Forbidden for creating component templates

Hello,

I am using ELK 8.6.2 with ROR 1.49.0 Enterprise. I have the following ROR configuration in place:

readonlyrest:
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "rwgroup Kibana"
    groups: ["rwgroup"]
    indices: [".kibana_rwgroup", "diana*", "elast*"]
    kibana_access: "rw"
    kibana_index: ".kibana_rwgroup"
  - name: "rwgroup 0"
    groups: ["rwgroup"]
    indices: ["diana*", "elast*"]
    actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/*"]
  proxy_auth_configs:
  - name: "px1"
    user_id_header: "x-forwarded-user"
  users:
  - username: "diana"
    groups: ["rwgroup"]
    proxy_auth:
      proxy_auth_config: "px1"
      users: ["diana"]

I am able to do index management actions (create index/data stream, create index templates) but when trying to create a component template I get a 403 Forbidden error.
Am I missing something in the configuration or is this a bug?

Thanks,
Diana

Could you please show us the FORBIDDEN log from the ES logs?

Hello,

Below the ES log:

[2023-06-20T09:52:36,148][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] [localhost]FORBIDDEN by default req={ ID:845416081-948329064#39284, TYP:PutComponentTemplateAction$Request, CGR:<N/A>, USR:fulladmin (attempted), BRS:true, KDX:null, ACT:cluster:admin/component_template/put, OA:x.x.x.x/x, XFF:x.x.x.x, x.x.x.x, DA:x.x.x.x/x, IDX:<N/A>, MET:PUT, PTH:/_component_template/test, CNT:<OMITTED, LENGTH=15.0 B> , HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Content-Length=15, Host=localhost-es:9200, accept=application/vnd.elasticsearch+json; compatible-with=8, connection=close, content-type=application/vnd.elasticsearch+json; compatible-with=8, cookie=mellon-cookie=mellon-cookie; rorCookie=ror-cookie; __Host-ror.x-csrf-token=token, elastic-apm-traceparent=00-0c1d7ddd6a1a521473678a0f67eafc47-82d3cf6697105844-01, traceparent=00-0c1d7ddd6a1a521473678a0f67eafc47-82d3cf6697105844-01, tracestate=es=s:0.1, user-agent=Kibana/8.6.2, x-elastic-client-meta=es=8.4.0p,js=16.18.1,t=8.2.0,hc=16.18.1, x-elastic-product-origin=kibana, x-forwarded-for=x.x.x.x, x.x.x.x, x-forwarded-user=diana, x-opaque-id=unknownId, x-ror-correlation-id=id, x-ror-current-group=rwgroup, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/s/default/api/index_management/component_templates, HIS:[Full Admin Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=ADD(test:)]], [Full Admin Users-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=ADD(test:)]], [Client Admin Group Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=ADD(test:)]], [Client Admin Group 0-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=ADD(test:)]], [rwgroup Kibana-> RULES:[groups_or->true, kibana_index->true, kibana_access->false] RESOLVED:[user=diana;group=rwgroup;av_groups=rwgroup;kibana_idx=kibana_rwgroup;template=ADD(test:)]], [rwgroup 0-> RULES:[groups_or->true, actions->false] 
RESOLVED:[user=diana;group=rwgroup;av_groups=rwgroup;template=ADD(test:)]], }


Thanks. I will take a look.

I reproduced and fixed it. Will send you a pre-build soon.

This is fixed in ROR 1.49.1.


Hello,

I tested v 1.49.1. I changed the ROR configuration with the following:

readonlyrest:
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "Client Admin Group Kibana"
    groups: ["client_admin"]
    indices: ["kibana_client_admin", "*"]
    kibana_index: "kibana_client_admin"
    kibana_access: "rw"
  - name: "Client Admin Group"
    groups: ["client_admin"]
    indices: ["*"]
    actions: ["*"]
  - name: "rwgroup Kibana"
    groups: ["rwgroup"]
    indices: ["kibana_rwgroup", "diana*", "elast*"]
    kibana_access: "rw"
    kibana_index: "kibana_rwgroup"
  - name: "rwgroup 0"
    groups: ["rwgroup"]
    indices: ["diana*", "elast*"]
    actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/*"]
  proxy_auth_configs:
  - name: "px1"
    user_id_header: "x-forwarded-user"
  users:
  - username: "diana"
    groups: ["client_admin","rwgroup"]
    proxy_auth:
      proxy_auth_config: "px1"
      users: ["diana"]

In the rwgroup tenant, I create a data stream from Kibana dev tools console:

PUT _data_stream/diana2

I get the following answer:

{
  "acknowledged": true
}

But when I go in Kibana to the Data Streams tab, I am not able to see any data stream. If I go to index management, I can see the backing index of the data stream I just created. If I switch to the client_admin tenant, I am able to see this data stream (which is normal as I have access to all indices). This was not happening in the previous ROR version.
Also, in the logs I do not see any forbidden errors, but I was able to catch the part below, not sure if relevant:

[2023-07-05T09:57:24,435][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] [localhost]INDEX NOT FOUND req={ ID:1609501493-976119418#37230, TYP:GetIndexTemplatesRequest, CGR:<N/A>, USR:_ (attempted), BRS:false, KDX:null, ACT:indices:admin/template/get, OA:x.x.x.x/32, XFF:127.0.0.1, DA:x.x.x.x/32, IDX:<N/A>, MET:GET, PTH:/_template, CNT:<N/A>, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=localhost:9200, connection=close, content-length=0, content-type=application/json, cookie=mellon-cookie=xxx, elastic-apm-traceparent=00-7120e5512b31060456d20254022b2a2b-12faf7553325f76c-00, traceparent=00-7120e5512b31060456d20254022b2a2b-12faf7553325f76c-00, tracestate=es=s:0, x-forwarded-for=127.0.0.1, x-forwarded-host=localhost:5601, x-forwarded-port=60860, x-forwarded-proto=http, x-forwarded-user=diana, x-ror-correlation-id=32f79091-7b7a-4f4d-8eb5-4e67be1d48e9, x-ror-current-group=rwgroup, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/s/default/api/console/autocomplete_entities, HIS:[Full Admin Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [Full Admin Users-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [Client Admin Group Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [Client Admin Group 0-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [ffgroup Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [ffgroup Kibana 1-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [rogroup Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [rogroup 0-> RULES:[groups_or->false] RESOLVED:[group=rwgroup;template=GET(*)]], [rwgroup Kibana-> RULES:[groups_or->true, kibana_index->true, kibana_access->true, indices->false] RESOLVED:[user=hwzr5420;group=rwgroup;av_groups=rwgroup;kibana_idx=kibana_rwgroup;template=GET(*)]], [rwgroup 0-> RULES:[groups_or->true, actions->true, 
indices->false] RESOLVED:[user=diana;group=rwgroup;av_groups=rwgroup;template=GET(*)]], }

Could you please help with this also?

Thanks

Sure, I will check it.

Hello,

Do you have any updates?

Yeah, we identified the problem. Now we are working on fixing it.


Hello,

Will the fix be available in the next ROR release? When are you planning to push it?

No. The next release is planned for this weekend (ROR 1.50.0). The fix is not done yet.
I will send you a pre-build with the fix to check when it’s ready.

@Diana this is the workaround for now:

    - name: "diana"
      type: allow
      auth_key: diana:diana
      indices: [".ds-diana*", ".kibana*"]
      data_streams: ["diana*"]

You have to instruct ROR that the indices rule has to accept the backing indices of data streams “diana*”, and you can add a data_streams rule too.

Hello,

When are you planning to release this fix?
Also, should we take into account data streams separately from “normal” indices?
I am asking this because we would have to modify a lot of things in our deployments in order to include data streams in the config, and we would prefer waiting for the fix. On the other hand, this is the only thing remaining for us to be able to move to the 8.6.2 ELK version.

Hello,

Any updates?

Thanks!

Hi Diana.

We are working on this issue. It’s a complex problem related to the most commonly used rule, so it’s crucial for us to do it right and not break anything. We will do our best to include this fix in the ROR 1.51.0 release.

@Diana please test this pre-build and let us know if all is fixed: ROR 1.51.0-pre3 for ES 8.6.2

Hello,

I tested the pre-release. I encountered the following issues:
For the group having
actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/*"]

  • create index template - forbidden
  • create component template - OK
  • create data stream - OK
  • when clicking on a data stream name in Index Management this error appears: Error loading data stream forbidden

If I remove the “indices:admin/*” action I receive a forbidden error when trying to access each of the tabs (index templates, data streams, component templates).

  • create index template - forbidden
    I cannot confirm that. I was able to create an index template.

I extracted the minimal reproducible example from your settings shown in previous posts:


    - name: "rwgroup Kibana"
      auth_key: "diana:test"
      indices: [".kibana*"]
      kibana_access: "rw"

    - name: "rwgroup 0"
      auth_key: "diana:test"
      indices: ["diana*", "elast*"]
      actions: ["indices:data/read/*", "indices:data/write/*", "indices:admin/*"]

Here is the log of the successful creation of the index template:

ror-demo-cluster-es-ror-1  | [2023-08-30T19:40:30,857][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [es-ror-single] ALLOWED by { name: 'rwgroup 0', policy: ALLOW, rules: [auth_key,actions,indices] req={ ID:316963062-849947420#2427, TYP:PutComposableIndexTemplateAction$Request, CGR:<N/A>, USR:diana, BRS:true, KDX:null, ACT:indices:admin/index_template/put, OA:172.20.0.3/32, XFF:localhost:15601, DA:172.20.0.2/32, IDX:diana2*, MET:PUT, PTH:/_index_template/diana_test_index_template, CNT:<OMITTED, LENGTH=47.0 B> , HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=es-ror:9200, accept=application/vnd.elasticsearch+json; compatible-with=8, connection=close, content-length=47, content-type=application/vnd.elasticsearch+json; compatible-with=8, cookie=rorCookie=Fe26.2**e341a4b311795663a35a5969b5d16c1c6e9ebc26648c8e6a371830381d93a4c1*6OnOP3Wotgx3svdCB9BQmw*qBlZdu8Vq35u3I1g8_M36K5BAa1dmi-oHrBZnIM27_RTcdi9IQF2T9RPg6fzauyZ**709edbf7262c729c372b0e9815024b0bdaf702f52e4c89de8ec37c993786c0b6*48676PnpxlhIMFJDGFdsUaF5f4q5pUZ6-niEmmVnLfQ; x-csrf-token=fb1009fb9d14b4fe53aede19da357b4ef31dd75d714f376b7c372da30b9ed219, elastic-apm-traceparent=00-9bd966f7b02ba0ddafb5f30bb0997b84-5d257d668ab9e1f0-00, traceparent=00-9bd966f7b02ba0ddafb5f30bb0997b84-5d257d668ab9e1f0-00, tracestate=es=s:0, user-agent=Kibana/8.6.2, x-elastic-client-meta=es=8.4.0p,js=16.18.1,t=8.2.0,hc=16.18.1, x-elastic-product-origin=kibana, x-forwarded-for=localhost:15601, x-opaque-id=unknownId, x-ror-correlation-id=a83f6ba4-8294-485b-8602-5f0c6d09c4f0, x-ror-kibana-request-method=post, x-ror-kibana-request-path=/s/default/api/index_management/index_templates, HIS:[KIBANA-> RULES:[auth_key->false] RESOLVED:[indices=diana2*;template=ADD(diana_test_index_template:diana2*:)]], [ADMIN-> RULES:[auth_key->false] RESOLVED:[indices=diana2*;template=ADD(diana_test_index_template:diana2*:)]], [rwgroup Kibana-> RULES:[auth_key->true, kibana_access->false] 
RESOLVED:[user=diana;indices=diana2*;template=ADD(diana_test_index_template:diana2*:)]], [rwgroup 0-> RULES:[auth_key->true, actions->true, indices->true] RESOLVED:[user=diana;indices=diana2*;template=ADD(diana_test_index_template:diana2*:)]], }
  • when clicking on a data stream name in Index Management this error appears: Error loading data stream forbidden

I can confirm it happens:

ror-demo-cluster-es-ror-1  | [2023-08-30T19:44:57,654][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [es-ror-single] FORBIDDEN by default req={ ID:1713650119-1548926947#5758, TYP:DataStreamsStatsAction$Request, CGR:<N/A>, USR:diana (attempted), BRS:true, KDX:null, ACT:indices:monitor/data_stream/stats, OA:172.20.0.3/32, XFF:172.20.0.1, DA:172.20.0.2/32, IDX:<N/A>, MET:GET, PTH:/_data_stream/diana2/_stats, CNT:<N/A>, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=es-ror:9200, accept=application/vnd.elasticsearch+json; compatible-with=8,text/plain, connection=close, content-length=0, cookie=rorCookie=Fe26.2**e341a4b311795663a35a5969b5d16c1c6e9ebc26648c8e6a371830381d93a4c1*6OnOP3Wotgx3svdCB9BQmw*qBlZdu8Vq35u3I1g8_M36K5BAa1dmi-oHrBZnIM27_RTcdi9IQF2T9RPg6fzauyZ**709edbf7262c729c372b0e9815024b0bdaf702f52e4c89de8ec37c993786c0b6*48676PnpxlhIMFJDGFdsUaF5f4q5pUZ6-niEmmVnLfQ; x-csrf-token=fb1009fb9d14b4fe53aede19da357b4ef31dd75d714f376b7c372da30b9ed219, elastic-apm-traceparent=00-329001f875d18c3fca17d35a6a5c2fe9-a60716a7d4538d0e-00, traceparent=00-329001f875d18c3fca17d35a6a5c2fe9-a60716a7d4538d0e-00, tracestate=es=s:0, user-agent=Kibana/8.6.2, x-elastic-client-meta=es=8.4.0p,js=16.18.1,t=8.2.0,hc=16.18.1, x-elastic-product-origin=kibana, x-forwarded-for=172.20.0.1, x-opaque-id=unknownId, x-ror-correlation-id=b925fcab-426b-4a23-93d0-ef495b38b111, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/s/default/api/index_management/data_streams/diana2, HIS:[KIBANA-> RULES:[auth_key->false]], [ADMIN-> RULES:[auth_key->false]], [rwgroup Kibana-> RULES:[auth_key->true, kibana_access->false] RESOLVED:[user=diana]], [rwgroup 0-> RULES:[auth_key->true, actions->false] RESOLVED:[user=diana]], }

but it looks like your actions rule configuration doesn’t take into consideration indices:monitor/data_stream/stats which describes the GET /_data_stream/diana2/_stats request on the ES side.
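Added example (not part of the original thread, and not ReadonlyREST code): a small Python helper that reads the HIS section of a FORBIDDEN line like the one above, reports the rule that failed in each block, and checks the request's action against the "rwgroup 0" actions list. The sample line is shortened from the log above, and '*' matching via fnmatch is an assumption about how the actions rule treats wildcards.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the FORBIDDEN line from the thread, cut down to the fields used here.
SAMPLE = (
    "[2023-08-30T19:44:57,654][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] "
    "[es-ror-single] FORBIDDEN by default req={ ID:1713650119-1548926947#5758, "
    "TYP:DataStreamsStatsAction$Request, USR:diana (attempted), "
    "ACT:indices:monitor/data_stream/stats, MET:GET, PTH:/_data_stream/diana2/_stats, "
    "HIS:[KIBANA-> RULES:[auth_key->false]], [ADMIN-> RULES:[auth_key->false]], "
    "[rwgroup Kibana-> RULES:[auth_key->true, kibana_access->false] RESOLVED:[user=diana]], "
    "[rwgroup 0-> RULES:[auth_key->true, actions->false] RESOLVED:[user=diana]], }"
)

# The actions list of the "rwgroup 0" block as posted in the thread.
RWGROUP_ACTIONS = ["indices:data/read/*", "indices:data/write/*", "indices:admin/*"]

BLOCK_RE = re.compile(r"\[([^\[\]]+?)-> RULES:\[([^\]]*)\]")

def parse_ror_line(line):
    """Return verdict, action and the failing rule of each block in one ROR log line."""
    verdict = re.search(r"\b(ALLOWED|FORBIDDEN|INDEX NOT FOUND)\b", line)
    action = re.search(r"\bACT:([^,\s]+)", line)
    history = line.split("HIS:", 1)[1] if "HIS:" in line else ""
    blocks = []
    for name, rules in BLOCK_RE.findall(history):
        results = [tuple(r.strip().split("->", 1)) for r in rules.split(",") if "->" in r]
        # In the thread's logs each block's list ends at its first non-matching rule.
        failed = next((rule for rule, ok in results if ok != "true"), None)
        blocks.append({"block": name.strip(), "failed_rule": failed})
    return {"verdict": verdict.group(1) if verdict else None,
            "action": action.group(1) if action else None,
            "blocks": blocks}

def action_allowed(action, patterns):
    """Approximate the actions rule with shell-style '*' wildcards (assumption)."""
    return any(fnmatchcase(action, p) for p in patterns)

if __name__ == "__main__":
    info = parse_ror_line(SAMPLE)
    for b in info["blocks"]:
        print(f"{b['block']}: failed on {b['failed_rule']}")
    print(info["action"], "covered by actions list:",
          action_allowed(info["action"], RWGROUP_ACTIONS))
```
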

Hello,

Yes, you are right for the index template part, I re-did the test and I can confirm I am able to create it. Sorry for the confusion.
Related to the data stream part, this works fine on ELK 7.17.2 + ROR 1.43.0 but it’s quite strange. From what I understand from the logs, it resolves the action as if I am a fulladmin user, even though I am logged in with the diana user. Logs below:

ALLOWED by { name: 'Full Admin Users', policy: ALLOW, rules: [groups,actions,indices] req={ ID:1292592137-1730457541#18805, TYP:DataStreamsStatsAction$Request, CGR:full-admin, USR:fulladmin, BRS:true, KDX:null, ACT:indices:monitor/data_stream/stats, OA:X.X.X.X/32, XFF:null, DA:X.X.X.X/32, IDX:dianatest-001, MET:GET, PTH:/_data_stream/dianatest-001/_stats, CNT:<N/A>, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=localhost:9200, connection=close, content-length=0, user-agent=elasticsearch-js/7.16.0-canary.7 (linux 5.4.0-159-generic-x64; Node.js v16.14.2), x-elastic-client-meta=es=7.16.0p,js=16.14.2,t=7.16.0p,hc=16.14.2, x-elastic-product-origin=kibana, x-opaque-id=3f442457-251b-4f77-a5d3-de9efccb2fe6, x-ror-correlation-id=4f01e887-276b-4be6-8353-7e21761d56ac, HIS:[Full Admin Kibana-> RULES:[groups->true, kibana_access->false] RESOLVED:[user=fulladmin;group=full-admin;av_groups=full-admin;indices=dianatest-001]], [Full Admin Users-> RULES:[groups->true, actions->true, indices->true] RESOLVED:[user=fulladmin;group=full-admin;av_groups=full-admin;indices=dianatest-001]], }

vs logs where I get a forbidden message:

FORBIDDEN by default req={ ID:1385422934-382255971#62074, TYP:DataStreamsStatsAction$Request, CGR:<N/A>, USR:_ (attempted), BRS:true, KDX:null, ACT:indices:monitor/data_stream/stats, OA:X.X.X.X/32, XFF:X.X.X.X, X.X.X.X, DA:X.X.X.X/32, IDX:<N/A>, MET:GET, PTH:/_data_stream/dianatest-01/_stats, CNT:<N/A>, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=localhost:9200, accept=application/vnd.elasticsearch+json; compatible-with=8,text/plain, connection=close, content-length=0, cookie=mellon-cookie=cookie, elastic-apm-traceparent=00-b2973cc1e23f5e6ad7995d6ad63352de-f82df5891ce2774a-00, traceparent=00-b2973cc1e23f5e6ad7995d6ad63352de-f82df5891ce2774a-00, tracestate=es=s:0, user-agent=Kibana/8.6.2, x-elastic-client-meta=es=8.4.0p,js=16.18.1,t=8.2.0,hc=16.18.1, x-elastic-product-origin=kibana, x-forwarded-for=X.X.X.X, X.X.X.X, x-forwarded-user=diana, x-opaque-id=unknownId, x-ror-correlation-id=6d1c5bb2-cd9c-42fb-9f15-f4b30889c8e5, x-ror-current-group=rwgroup, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/s/default/api/index_management/data_streams/dianatest-01, HIS:[Full Admin Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup]], [Full Admin Users-> RULES:[groups_or->false] RESOLVED:[group=rwgroup]], [Client Admin Group Kibana-> RULES:[groups_or->false] RESOLVED:[group=rwgroup]], [Client Admin Group 0-> RULES:[groups_or->false] RESOLVED:[group=rwgroup]], [rwgroup Kibana-> RULES:[groups_or->true, kibana_index->true, kibana_access->false] RESOLVED:[user=diana;group=rwgroup;av_groups=rwgroup;kibana_idx=kibana_rwgroup]], [rwgroup 0-> RULES:[groups_or->true, actions->false] RESOLVED:[user=diana;group=rwgroup;av_groups=rwgroup]], }