Hosts_local question

When should the hosts_local ACL rule match true, under what conditions? All of the combinations I have tried have come back “[hosts_local->false]”

The ACL

• name: “::Test::”
  hosts_local: [ “10.1.1.199”, “127.0.0.1” , “127.1.1.1”]

This is the elasticsearch config:

network.host: [ “10.1.1.199”, “127.0.0.1” , “127.1.1.1”]

I have tried locally on the server via the curl command to all the above IP addresses. I have also tried from a different machine to 10.1.1.199 address. Am I missing something obvious?

ELK 6.2.3
ROR 1.16.18

Hi @brian, your ES logs should show OA/DA (origin address, destination address) fields, so you can debug what addresses the request contains.

ALLOWED by { name: ‘::ADMIN_GRP::’, policy: ALLOW} req={ ID:1475216662–1212640048#16672, TYP:SearchRequest, CGR:N/A, USR:admin, BRS:false, KDX:.kibana_123, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana_123, MET:POST, PTH:/.kibana_123/_search?size=10000&from=0&_source=index-pattern.title%2Ctype%2Ctitle, CNT:<OMITTED, LENGTH=80>, HDR:{authorization=Basic YWRtaW46ZGV2, Connection=keep-alive, Authorization=, content-type=application/json, Host=localhost:9200, Content-Length=80}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::PERSONAL_GRP::->[auth_key->false]], [::ADMIN_GRP::->[kibana_access->true, auth_key->true, kibana_index->true]] }

ACL block:

- name: "::CLI::"
  type: allow
  hosts_local: ["127.1.1.1"]

The request:

[root@readonlyrest ~]# curl 127.1.1.1:9200
{“error”:{“root_cause”:[{“type”:“status_exception”,“reason”:“Forbidden by ReadonlyREST ES plugin”}],“type”:“status_exception”,“reason”:“Forbidden by ReadonlyREST ES plugin”},"

The error log:

FORBIDDEN by default req={ ID:1064258065-1857026019#543, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:127.0.0.1, DA:127.1.1.1, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=/, content-length=0, Host=127.1.1.1:9200, User-Agent=curl/7.29.0}, HIS:[::CLI::->[hosts_local->false]] }

And from the debug messaging:

[DEBUG][t.b.r.a.b.Block ] [::CLI::] the request matches no rules in this block: { ID:1064258065-1857026019#543, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:127.0.0.1, DA:127.1.1.1, IDX:<N/A>, MET:GET, PTH:/, CNT:<N/A>, HDR:{Accept=/, content-length=0, Host=127.1.1.1:9200, User-Agent=curl/7.29.0}, HIS:[::CLI::->[hosts_local->false]] }

Fixed this in master and added unit test. Will give you a test build ASAP.

Here is the build with the fix, please let me know if all is good now!

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.19-pre1/readonlyrest-1.16.19-pre1_es6.2.3.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20180414/eu-west-1/s3/aws4_request&X-Amz-Date=20180414T015456Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=16c47b421c6a571f618acca7699f4df56eb128c6c85f4e1334435ef6d3e9bae5

Hi, I am getting the same issue with elastic search 6.2.1 and readonlyrest plugin readonlyrest-1.16.18_es6.2.1. Do you have fix for 6.2.1 too? Thanks

Hi, sure:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.19-pre2/readonlyrest-1.16.19-pre2_es6.2.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20180417/eu-west-1/s3/aws4_request&X-Amz-Date=20180417T083909Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=8665d87a7d479a9f44ae65bc7cae122701d90a00b8f2a933b15fccafa8f558a2

Great! Thanks @sscarduzio

Also I have one more issue. I am getting the same response for hosts setting. Does it work?

I verified that it is same as what I see in OA field in logs…

hosts: [172.21.5.208]

[2018-04-17T03:35:26,891][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:480489791-844682771#4625, TYP:MainRequest, CGR:N/A, USR:logstash(?), BRS:true, KDX:null, ACT:cluster:monitor/main, OA:172.21.5.208, DA:172.21.14.173, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Accept-Encoding=gzip,deflate, Authorization=Basic bG9nc3Rhc2g6bG9nc3Rhc2gwbmx5, Connection=Keep-Alive, content-length=0, Content-Type=application/json, Host=172.21.14.173:9200, User-Agent=Manticore 0.6.1}, HIS: }

why the “HIS” history bit is missing?

Thanks again @sscarduzio. Is there anything I should do to see this HIS history?

it should log all the blocks and rules the request is checked against as it walks down its way through the ACL.

Thanks for your input @sscarduzio. It’s YAML formatting issue. access_control_rules was in the same level as readonlyrest. After fixing that, things are looking good.

I am going through list of action rules mentioned @ readonlyrest-docs/elasticsearch.md at master · beshu-tech/readonlyrest-docs · GitHub

Is there any documentation explaining which action should be used for what? I want to allow category indices (http://xxx:9200/_cat/indices?v) but don’t know which action to use?

Please advise.

Thanks.

Just send a _cat/indices request and read the ROR log line. It will print the ACT (action). Consider that this is so specific that you could just use uri_re rule to intercept the right HTTP path.

Great! Thanks @sscarduzio.

Hi @sscarduzio, one more question please. I am unable to create index patterns in Kibana with following rule:

- name: "::KIBANA RW DEVELOPER::"
  auth_key: kibanaadmin:admin0nly
  kibana_access: rw
  indices: [".kibana", "log_index-*"]

What am I missing?

I tried adding read indices ACT like below but did not get through…
actions: [“indices:data/read/*”]

Thanks,

@sairamvla

Might be related, might not. I had weird problems when I did not specify a Kibana index. You might try that.

kibana_index: ".kibana"

kibana_index: is which index to use to store Kibana settings and kibana_access: is what permissions to grant to that index. These two deal with the inner workings of Kibana.

indices: is which indexes to give permission to and actions: is what permissions to give to them. From the perspective of a Kibana user, these two deal with the indexes that you see in Kibana and not the .kibana index itself.

This looks ok to me, even for writing the index pattern. Not sure how the rest of the settings looks like though.

Anyway, please show us the Elasticsearch log lines where you get the “FORBIDDEN” request when you try to create the index pattern.

(for future people searching, since the title of this thread is descriptive)

This feature is absolutely amazing especially when dealing with more then one service connecting to localhost:9200. Such as Kibana, Kibana X-Pack monitoring, CLI access, Curator, etc all running on the same host.

Also, many thanks @sscarduzio It took some time to fully embrace the flexibility of the permission architecture using ACL blocks but I’m starting to gain appreciation of it.

Take for instance Kibana, without the hosts_local: feature; it is very difficult to do the following all at the same time:

1. Kibana needs full access and can log in with an user:pass
2. Kibana X-Pack needs to connect without a user or pass due to an limitation in X-Pack
3. You want to allow CLI access without authentication for basic RO troubleshooting

What you do is use a different loopback IP for each service and then use the hosts_local: variable to filter on it. That way multiple services all running on the same server can be distinguished from each other. In short, you can say “This ACL block apply only to this particular service”. RoR ACL is top->down first match so being able to distinguis one service from another is incredibly powerful. In the example below, the main Kibana service connects to 127.1.1.1, the Kibana Xpack service connects to 127.1.1.2, and the CLI for localhost:9200 allows basic view only troubleshooting options with zero authentication.

# Local command line
- name: "::CLI::"
  actions: ["cluster:monitor/*","indices:monitor/*"]
  hosts_local: ["127.0.0.1"]

# Kibana service
- name: "::KIBANA::"
  auth_key: kibanauser:kibanapass
  verbosity: error
  hosts_local: ["127.1.1.1"]

# Allow Kibana monitoring to work
- name: "::KIBANA::XPACK::"
  type: allow
  actions: ["cluster:monitor/*","cluster:admin/xpack/*","indices:data/read/*","indices:data/write/*","indices:admin/*"]
  indices: [".kibana*",".monitoring*"]
  hosts: ["127.1.1.2"]      
  verbosity: error

And then in kibana.yml:

elasticsearch.url: "http://127.1.1.1:9200"
elasticsearch.username: "kibanauser"
elasticsearch.password: "kibanapass"

xpack.monitoring.elasticsearch.url: "http://127.1.1.2:9200"

Theoretically, a person on the CLI could access 127.1.1.2:9200 and gain higher level privledges with zero authentication to the .kibana and .monitoring* indexes. The importance of this is debatable though, once a person has access to the server the user/password are in kibana.yml for full access anyways.

Another common usage would be to secure ONLY Kibana. Many users of ELK only use Kibana and could care less what is happening on the back end and only want security in Kibana itself. Adding security in the back end is an unnecessary nuisance since only administrators have access to that level anyways. Remove the actions: restriction to the above example and this will allow full access for everythign except for Kibana. In short it makes RoR only secure Kibana, nothing else.

# Local command line
- name: "::CLI::"
  hosts_local: ["127.0.0.1"]

# Kibana service
- name: "::KIBANA::"
  auth_key: kibana:readonlyrest
  verbosity: error
  hosts_local: ["127.1.1.1"]

[2018-04-23T02:19:03,598][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1878695106–301404706#1022, TYP:FieldCapabilitiesRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:indices:data/read/field_caps, OA:172.21.32.159, DA:172.21.32.159, IDX:log_index-, MET:POST, PTH:/log_index-/_field_caps?fields=*&ignore_unavailable=true&allow_no_indices=false, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=172.21.32.159:9200}, HIS:[::LOGSTASH::->[auth_key->false]], [::DOCSHOUND::->[auth_key->false]], [::ES READONLY::->[auth_key->false]], [::ES ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::KIBANA RW DEVELOPER::->[auth_key->false]], [::KIBANA RO DEVELOPER::->[auth_key->false]] }