Help me dial-in curator_user priviliges


(JamesD) #1

I’ve created ‘curator_user’ in readonlyrest.yml file, like this:

  - name: 'Curator User'
    auth_key: "myuser:mysecret"
    actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/*"]

When Curator runs, I get an Unauthorized error. I started investigating and I can’t even access that index from curl:

$ curl -u myuser:mysecret -XGET https://elastic.ecosystem-dev.k8s.us-east-1.dg-commercial-dev-01.satcloud.us/filebeat-2019.03.01
{“error”:{“root_cause”:[{“reason”:“forbidden”}],“reason”:“forbidden”},“status”:403}

DELETE action, of course, is not allowed either… Why?

–P.S.
Here is the entire config:

readonlyrest.yml: |-
readonlyrest:
# IMPORTANT FOR LOGIN/LOGOUT TO WORK
prompt_for_basic_auth: false
audit_collector: true

  access_control_rules:

  - name: 'Localhost'
    hosts: [127.0.0.1]

  - name: 'Probes'
    type: allow
    actions: ['cluster:monitor/*']
  -
    ldap_authentication: everyone
    ldap_authorization: {name: everyone, groups: [SG-App-Kibana-Ecosystem]}
    name: Admins
    kibana_access: admin

  - name: 'Kibana Admin'
    auth_key: "{{ .Values.secrets.kibana.userid }}:{{ .Values.secrets.kibana.password }}"

  - name: 'Lander Account'
    auth_key: "{{ .Values.secrets.lander.userid }}:{{ .Values.secrets.lander.password }}"
    kibana_access: ro

  - name: 'Logstash User'
    auth_key: "{{ .Values.secrets.logstash.userid }}:{{ .Values.secrets.logstash.password }}"
    actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]

  - name: 'Rover User'
    actions: ['cluster:monitor/main', 'indices:data/read/*']
    auth_key: "{{ .Values.secrets.rover.userid }}:{{ .Values.secrets.rover.password }}"

  - name: 'Curator User'
    auth_key: "{{ .Values.secrets.curator.userid }}:{{ .Values.secrets.curator.password }}"
    actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/*"]

  - name: Local Auth for admin 2
    type: allow
    groups: ["Admins"]

  - name: Local Auth for admin
    type: allow
    kibana_access: admin
    groups: ["Admins"]

  users:
  - username: es_admin
    auth_key: "{{ .Values.secrets.es_admin.userid }}:{{ .Values.secrets.es_admin.password }}"
    groups: ["Admins"]

  ldaps:
  - name: everyone
    host: "{{ .Values.ldaps.host }}"
    port: "{{ .Values.ldaps.port }}"
    ssl_enabled: false
    ssl_trust_all_certs: true
    bind_dn: "{{ .Values.ldaps.bind_dn }}"
    bind_password: "{{ .Values.secrets.ldap.bind_password }}"
    search_user_base_DN: "{{ .Values.ldaps.search_user_base_DN }}"
    user_id_attribute: "{{ .Values.ldaps.user_id_attribute }}"
    search_groups_base_DN: "{{ .Values.ldaps.search_groups_base_DN }}"
    unique_member_attribute: "{{ .Values.ldaps.unique_member_attribute }}"

(Simone Scarduzio) #2

Hi @jdepaul,
The answer to your question is in the ES logs, look for “FORBIDDEN” and analyse the “ACT:” part.


(JamesD) #3

Simone, thanks - that was a good clue. Working on that now…


(JamesD) #4

So I keep getting this error in ES log:
[2019-04-01T17:45:41,264][INFO ][t.b.r.a.ACL ] [elasticsearch-client-7898cb4cb8-vtn2z] FORBIDDEN by default req={ ID:1578983330–50375367#32575, TYP:GetSettingsRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:monitor/settings/get, OA:192.168.131.74, DA:192.168.131.46, IDX:_all, MET:GET, PTH:/_all/_settings?expand_wildcards=open%2Cclosed, CNT:<N/A>, HDR:{content-length=0, connection=keep-alive, content-type=application/json, Host=elasticsearch-client:9200, Accept-Encoding=identity}, HIS:[Localhost->[hosts->false]], [Probes->[actions->false]], [Admins->[ldap_authentication->false]], [Kibana Admin->[auth_key->false]], [Lander Account->[auth_key->false]], [Logstash User->[auth_key->false]], [Rover User->[auth_key->false]], [Curator User->[auth_key->false]], [Local Auth for admin->[groups->false]] }

I have this defined for the curator_user:

  • name: ‘Curator User’
    auth_key: “curator_user:******"
    actions: [“indices:admin/types/exists”,"indices:data/read/
    ","indices:data/write/
    ","indices:admin/template/
    ","indices:admin/
    ”,“indices:monitor/settings/get”,“indices:monitor/stats”]

I don’t know why it’s still FORBIDDEN


(Simone Scarduzio) #5

See:

And

As you can see ROR cannot extract a user from the request because there is no Authorization header. You need to tell curator to use HTTP “Basic” auth.

Once you do that, you need also to review your actions rule, as some of the rules you write end in “/”, I guess you forgot the star, i.e. "indices:data/read/* " instead of “indices:data/read/”.

Once you fix your actions rule, observe curator’s traffic. There will be the “ACT:” field in ROR ES log lines, it will tell you what action is Curator requesting.

After some trial and error you will be able to obtain the list of actions that curator needs to do, and authorize it for those only.


(JamesD) #6

Your guidance was very good on this, thank you very much - got it all ironed out now. Grazie benne!


(Simone Scarduzio) #7

Glad to help, @jdepaul :sunglasses::tada::raised_hands: