Groups + users - cannot create index or insert data

Hello,

ROR: 1.18.2_es.7.2.0 + ror_kbn_1.18.2_enterprise

I have this config:

readonlyrest:
  prompt_for_basic_auth: false

  access_control_rules:

  - name: "::KIBANA SRV::"
    groups: ["kibana-srv"]
    indices: [".kibana*"]

  - name: "::FULL ADMIN::"
    groups: ["full-admin"]
    kibana_access: admin
    indices: ["*"]

  - name: "::CLIENT ADMIN::"
    groups: ["client-admin"]
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn"]

  - name: "::CLIENT RO::"
    groups: ["client-ro"]
    kibana_access: ro
    kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

  users:

  - username: kibana
    groups: ["kibana-srv"]
    auth_key: kibana:kibana

  - username: fulladmin
    groups: ["full-admin"]
    auth_key: fulladmin:kgvt7

  - username: clientadmin
    groups: ["client-admin"]
    auth_key: clientadmin:5erj3

  - username: client
    groups: ["client-ro"]
    auth_key: client:zk3h8


I cannot create any index with user fulladmin or clientadmin:

Sep 13 08:09:31 prbiges005es002d01 elasticsearch[29601]: [2019-09-13T08:09:31,554][INFO ][t.b.r.a.l.AclLoggingDecorator] [prbiges005es002d01] FORBIDDEN by default req={  ID:304109194-864643730#413732,  TYP:IndexRequest,  CGR:N/A,  USR:[user not logged],  BRS:true,  KDX:null,  ACT:indices:data/write/index,  OA:172.24.135.125/32,  XFF:null,  DA:172.24.135.125/32,  IDX:aaa,  MET:POST,  PTH:/aaa/doc,  CNT:<OMITTED, LENGTH=7.0 B> ,  HDR:Accept=*/*, Authorization=<OMITTED>, Content-Length=7, Content-Type=application/json, Host=prbiges005es002d01:9200, User-Agent=curl/7.58.0,  HIS:[::KIBANA SRV::-> RULES:[groups->false], RESOLVED:[]], [::FULL ADMIN::-> RULES:[groups->false], RESOLVED:[]], [::CLIENT ADMIN::-> RULES:[groups->true, kibana_access->false], RESOLVED:[user=clientadmin;group=client-admin;av_groups=client-admin]], [::CLIENT RO::-> RULES:[groups->false], RESOLVED:[]]  }

Hello @duculete!

Looking at the “HIS” (ACL evaluation history log), it seems like the request has valid credentials for the “full-admin” group.

[::CLIENT ADMIN::-> RULES:[groups->true, kibana_access->false]

However, the kibana_access rule denies the index request:

ACT:indices:data/write/index

This is expected, for the definition of “kibana_access: admin”.

If you want to enable ANY request for a certain user or group, you should comment out the kibana_access rule entirely.
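To read the HIS field mechanically instead of by eye, here is an added example (my own code, not part of the ReadonlyREST project) that parses the ACL evaluation history out of the log line quoted above and reports which block the request got furthest in and which rule stopped it. The sample line is trimmed from the post's own FORBIDDEN line, and the layout of the HIS field is assumed to be stable across ROR versions.

```python
import re

# ReadonlyREST ACL log line, trimmed from the FORBIDDEN line quoted in the post
# (USR/ACT/IDX/HIS kept verbatim; the other request fields were dropped).
FORBIDDEN_LINE = (
    "[2019-09-13T08:09:31,554][INFO ][t.b.r.a.l.AclLoggingDecorator] "
    "FORBIDDEN by default req={  USR:[user not logged],  "
    "ACT:indices:data/write/index,  IDX:aaa,  "
    "HIS:[::KIBANA SRV::-> RULES:[groups->false], RESOLVED:[]], "
    "[::FULL ADMIN::-> RULES:[groups->false], RESOLVED:[]], "
    "[::CLIENT ADMIN::-> RULES:[groups->true, kibana_access->false], "
    "RESOLVED:[user=clientadmin;group=client-admin;av_groups=client-admin]], "
    "[::CLIENT RO::-> RULES:[groups->false], RESOLVED:[]]  }"
)

# One HIS entry: [<block name>-> RULES:[rule->bool, ...], RESOLVED:[k=v;...]]
# Assumption: block names, rule names and resolved values contain no brackets.
BLOCK_RE = re.compile(
    r"\[(?P<name>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\], "
    r"RESOLVED:\[(?P<resolved>[^\]]*)\]\]"
)

def parse_history(line):
    """Return [(block_name, {rule: passed}, {resolved_key: value})] in ACL order."""
    blocks = []
    for m in BLOCK_RE.finditer(line):
        rules = {}
        for item in m.group("rules").split(","):
            rule, _, verdict = item.strip().partition("->")
            if rule:
                rules[rule] = verdict == "true"
        resolved = dict(
            kv.split("=", 1) for kv in m.group("resolved").split(";") if "=" in kv
        )
        blocks.append((m.group("name"), rules, resolved))
    return blocks

def deciding_block(line):
    """Return (block, failing_rule). failing_rule is None when the block matched
    fully (request ALLOWED by it); otherwise it names the first rule that stopped
    a block whose other rules had already matched. (None, None) means no block
    recognised the credentials at all, i.e. an authentication problem, not ACL."""
    for name, rules, _ in parse_history(line):
        if rules and all(rules.values()):
            return name, None
        if any(rules.values()):
            return name, next(r for r, ok in rules.items() if not ok)
    return None, None

if __name__ == "__main__":
    print(deciding_block(FORBIDDEN_LINE))  # ('::CLIENT ADMIN::', 'kibana_access')
```

For the line above it reports that the credentials resolved to clientadmin in the ::CLIENT ADMIN:: block and that kibana_access is the rule that rejected the write.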

I want to create the following scenario:

one group for the kibana server user/pass
one group for operators (full admin to all indices including .readonlyrest)
one group for client admin (full access to all indices except .readonlyrest)
one group for client member (only read access to all indices, no access to .readonlyrest)

I am trying with the following config:

readonlyrest:
  access_control_rules:

  - name: "Kibana Server"
    groups: ["kibana-srv"]
    indices: [".kibana*"]

  - name: "Full Admin Users"
    groups: ["full-admin"]
    type: allow

  - name: "Client Admin"
    groups: ["client-admin"]
    kibana_hide_apps: ["readonlyrest_kbn"]

  - name: "Members"
    groups: ["client-ro"]
    actions: ["indices:data/read/*"]
    kibana_hide_apps: ["readonlyrest_kbn"]

  - name: "Protect .readonlyrest from not-full-admin users"
    type: allow
    groups: ["full-admin"]
    actions: [""]
    indices: [".readonlyrest"]

  - name: "Protect .readonlyrest from not-full-admin users"
    type: forbid
    groups: ["client-admin", "client-ro"]
    actions: [""]
    indices: [".readonlyrest"]

  users:

  - username: kibana
    groups: ["kibana-srv"]
    auth_key: kibana:kibana

  - username: fulladmin
    auth_key: fulladmin:kgvt7
    groups: ["full-admin"]

  - username: clientadmin
    groups: ["client-admin"]
    auth_key: clientadmin:5erj3

  - username: client
    groups: ["client-ro"]
    auth_key: client:zk3h8

When I try to access .readonlyrest with user clientadmin, I can read it, and I get

Sep 17 12:41:48 prbiges005es002d01 elasticsearch[48774]: [2019-09-17T12:41:48,164][INFO ][t.b.r.a.l.AclLoggingDecorator] [prbiges005es002d01] ALLOWED by { name: ‘Client Admin’, policy: ALLOW, rules: [groups,kibana_hide_apps] req={ ID:909242607-813465736#777832, TYP:SearchRequest, CGR:N/A, USR:clientadmin, BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.24.135.125/32, XFF:null, DA:172.24.135.125/32, IDX:.readonlyrest, MET:GET, PTH:/.readonlyrest/_search?pretty, CNT:<N/A>, HDR:Accept=/, Authorization=, Content-Type=application/json, Host=prbiges005es002d01:9200, User-Agent=curl/7.58.0, content-length=0, HIS:[Kibana Server-> RULES:[groups->false], RESOLVED:[]], [Full Admin Users-> RULES:[groups->false], RESOLVED:[]], [Client Admin-> RULES:[groups->true, kibana_hide_apps->true], RESOLVED:[user=clientadmin;group=client-admin;av_groups=client-admin;response_hdr=x-ror-kibana-hidden-apps=readonlyrest_kbn]] }