Hide apps not working (ES v6.7.0 / RoR 1.17.6)


(Paul) #1

Hi

I have deployed a new ES cluster 6.7.0, with RoR for ES & KI Pro installed. We are using JWT - and i can see when i have logged in, down the bottom the user logged in matches the rule.

Here is the log showing when i go to the Kibana page, that the rule name is 0001 Admin

[2019-05-10T03:26:12,721][INFO ][t.b.r.a.l.AclLoggingDecorator] [elk01] ALLOWED by { name: '::0001 Admin::', policy: ALLOW, rules: [jwt_auth,kibana_access,indices,users,kibana_hide_apps] req={ ID:681690767-1448692554#1235922, TYP:MultiSearchRequest, CGR:N/A, USR:3f55955c816744f4b4d009a1ee774ffa, BRS:false, KDX:null, ACT:indices:data/read/msearch, OA:172.23.0.5/32, XFF:null, DA:172.23.0.3/32, IDX:0001-tickets-, MET:POST, PTH:/_msearch?rest_total_hits_as_int=true&ignore_throttled=true, CNT:<OMITTED, LENGTH=14879.0 B> , HDR:Connection=keep-alive, Content-Length=14879, Host=es01:9200, authorization=Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV...Q.kx87qI, content-type=application/json, HIS:[ak->[auth_key->false]], [pa->[auth_key->false]], [::0001 Admin::->[jwt_auth->true, kibana_access->true, indices->true, users->true, kibana_hide_apps->true]] }

Here is the conf lines for that rule:

    - name: "::0001 Admin::"
      kibana_access: rw
      indices: [".kibana", "0001-ts-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management", "apm", "monitoring", "kibana:discover","kibana:visualize"]      
      users:       users: ["3f55955c816744fa"]
#      verbosity: error
      jwt_auth:
        name: "0001"

    - name: "::0001 Admin Part 2::"
      type: forbid
      users: ["3f55955c816744fa"]
      jwt_auth:
        name: "0001"

And here you can see that the rule is being saved, and being applied:


[2019-05-10T03:20:48,486][INFO ][t.b.r.e.IndexLevelActionFilter] [elk01] Settings observer refreshing...
...
[2019-05-10T03:20:48,574][INFO ][t.b.r.a.f.CoreFactory    ] [elk01] ADDING BLOCK:       { name: '::0001 Admin::', policy: ALLOW, rules: [jwt_auth,kibana_access,indices,users,kibana_hide_apps]
[2019-05-10T03:20:48,574][INFO ][t.b.r.a.f.CoreFactory    ] [elk01] ADDING BLOCK:       { name: '::0001 Admin Part 2::', policy: FORBID, rules: [jwt_auth,users]
...
[2019-05-10T03:20:48,577][INFO ][t.b.r.e.IndexLevelActionFilter] [elk01] Configuration reloaded - ReadonlyREST enabled
[2019-05-10T03:20:48,593][INFO ][t.b.r.e.IndexLevelActionFilter] [elk01] Settings observer refreshing...
[2019-05-10T03:20:48,608][INFO ][t.b.r.e.SettingsObservableImpl] [elk01] all ok, written settings
...
[2019-05-10T03:20:48,680][INFO ][t.b.r.a.f.CoreFactory    ] [elk01] ADDING BLOCK:       { name: '::0001 Admin::', policy: ALLOW, rules: [jwt_auth,kibana_access,indices,users,kibana_hide_apps]
[2019-05-10T03:20:48,680][INFO ][t.b.r.a.f.CoreFactory    ] [elk01] ADDING BLOCK:       { name: '::0001 Admin Part 2::', policy: FORBID, rules: [jwt_auth,users]
...
[2019-05-10T03:20:48,681][INFO ][t.b.r.e.IndexLevelActionFilter] [elk01] Configuration reloaded - ReadonlyREST enabled
[2019-05-10T03:20:48,707][INFO ][t.b.r.e.SettingsObservableImpl] [elk01] all ok, written settings

Yet when i go in, i see all the menus on the left


(Simone Scarduzio) #2

No errors in the logs or in the JS console?


(Paul) #3

ES logs - not sure, as when i looked i found the log file was going crazy with JWT ket not being long enough - but it is. See io.jsonwebtoken.security.WeakKeyException error - even when key is 70 characters.
Looking at the JS console, i see this come up when i load the kibana page

image


(Paul) #4

Simone

I restarted ES as i wanted to increase the heap memory from the 512m it was setup with to 1g. After this happened, when i went to the dashboard - the items were hidden!

But how do i hide Maps, Machine Learning, Uptime, Graph, as its not in the documentation on github?

Thanks


(mdnuts) #5

easiest way is to see what it calls for on the URL. for example if you click maps you see:

https://yourdomain.com:5601/app/maps

or uptime

https://yourdomain.com:5601/app/uptime

so your

kibana_hide_apps: ["uptime","maps",....]


(Simone Scarduzio) #6

There is some examples of kibana_hide_apps values in the docs, we should update it with all the new apps Kibana team has created. Maybe you can add them yourself, as the docs project is a collaborative effort :slight_smile: