ES plugin - filter

Hello,
I am using the Elasticsearch plugin. When I insert the filter option, Kibana does not work. Any error in my code?

readonlyrest:
    access_control_rules:

    - name: "::Kibana server::"
      auth_key: user1:password1
      type: allow

    - name: "user2"
      auth_key: user2:password2
      type: allow
      kibana_access: ro
      indices: [".kibana*","exercicio"]
      actions: ["indices:data/read/*"]
      filter: '{"bool": { "must": { "match": { "sms_campaign_name.keyword": "Campanha1" }}}}'

The strange thing is that if I use must_not, it worked.

  filter: '{"bool": { "must_not": { "match": {"sms_campaign_name.keyword":"Campanha1"}}}}'

Thank you.

Yes @francisca.lima, this is expected. When you use filter and fields rules, you need to duplicate your ACL block, as these rules only will match with *search *get requests, while a normal Kibana session uses a wider mix of request types.

You can find this technique explained in our documentation, look where it says “IMPORTANT”.

If you want some feedback on your settings, feel free to show us here.

Can you send me an example? How do I duplicate my ACL block? I only want to read data.

Something like this:

So the searches will be intercepted by the first block. All the other requests will be intercepted by the second block


Thank you for your help!


However, in 6.7.0 version this is not working. Any idea?

Can you tell us in what (ES and ROR) version you had it working? Also, can you tell us how you define work/not work with a simple experiment? I.e. using curl with a minimal configuration?

I defined the configuration file of readonlyrest in 6.6.1, but when I upgraded to 6.7.0 it did not work.
The configuration file is:

readonlyrest:
    access_control_rules:

    - name: "::Kibana server::"
      auth_key: user1:password1
      type: allow

    - name: "user2 (filtered searches)"
      auth_key: user2:password2
      type: allow
      indices: ["exercicio2","exercicio"]
      filter: '{"bool": { "must": { "match": { "sms_campaign_name.keyword": "Campanha1" }}}}'

    - name: "user2 (other kibana ops)"
      auth_key: user2:password2
      type: allow
      kibana_access: ro
      indices: [".kibana*","exercicio2","exercicio"]
      actions: ["indices:data/read/*"]

    - name: "user3 (filtered searches)"
      auth_key: user3:password3
      type: allow
      indices: ["exercicio"]
      filter: '{"bool": { "must": { "match": { "sms_campaign_name.keyword": "Campanha2" }}}}'

    - name: "user3 (other kibana ops)"
      auth_key: user3:password3
      type: allow
      kibana_access: ro
      indices: [".kibana*","exercicio"]
      actions: ["indices:data/read/*"]

The filtered searches are not working in Kibana. Can you help me? In Elasticsearch, doing a curl, it worked.

Even stranger is when I add the filter also in other kibana ops: after inserting the credentials of user2, the Kibana page does not even work.

[I am using ES Plugin for 6.7.0]

Not sure what’s wrong, but what I’m sure about is that mixing “actions” and “kibana_access” doesn’t make sense. The kibana_access rule is already a macro that selects a series of actions. And if you add the actions rule, you are basically neutralising it.

Please have a read at a better explanation of kibana_access.

Please remove the actions rule and try again.

Also, why allow users access to “.kibana*” when all they need is “.kibana”?
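
An added example, not part of the thread and not ReadonlyREST code: a lint over ACL blocks that flags the two pitfalls discussed above (a `filter` block with no unfiltered companion block for the same credentials, and `actions` combined with `kibana_access`). It goes one step beyond the thread with an ordering check: since blocks are tried in order, an unfiltered block placed before the filtered one would take the searches and the filter would never apply. The finding names, the dict layout and telling users apart by `auth_key` are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Constructed input: the 6.6.1 settings from this thread, transcribed by hand
# into Python dicts (filter body shortened) so no YAML parser is needed.
BLOCKS = [
    {"name": "::Kibana server::", "auth_key": "user1:password1"},
    {"name": "user2 (filtered searches)", "auth_key": "user2:password2",
     "indices": ["exercicio2", "exercicio"], "filter": "{...}"},
    {"name": "user2 (other kibana ops)", "auth_key": "user2:password2",
     "kibana_access": "ro", "actions": ["indices:data/read/*"],
     "indices": [".kibana*", "exercicio2", "exercicio"]},
]
DOC_LEVEL = ("filter", "fields")  # rules that only match search/get requests


def restricted(block):
    return any(rule in block for rule in DOC_LEVEL)


def shadows(earlier, later):
    """True if an earlier block's index patterns cover an index of a later block."""
    if "indices" not in earlier or "indices" not in later:
        return True  # no indices rule: assume the block applies to every index
    return any(fnmatchcase(idx, pat)
               for idx in later["indices"] for pat in earlier["indices"])


def lint(blocks):
    """Return (block name, finding) pairs. Assumes users are told apart by auth_key."""
    findings = []
    for pos, block in enumerate(blocks):
        same_user = [(i, b) for i, b in enumerate(blocks)
                     if i != pos and b.get("auth_key") == block.get("auth_key")]
        if "kibana_access" in block and "actions" in block:
            findings.append((block["name"], "actions-with-kibana_access"))
        if not restricted(block):
            continue
        open_blocks = [(i, b) for i, b in same_user if not restricted(b)]
        if not open_blocks:
            # Nothing left to match the non-search requests of a Kibana session.
            findings.append((block["name"], "no-fallback-block"))
        if any(i < pos and shadows(b, block) for i, b in open_blocks):
            # Blocks are tried in order, so the unfiltered one takes the searches.
            findings.append((block["name"], "filter-shadowed"))
    return findings


if __name__ == "__main__":
    for name, finding in lint(BLOCKS):
        print(f"{name}: {finding}")
```

A `filter-shadowed` finding is a candidate for review rather than proof: the index comparison is a plain wildcard match on the names listed in the two blocks.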

Thank you! I removed the actions. My system indexes of kibana are: .kibana_task_manager and .kibana_1, so I tried to only use .kibana_1 or only use .kibana_task_manager, but no success (cannot access kibana).

readonlyrest:
    access_control_rules:

    - name: "::Kibana server::"
      auth_key: user1:password1
      type: allow

    - name: "user2 (filtered searches)"
      auth_key: user2:password2
      type: allow
      indices: ["exercicio2","exercicio"]
      filter: '{"bool": { "must": { "match": { "sms_campaign_name.keyword": "Campanha1" }}}}'

    - name: "user2 (other kibana ops)"
      auth_key: user2:password2
      type: allow
      kibana_access: ro
      indices: [".kibana*","exercicio2","exercicio"]

Any other idea?

It’s a bug, we just reproduced it. Will let you know.

Thank you! I will be waiting :smiley:


Hi Francisca,

This is the build with the fix: http://readonlyrest-1.17.5-pre2_es6.7.0.zip


Thank you so much! It worked!


Hello ! I have the same issue:

This filter is working:

{
  "bool": {
    "must_not": [
      {"term": {"df_country.keyword": "Ivory Coast"}}
    ]
  }
}

This filter is NOT working:

{
  "bool": {
    "must": [
      {"term": {"df_country.keyword": "Ivory Coast"}}
    ]
  }
}

My version of ROR is Enterprise-1.39.0_es7.12.1.
Can you help me, please ?

Hello @AlexG are you affiliated to any Enterprise subscriber?
Please specify to which one in a private message.

Summary

Diana Slavescu

Hi @AlexG

Seems that we have recently fixed some issue related to this topic.
Could you please test ROR 1.45.0-pre5 for ES 7.12.1 and let us know if it works?

Hello !

Regarding this topic, I’ve tried to install this version of ROR, “ROR 1.45.0-pre5 for ES 7.12.1”, on each Elasticsearch node in the cluster, but unfortunately it doesn’t work anymore, the same error 503. If I put “must_not” in the filter config, it works, but “must” returns an error.


Hello Alex, can you share your readonlyrest.yml or equivalent in-index YAML settings, and give us some examples of queries (i.e. with curl, or similar).

BTW if you are staff of an enterprise subscriber, please tell us at @support_team in direct message (here in the forum) so we can prioritise your support request.