Hide apps doesn't restrict access to apps ES7.11.2 1.29.0

Enterprise RoR 1.29.0
Kibana 7.11.2
Elasticsearch 7.11.2

If you configure:

  • name: “Allow RO read access to relevant indices”
    indices: [".kibana", “.kibana_reporting”, “readonlyrest_audit-*”]
    kibana_index: “.kibana”
    kibana_access: ro
    kibana_hide_apps: [“Analytics|Overview”, “Analytics|Canvas”, “Analytics|Maps”, “Enterprise Search”, “Observability”, “Security”, “Management”, “readonlyrest_kbn”]
    groups: [“RO_master”]

in combination with:

  • username: XXX
    auth_key: XXX:YYY
    groups: [“RO_master”]

And you login with the XXX user.
And then open the URL:
http://XXX/app/enterprise_search/overview
The page opens.
This works for all apps.

In Elasticsearch 7.6.1 in combination with RoR 1.25.0 you would be redirected back to the default page.
I consider this a security risk.

Hi @ronald.vanboven, we have a fix for this in a PR. Will notify you and send a build to you as soonas this gets approved and merged.

2 Likes

I tested the new version ROR Enterprise plugin 1.30.0 for ELK 7.10.2 but my TEST user with restricted kibana_hide_apps: [“Management|Stack Management”]

  • can still see and use Kibana -> Home: Manage
  • he doesn’t see Stack management in left menu but he can still open the link http:///app/management (no redirection back to the default page)

Hi @peterrinka the PR mentioned is not present in 1.30.0, it’ still under review for some reason. Will ping some engineer to review it ASAP.

This is fixed in master, will be in 1.32.0

2 Likes

@sscarduzio a related question. Previously, hide apps was useful, when that was the only way to control access to individual apps. Now using Kibana space also, you can technically achieve same result. Kibana space can also be secured through native xpack security that comes with basic license. Its a simple - all access, read only and none.

Previously, there was no plan to support Kibana space as you were looking at a platform rehaul due to upcoming Kibana 8 changes, So didn’t make sense to add support at that time. But now that ROR has been updated to support the new Kibana platform, would you like to revisit supporting Kibana space in ROR ? What is the roadmap for supporting Kibana space in 7.9 and above, which uses the new ROR platform. Can you please shed some light on it?

Thanks!

Hi @askids, spaces is not incompatible with ROR hidden apps feature. You can use both at the moment.

Although they are similar, there are a few radical differences between disabling features with spaces and using ROR Hidden apps:

  • Granularity: ROR Hidden apps can disable sub-menu items
  • Permissions: unless a tenant has kibana_access “ro” or “ro_strict”, they can go and re-enable the disabled space features. With ROR Hidden apps you need ACL editing permissions (admin)
  • Globality: ROR Hidden apps make sure the tenant cannot see the menu items in ALL spces, included newly created ones.