Hide apps doesn't restrict access to apps ES7.11.2 1.29.0

ronald.vanboven · May 14, 2021, 3:28pm

Enterprise RoR 1.29.0
Kibana 7.11.2
Elasticsearch 7.11.2

If you configure:

name: “Allow RO read access to relevant indices”
indices: [".kibana", “.kibana_reporting”, “readonlyrest_audit-*”]
kibana_index: “.kibana”
kibana_access: ro
kibana_hide_apps: [“Analytics|Overview”, “Analytics|Canvas”, “Analytics|Maps”, “Enterprise Search”, “Observability”, “Security”, “Management”, “readonlyrest_kbn”]
groups: [“RO_master”]

in combination with:

username: XXX
auth_key: XXX:YYY
groups: [“RO_master”]

And you login with the XXX user.
And then open the URL:
http://XXX/app/enterprise_search/overview
The page opens.
This works for all apps.

In Elasticsearch 7.6.1 in combination with RoR 1.25.0 you would be redirected back to the default page.
I consider this a security risk.

sscarduzio · May 17, 2021, 9:11pm

Hi @ronald.vanboven, we have a fix for this in a PR. Will notify you and send a build to you as soonas this gets approved and merged.

peterrinka · May 24, 2021, 7:56am

I tested the new version ROR Enterprise plugin 1.30.0 for ELK 7.10.2 but my TEST user with restricted kibana_hide_apps: [“Management|Stack Management”]

can still see and use Kibana -> Home: Manage
he doesn’t see Stack management in left menu but he can still open the link http:///app/management (no redirection back to the default page)

sscarduzio · May 27, 2021, 2:34pm

Hi @peterrinka the PR mentioned is not present in 1.30.0, it’ still under review for some reason. Will ping some engineer to review it ASAP.

sscarduzio · June 3, 2021, 2:14pm

This is fixed in master, will be in 1.32.0

askids · June 3, 2021, 6:57pm

@sscarduzio a related question. Previously, hide apps was useful, when that was the only way to control access to individual apps. Now using Kibana space also, you can technically achieve same result. Kibana space can also be secured through native xpack security that comes with basic license. Its a simple - all access, read only and none.

Previously, there was no plan to support Kibana space as you were looking at a platform rehaul due to upcoming Kibana 8 changes, So didn’t make sense to add support at that time. But now that ROR has been updated to support the new Kibana platform, would you like to revisit supporting Kibana space in ROR ? What is the roadmap for supporting Kibana space in 7.9 and above, which uses the new ROR platform. Can you please shed some light on it?

Thanks!

sscarduzio · June 7, 2021, 1:56pm

Hi @askids, spaces is not incompatible with ROR hidden apps feature. You can use both at the moment.

Although they are similar, there are a few radical differences between disabling features with spaces and using ROR Hidden apps:

Granularity: ROR Hidden apps can disable sub-menu items
Permissions: unless a tenant has kibana_access “ro” or “ro_strict”, they can go and re-enable the disabled space features. With ROR Hidden apps you need ACL editing permissions (admin)
Globality: ROR Hidden apps make sure the tenant cannot see the menu items in ALL spces, included newly created ones.