[Enterprise ROR Edition] Forbid specific indices

Hello guys,
Short question: is there any way to give a group a list of indices with specific access and at the same time forbid another list of indices?
Example:

    - name: "Allowed for web kibana"
      groups: [group_web_kibana]
      indices: ["index1-*", "index2", "index3"]
      # Here should be something like
      forbid_indices: [".readonlyrest", "index4-*"]
      actions: [
          "indices:data/read/*",
          "indices:data/write/*",
          "indices:admin/template/*",
          "indices:admin/create",
        ]

ROR Version for Kibana and ES: 1.18.9_es7.2.0 -> Enterprise edition
ES Version: 7.2.0

Many thanks in advance


EDIT by @sscarduzio: wrapped the YAML in triple back-quotes (```) so it shows properly formatted.

Hi @cristianr, welcome to the forum!

This is a typical question, but we never really went through and explained it in the forum well enough I think. So thanks for the opportunity.

The best way to obtain the effect expressed in your example is to take advantage of the flexibility of the sequential ACL model, and write… two blocks instead of one!

So it becomes:

    - name: "Forbidden for web kibana"
      type: forbid
      groups: [group_web_kibana]
      indices: [".readonlyrest", "index4-*"]
      
    - name: "Allowed for web kibana"
      groups: [group_web_kibana]
      indices: ["index1-*", "index2", "index3"]
      actions: [
          "indices:data/read/*",
          "indices:data/write/*",
          "indices:admin/template/*",
          "indices:admin/create",
        ]

Hello,

Many thanks for your help.
This solved my problem perfectly.


Hello, I’m coming back with a weird situation.

    readonlyrest:
      prompt_for_basic_auth: false
      access_control_rules:
        - name: "Kibana Server"
          groups: ["kibana-srv"]
        - name: "Full Admin Users"
          groups: ["full-admin"]
        - name: "Forbidden for .readonlyrest index"
          groups: ["client_admin"]
          type: "forbid"
          indices: [".readonlyrest"]
        - name: "Client Admin Group Kibana"
          groups: ["client_admin"]
          indices: [".kibana"]
          kibana_access: "admin"
          kibana_hide_apps: ["readonlyrest_kbn"]
        - name: "Client Admin Group"
          groups: ["client_admin"]
      proxy_auth_configs:
        - name: "px1"
          user_id_header: "x-forwarded-user"
      users:
        - username: "fulladmin"
          groups: ["full-admin"]
          auth_key: "fulladmin:password"
        - username: "sspo"
          groups: ["full-admin"]
          auth_key_sha256: "bae2cb4456415038b70a5addb30c4018efe63ef2b698fb2e6c7c9234092f99bd"
        - username: "clientadmin"
          groups: ["client_admin"]
          auth_key: "clientadmin:password"
        - username: "data"
          groups: ["full-admin"]
          auth_key_sha256: "c91531226aac2a2281e26d2ad0cc3629d82a0b4daa6db61b066d70388d41a126"
        - username: "kibana"
          groups: ["full-admin"]
          auth_key_sha256: "f120ee114bac036c1fa436baf7f19a13308e2d093acd5d8bf90ee53a7eff5c2d"
        - username: "abcdefgh"
          groups: ["client_admin"]
          proxy_auth:
            proxy_auth_config: "px1"
            users: ["abcdefgh"]

If I’m making a curl request with user abcdefgh for http://192.168.42.145:9200/_cat/indices?format=json I receive

    {
        "error": {
            "root_cause": [
                {
                    "reason": "forbidden",
                    "due_to": [
                        "FORBIDDEN_BY_BLOCK"
                    ]
                }
            ],
            "reason": "forbidden",
            "due_to": [
                "FORBIDDEN_BY_BLOCK"
            ],
            "status": 403
        }
    }

    curl --location --request GET 'http://192.168.42.145:9200/_cat/indices?format=json' --header 'x-forwarded-user: abcdefgh'

Which is normal and, at the same time, not :))
Yes, it is normal because the .readonlyrest index exists in that result, so it gives me a 403 status code. But if I want to go with that user to the Kibana web page -> Visualize -> Elasticsearch index management, I receive the error:
You do not have permissions to use Index Management

How can I somehow replace the forbid block with a deny only for updating the .readonlyrest index?

Expected behaviour:
Allow the client_admin group to use Index Management from the Kibana web page for all indexes EXCEPT the .readonlyrest index (deny it updating the .readonlyrest index).


Ok let’s start from saying that NOBODY should read or write the “.readonlyrest” index. Even when you edit the settings from our Kibana app, the browser talks to a specific API that validates the new settings for syntax and semantics before writing it to .readonlyrest.

So your ACL could very well have the first block saying “deny ANY access to .readonlyrest index” and things would work perfectly.

Another thing I don’t recommend is using forbid blocks with authentication and authorization rules. It makes it so difficult to reason about and much more often than not, it’s an indicator you are thinking about the problem in a too convoluted way.

Unfortunately we are forced to read/write the .readonlyrest index outside of Kibana (the semantics part is already covered by us, to be compliant with the same thing that Kibana will use).

Even though it is not recommended, do you have any suggestion to obtain the expected behaviour? Or maybe help with an example of how I can allow read on the .readonlyrest index and deny write on it for specific groups?

@cristianr the API I’m talking about is not in Kibana, it’s implemented in ROR for ES. This means your tools can and should use that API rather than writing the “.readonlyrest” index. We need to reserve the right to change how persistence to Elasticsearch is achieved, i.e. we were thinking of encrypting the content of that index.

The cluster-wide settings API is a very, very simple API and you can allow it in the ACL using a simple uri_re or action rule. Actually, our bad, we didn’t document it appropriately.

    curl -u admin:password -XPOST "$ES_URL/_readonlyrest/admin/config" -H 'Content-Type: application/json' -d '{"settings": "...JSON escaped settings YAML"}'

This should check and write the settings in the index, and refresh.

We are also using the ES endpoint, but for some specific groups we want to give access to all actions except writing to the .readonlyrest index through the ES API. So, to achieve that, we added the forbid block for the .readonlyrest index. But we realized that by doing so, the user will not be able to use GET /_cat/indices. So it would be helpful if we could give access to read the .readonlyrest index but deny write requests for those groups.

OK, what does the ES log say when you hit a 403 here? I’m interested in the “HIS:” part of the “FORBIDDEN” log line, to understand which rules and blocks match.

Hello,

We found a solution as follows:

    readonlyrest:
      prompt_for_basic_auth: false
      access_control_rules:
        - name: "Kibana Server"
          groups: ["kibana-srv"]
        - name: "Full Admin Users"
          groups: ["full-admin"]
        - name: "Forbidden for .readonlyrest index"
          groups: ["client_admin"]
          indices: [".readonlyrest"]
          methods: ["PUT", "POST"]
          type: "forbid"
        - name: "Client Admin Group Kibana"
          groups: ["client_admin"]
          indices: ["*"]
          kibana_access: "admin"
          kibana_hide_apps: ["readonlyrest_kbn"]
        - name: "Client Admin Group"
          groups: ["client_admin"]
      proxy_auth_configs:
        - name: "px1"
          user_id_header: "x-forwarded-user"
      users:
        - username: "fulladmin"
          groups: ["full-admin"]
          auth_key: "fulladmin:password"
        - username: "sspo"
          groups: ["full-admin"]
          auth_key_sha256: "bae2cb4456415038b70a5addb30c4018efe63ef2b698fb2e6c7c9234092f99bd"
        - username: "clientadmin"
          groups: ["client_admin"]
          auth_key: "clientadmin:password"
        - username: "data"
          groups: ["full-admin"]
          auth_key_sha256: "c91531226aac2a2281e26d2ad0cc3629d82a0b4daa6db61b066d70388d41a126"
        - username: "kibana"
          groups: ["full-admin"]
          auth_key_sha256: "f120ee114bac036c1fa436baf7f19a13308e2d093acd5d8bf90ee53a7eff5c2d"
        - username: "abcdefgh"
          groups: ["client_admin"]
          proxy_auth:
            proxy_auth_config: "px1"
            users: ["abcdefgh"]

Many thanks for your help
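Added example, not ReadonlyREST's own code and not posted by anyone in this thread: a small Python model of the sequential ACL that the two-blocks answer and the final config above rely on, run over the thread's own client_admin blocks with constructed requests. It assumes a simplified semantics (first block whose rules all match decides; the indices rule matches when any touched index fits a pattern), so treat the verdicts as an illustration of the ordering logic, not as ROR's exact resolution behaviour.

```python
# Added example, not ReadonlyREST's own code: a toy model of the sequential ACL
# described in the thread. Blocks are tried top to bottom and the FIRST block
# whose rules all match decides: allowed, unless the block has type: forbid.
# Assumptions: only the groups, indices and methods rules are modelled, and the
# indices rule matches when ANY index the request touches fits one of its
# patterns (real ROR resolves and narrows indices more subtly).
from fnmatch import fnmatchcase


def rules_match(block, request):
    """Every rule present in the block must hold for the request."""
    if "groups" in block and not set(block["groups"]) & set(request["groups"]):
        return False
    if "indices" in block and not any(
        fnmatchcase(idx, pat) for idx in request["indices"] for pat in block["indices"]
    ):
        return False
    if "methods" in block and request["method"] not in block["methods"]:
        return False
    return True


def evaluate(acl, request):
    """Return (verdict, deciding block); with no match ROR forbids by default."""
    for block in acl:
        if rules_match(block, request):
            verdict = "FORBIDDEN" if block.get("type") == "forbid" else "ALLOWED"
            return verdict, block["name"]
    return "FORBIDDEN", "<no block matched>"


# The client_admin blocks from the two configs posted in the thread.
FORBID_ALL = {"name": "Forbidden for .readonlyrest index", "groups": ["client_admin"],
              "type": "forbid", "indices": [".readonlyrest"]}
FORBID_WRITES = dict(FORBID_ALL, methods=["PUT", "POST"])  # final config
KIBANA_FIRST = {"name": "Client Admin Group Kibana", "groups": ["client_admin"], "indices": [".kibana"]}
KIBANA_FINAL = dict(KIBANA_FIRST, indices=["*"])
CATCH_ALL = {"name": "Client Admin Group", "groups": ["client_admin"]}
ACL_FIRST = [FORBID_ALL, KIBANA_FIRST, CATCH_ALL]
ACL_FINAL = [FORBID_WRITES, KIBANA_FINAL, CATCH_ALL]

# Constructed requests as user abcdefgh (group client_admin). _cat/indices
# touches every index in the cluster, .readonlyrest included.
CLIENT = ["client_admin"]
CAT_INDICES = {"groups": CLIENT, "method": "GET", "indices": [".kibana", ".readonlyrest", "index1-2019"]}
PUT_SETTINGS = {"groups": CLIENT, "method": "PUT", "indices": [".readonlyrest"]}
# Caveat: the final forbid block lists only PUT and POST, so a DELETE on the
# settings index is not caught by it and falls through to the allow blocks.
DELETE_SETTINGS = {"groups": CLIENT, "method": "DELETE", "indices": [".readonlyrest"]}

if __name__ == "__main__":
    for acl in (ACL_FIRST, ACL_FINAL):
        print([evaluate(acl, r) for r in (CAT_INDICES, PUT_SETTINGS, DELETE_SETTINGS)])
```

Running it shows why the first config gave a 403 on _cat/indices (the forbid block matched before any allow block) and why the final config lets the GET through while still stopping PUT/POST on .readonlyrest.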