Index interpolation in kibana_index

Hello !
Ror 1.40-pre on Elastic+Kibana 7.16.3

It seems that the Kibana index from headers feature is broken in this version :
Here is what I tried :

• set up an account with the following config :

            - name: "::Import::Export"
              kibana_access: "rw"
              verbosity: info
              auth_key: "import:${ELASTICSEARCH_IMPORT_PASSWORD}"
              indices: [".kibana*"]
              kibana_index: ".@{header:x-kibana-index}" 

• Connect to this account with the following header :
  

• I expected to have an empty space, but in reality I’m connected to the .kibana !
  Logs from ES confirms this :

{"type": "server", "timestamp": "2022-05-05T16:24:33,068+02:00", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "REDACTED", "node.name": "elasticsearch-45-sxwbf", "message": "\u001B[36mALLOWED by { name: '::Import::Export tool ::', policy: ALLOW, rules: [auth_key,kibana_index,kibana_access,indices] req={ ID:566996114--320231449#383558, TYP:SearchRequest, CGR:N/A, USR:import, BRS:true, KDX:.kibana_test2, ACT:indices:data/read/search, OA:REDACTED/32, XFF:REDACTED, DA:REDACTED/32, IDX:.kibana, MET:POST, PTH:/.kibana/_search, CNT:<OMITTED, LENGTH=316.0 B> , HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=elasticsearch-service:9200, connection=close, content-length=316, content-type=application/json, user-agent=elasticsearch-js/7.16.0-canary.7 (linux 3.10.0-957.12.2.el7.x86_64-x64; Node.js v16.13.0), x-elastic-client-meta=es=7.16.0p,js=16.13.0,t=7.16.0p,hc=16.13.0, x-elastic-product-origin=kibana, x-forwarded-for=REDACTED, x-kibana-index=kibana_test2, x-opaque-id=01059a6f-9118-4673-b8bd-6697d0907638, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/api/saved_objects/_find, HIS: [[::Import::Ex
port tool ::-> RULES:[auth_key->true, kibana_index->true, kibana_access->true, indices->true] RESOLVED:[user=import;indices=.kibana;kibana_idx=.kibana_test2]], }\u001B[0m", "cluster.uuid": "dfU-4Q0gQwaBg1Wq9Oa51g", "node.id": "B72n4nuWQuCClFp1SXWlmQ"  }

Even though KDX = .kibana_test2, IDX== .kibana?!
However if i switch kibana_index to a static value, it works like a charm.

I’ve tried with ".@{x-kibana-index}" but to no avail.

Can you confirm you have these headers in requestHeadersWhitelist: [] in kibana.yml ?

By any chance, @pchesneau are you in the process of upgrading from Kibana pre 7.9.1 to a more recent one?

You’re right! Previously we where on 7.8.1.

OK, that explains why you notice behaviour changes: you moved to what we call “new platform”, the whole architecture is completely different, written in another language, etc.

Once your upgrade is completed, it’s going to be quicker, prettier and more stable.

For the question about whitelist :
I have this line in my config :
elasticsearch.requestHeadersWhitelist: ["x-kibana-index","authorization"]

OK because I can see in the ES logs the presence of the header, the Kibana plugin is working correctly. The only thing not working here is the ACL dynamic variable for headers in “kibana_index” rule.

@coutoPL WDYT?

it was resolved like this:
RESOLVED:[user=import;indices=.kibana;kibana_idx=.kibana_test2]]

Any idea what’s going wrong ? If I can help/Test things, let me know

@pchesneau this is a search request. Can you intercept a current user metadata request (the one you can see logged when the user logs in)?

Sure, I’ll send you this through PM.

(I had a quick look : the header seem to be missing from the /_readonlyrest/metadata/current_user request; but present afterwards. )

Ok so here is the bug. I remember fixing something like this, what pre version do you have exactly?

here is a snapshot of package.json :

image743×150 5.07 KB

I can reproduce this in develop branch, unfortunately the bug is still current. I will take a look this evening.

OK I created a solution for this in a PR, will have this reviewed, will run CI, and then send you a build.

Lightning fast, as usual!