GET _cat/aliases endpoint not working?


#1

Hello, using ES 5.5.0 and ROR 1.16.8, my administrative user, which has full access to do everything, has no access to the _cat/aliases endpoint.
Previously, my administrator block looked like this:

  - name: "Administrator access"
    proxy_auth: ["administrator"]
    kibana_access: admin
    actions: ["*"]

And I was getting the error

[2017-07-31T23:56:47,353][INFO ][o.e.p.r.a.ACL ] FORBIDDEN by default req={ ID:1953456960-1763679816#20808382, TYP:GetAliasesRequest, USR:administrator, BRS:false, ACT:indices:admin/aliases/get, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cat/aliases, CNT:<OMITTED, LENGTH=0>, HDR:connection,content-length,host,x-forwarded-for,x-forwarded-host,x-forwarded-port,x-forwarded-proto,x-forwarded-user, HIS:[Administrator access->[kibana_access->false, proxy_auth->true]] }

And receiving the permission denied message.

I saw “indices:admin/aliases/get” as the action, so I tried explicitly adding it to my block.

Now my block looks like this:

  - name: "Administrator access"
    proxy_auth: ["administrator"]
    kibana_access: admin
    actions: ["*", "indices:admin/*", "indices:admin/aliases/get"]

And I am still getting the error:

[2017-08-01T00:02:27,607][INFO ][o.e.p.r.a.ACL ] FORBIDDEN by default req={ ID:1296547691-1762772625#1511, TYP:GetAliasesRequest, USR:administrator, BRS:false, ACT:indices:admin/aliases/get, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cat/aliases, CNT:<OMITTED, LENGTH=0>, HDR:connection,content-length,host,x-forwarded-for,x-forwarded-host,x-forwarded-port,x-forwarded-proto,x-forwarded-user, HIS: [Administrator access->[kibana_access->false, proxy_auth->true]] }

Any ideas?
Thanks!


(Simone Scarduzio) #2

Points for correctly using the logs for debugging the right way. However, kibana_access: admin is basically the same as kibana_access: rw plus write access to the .readonlyrest index and an extra API. The rest is still blocked for security reasons.

Question: under what circumstance is anybody asking for _cat/indices? Is it from kibana?

Why your workaround is not working

All the rules in a block execute in logical AND (all need to pass), which means adding that permissive actions rule will have no effect as long as kibana_access is present.

A correct workaround would have been adding an extra block with identical proxy_auth and the more permissive actions rule.
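To make the AND-within-a-block, first-matching-block semantics concrete, here is a small Python model added for illustration; it is not ReadonlyREST's code, and the list of actions that kibana_access: admin lets through is an assumption (a constructed allow-list standing in for ROR's real policy). It replays both configurations from this thread against the logged request.

```python
# Toy model of ROR ACL evaluation (added illustration, not ReadonlyREST code).
# Every rule inside a block is ANDed; blocks are tried top to bottom and the
# first block whose rules all pass allows the request. Unlike ROR, the model
# evaluates every rule of a block so the recorded history is complete.
from fnmatch import fnmatchcase

# ASSUMPTION: a constructed allow-list standing in for what kibana_access
# permits; the real ROR list is larger, but it does not include
# indices:admin/aliases/get, which is the point of the thread.
KIBANA_ADMIN_ACTIONS = ["indices:data/read/*", "indices:data/write/*",
                        "cluster:monitor/*"]


def rule_passes(name, value, req):
    """Evaluate one rule of a block against a request."""
    if name == "proxy_auth":
        return req["user"] in value
    if name == "actions":
        return any(fnmatchcase(req["action"], pat) for pat in value)
    if name == "kibana_access":
        return any(fnmatchcase(req["action"], pat) for pat in KIBANA_ADMIN_ACTIONS)
    raise ValueError(f"unknown rule {name}")


def evaluate(blocks, req):
    """Return (allowed, history); history mirrors the HIS: field in the log."""
    history = []
    for block in blocks:
        results = {k: rule_passes(k, v, req)
                   for k, v in block.items() if k != "name"}
        history.append((block["name"], results))
        if all(results.values()):          # logical AND over the block's rules
            return True, history
    return False, history                  # no block matched: FORBIDDEN by default


# The request from the log lines above.
REQ = {"user": "administrator", "action": "indices:admin/aliases/get"}

# First attempt in the thread: permissive actions added to the kibana_access block.
ONE_BLOCK = [{"name": "Administrator access", "proxy_auth": ["administrator"],
              "kibana_access": "admin",
              "actions": ["*", "indices:admin/*", "indices:admin/aliases/get"]}]

# Suggested workaround: a second block with identical proxy_auth and only actions.
TWO_BLOCKS = ONE_BLOCK + [{"name": "Administrator access block2",
                           "proxy_auth": ["administrator"], "actions": ["*"]}]

if __name__ == "__main__":
    print(evaluate(ONE_BLOCK, REQ))   # (False, ...) kibana_access fails the AND
    print(evaluate(TWO_BLOCKS, REQ))  # (True, ...)  second block matches
```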


#3

I had a project team member attempting to use _cat/aliases from the dev tools section of Kibana. I’ve added an additional block as you suggested and can confirm this is now functioning:

  - name: "Administrator access block2"
    proxy_auth: ["administrator"]
    actions: ["*"]

Thanks Simone!