Help me dial-in curator_user priviliges

jdepaul · March 29, 2019, 8:46pm

I’ve created ‘curator_user’ in readonlyrest.yml file, like this:

  - name: 'Curator User'
    auth_key: "myuser:mysecret"
    actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/*"]

When Curator runs, I get an Unauthorized error. I started investigating and I can’t even access that index from curl:

$ curl -u myuser:mysecret -XGET https://elastic.ecosystem-dev.k8s.us-east-1.dg-commercial-dev-01.satcloud.us/filebeat-2019.03.01
{“error”:{“root_cause”:[{“reason”:“forbidden”}],“reason”:“forbidden”},“status”:403}

DELETE action, of course, is not allowed either… Why?

–P.S.
Here is the entire config:

readonlyrest.yml: |-
readonlyrest:
# IMPORTANT FOR LOGIN/LOGOUT TO WORK
prompt_for_basic_auth: false
audit_collector: true

  access_control_rules:

  - name: 'Localhost'
    hosts: [127.0.0.1]

  - name: 'Probes'
    type: allow
    actions: ['cluster:monitor/*']
  -
    ldap_authentication: everyone
    ldap_authorization: {name: everyone, groups: [SG-App-Kibana-Ecosystem]}
    name: Admins
    kibana_access: admin

  - name: 'Kibana Admin'
    auth_key: "{{ .Values.secrets.kibana.userid }}:{{ .Values.secrets.kibana.password }}"

  - name: 'Lander Account'
    auth_key: "{{ .Values.secrets.lander.userid }}:{{ .Values.secrets.lander.password }}"
    kibana_access: ro

  - name: 'Logstash User'
    auth_key: "{{ .Values.secrets.logstash.userid }}:{{ .Values.secrets.logstash.password }}"
    actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]

  - name: 'Rover User'
    actions: ['cluster:monitor/main', 'indices:data/read/*']
    auth_key: "{{ .Values.secrets.rover.userid }}:{{ .Values.secrets.rover.password }}"

  - name: 'Curator User'
    auth_key: "{{ .Values.secrets.curator.userid }}:{{ .Values.secrets.curator.password }}"
    actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/*"]

  - name: Local Auth for admin 2
    type: allow
    groups: ["Admins"]

  - name: Local Auth for admin
    type: allow
    kibana_access: admin
    groups: ["Admins"]

  users:
  - username: es_admin
    auth_key: "{{ .Values.secrets.es_admin.userid }}:{{ .Values.secrets.es_admin.password }}"
    groups: ["Admins"]

  ldaps:
  - name: everyone
    host: "{{ .Values.ldaps.host }}"
    port: "{{ .Values.ldaps.port }}"
    ssl_enabled: false
    ssl_trust_all_certs: true
    bind_dn: "{{ .Values.ldaps.bind_dn }}"
    bind_password: "{{ .Values.secrets.ldap.bind_password }}"
    search_user_base_DN: "{{ .Values.ldaps.search_user_base_DN }}"
    user_id_attribute: "{{ .Values.ldaps.user_id_attribute }}"
    search_groups_base_DN: "{{ .Values.ldaps.search_groups_base_DN }}"
    unique_member_attribute: "{{ .Values.ldaps.unique_member_attribute }}"

sscarduzio · March 30, 2019, 12:37am

Hi @jdepaul,
The answer to your question is in the ES logs, look for “FORBIDDEN” and analyse the “ACT:” part.

jdepaul · April 1, 2019, 2:09pm

Simone, thanks - that was a good clue. Working on that now…

jdepaul · April 1, 2019, 5:52pm

So I keep getting this error in ES log:
[2019-04-01T17:45:41,264][INFO ][t.b.r.a.ACL ] [elasticsearch-client-7898cb4cb8-vtn2z] FORBIDDEN by default req={ ID:1578983330–50375367#32575, TYP:GetSettingsRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:monitor/settings/get, OA:192.168.131.74, DA:192.168.131.46, IDX:_all, MET:GET, PTH:/_all/_settings?expand_wildcards=open%2Cclosed, CNT:<N/A>, HDR:{content-length=0, connection=keep-alive, content-type=application/json, Host=elasticsearch-client:9200, Accept-Encoding=identity}, HIS:[Localhost->[hosts->false]], [Probes->[actions->false]], [Admins->[ldap_authentication->false]], [Kibana Admin->[auth_key->false]], [Lander Account->[auth_key->false]], [Logstash User->[auth_key->false]], [Rover User->[auth_key->false]], [Curator User->[auth_key->false]], [Local Auth for admin->[groups->false]] }

I have this defined for the curator_user:

name: ‘Curator User’
auth_key: “curator_user:******"
actions: [“indices:admin/types/exists”,"indices:data/read/","indices:data/write/","indices:admin/template/","indices:admin/”,“indices:monitor/settings/get”,“indices:monitor/stats”]

I don’t know why it’s still FORBIDDEN

sscarduzio · April 1, 2019, 8:47pm

See:

And

As you can see ROR cannot extract a user from the request because there is no Authorization header. You need to tell curator to use HTTP “Basic” auth.

Once you do that, you need also to review your actions rule, as some of the rules you write end in “/”, I guess you forgot the star, i.e. "indices:data/read/* " instead of “indices:data/read/”.

Once you fix your actions rule, observe curator’s traffic. There will be the “ACT:” field in ROR ES log lines, it will tell you what action is Curator requesting.

After some trial and error you will be able to obtain the list of actions that curator needs to do, and authorize it for those only.

jdepaul · April 2, 2019, 8:35pm

Your guidance was very good on this, thank you very much - got it all ironed out now. Grazie benne!

sscarduzio · April 3, 2019, 4:05pm

Glad to help, @jdepaul