Is it possible to get RW access to .kibana but only R access to logstash-*?


(Krešimir Nesek) #1

I have requirements to have people be able to set up their own dashboards in Kibana, but only have read-only access to the log data.

Unfortunately, I cannot seem to achieve this with RoR :(

Attempt 1: We allow read-only access to the developer group to log indices, and in a separate rule we allow RW access to the .kibana index.

access_control_rules:

- name: "Allow write-only access to logs to the log collector system group"
  type: allow
  groups: ["logcollector"]
  actions: ["indices:data/write/index", "indices:data/write/bulk*", "indices:admin/template/*", "indices:admin/create", "cluster:monitor/main"]
  verbosity: error

- name: "Deny access to kibana user from outside reverse proxy server"
  type: forbid
  auth_key: xxxxxxx
  x_forwarded_for: ["0.0.0.0/0"]
  verbosity: error

- name: "Allowing full access to kibana analytics server from localhost"
  type: allow
  auth_key: xxxxxxxxx
  hosts: [127.0.0.1]
  verbosity: error

- name: "Allow access to developers dashboard"
  type: allow
  groups: ["developers"]
  kibana_access: rw
  indices: [".kibana"]

- name: "Allow access to application logs to the developers"
  type: allow
  groups: ["developers"]
  actions: ["indices:admin/*", "indices:data/read/*", "cluster:monitor/*", "cluster:admin/*"]
  indices: ["logstash-ops-*", ".kibana"]

With this config Kibana hangs when performing a search in the Discover tab. Any query results in a time-out, and examining request/response logs in the browser, it indeed seems that the response never comes back. The Elasticsearch log indicates that all requests were allowed; however, unfortunately, the response never comes back. This is the only output in the Elasticsearch log:

[2017-05-25T12:53:47,421][INFO ][o.e.p.r.a.ACL            ] request: { ID:2114639969-1318819892, TYP:FieldStatsRequest, USR:knesek, BRS:false, ACT:indices:data/read/field_stats, OA:127.0.0.1, IDX:logstash-ops-app-*, MET:POST, PTH:/logstash-ops-app-*/_field_stats, CNT:<OMITTED, LENGTH=178>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Allow write-only access to logs to the log collector system group->[actions->false]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allow access to developers dashboard->[kibana_access->true, indices->false]], [Allow access to application logs to the developers->[indices->true, groups->true, actions->true, verbosity->true]] } matched block: Allow access to application logs to the developers match: true}
[2017-05-25T12:53:47,781][INFO ][o.e.p.r.a.b.r.i.IndicesSyncRule] found 1 subrequests
[2017-05-25T12:53:47,783][INFO ][o.e.p.r.a.ACL            ] request: { ID:179488923-1873182215, TYP:MultiSearchRequest, USR:knesek, BRS:false, ACT:indices:data/read/msearch, OA:127.0.0.1, IDX:logstash-ops-app-2017.05.25, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=978>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allow write-only access to logs to the log collector system group->[actions->false]], [Allow access to application logs to the developers->[indices->true, groups->true, actions->true, verbosity->true]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Allow access to developers dashboard->[kibana_access->true, indices->false]] } matched block: Allow access to application logs to the developers match: true}

Attempt 2: Try to combine action rules for R-only on log indices and RW for kibana:

- name: "Allow write-only access to logs to the log collector system group"
  type: allow
  groups: ["logcollector"]
  actions: ["indices:data/write/index", "indices:data/write/bulk*", "indices:admin/template/*", "indices:admin/create", "cluster:monitor/main"]
  verbosity: error

- name: "Deny access to kibana user from outside reverse proxy server"
  type: forbid
  auth_key_sha256: xxxxxxxxxxx
  x_forwarded_for: ["0.0.0.0/0"]
  verbosity: error

- name: "Allowing full access to kibana analytics server from localhost"
  type: allow
  auth_key: xxxxxxxxx
  hosts: [127.0.0.1]
  verbosity: error

- name: "Allow access to application logs to the developers"
  type: allow
  groups: ["developers"]
  actions: ["indices:admin/*", "indices:data/read/*", "cluster:monitor/*", "cluster:admin/*"]
  kibana_access: rw
  indices: ["logstash-ops-*", ".kibana"]

This works in the sense that Discover searches do work, but now the action rules are preventing access to the kibana index and dashboards cannot be edited.

[2017-05-25T13:02:09,464][INFO ][o.e.p.r.a.ACL            ] request: { ID:669410367-2009641601, TYP:FieldStatsRequest, USR:knesek, BRS:false, ACT:indices:data/read/field_stats, OA:127.0.0.1, IDX:logstash-ops-app-*, MET:POST, PTH:/logstash-ops-app-*/_field_stats, CNT:<OMITTED, LENGTH=178>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allow write-only access to logs to the log collector system group->[actions->false]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allow access to application logs to the developers->[kibana_access->true, indices->true, groups->true, actions->true, verbosity->true]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]] } matched block: Allow access to application logs to the developers match: true}
[2017-05-25T13:02:09,862][INFO ][o.e.p.r.a.b.r.i.IndicesSyncRule] found 1 subrequests
[2017-05-25T13:02:09,864][INFO ][o.e.p.r.w.r.SubRequestContext] id: 1035184604-486880334-sub-1803026945 - Not replacing in sub-request. Indices are the same. Old:[logstash-ops-app-2017.05.25] New:[logstash-ops-app-2017.05.25]
[2017-05-25T13:02:09,864][INFO ][o.e.p.r.a.ACL            ] request: { ID:1035184604-486880334, TYP:MultiSearchRequest, USR:knesek, BRS:false, ACT:indices:data/read/msearch, OA:127.0.0.1, IDX:logstash-ops-app-2017.05.25, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=978>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Allow write-only access to logs to the log collector system group->[actions->false]], [Allow access to application logs to the developers->[kibana_access->true, indices->true, groups->true, actions->true, verbosity->true]] } matched block: Allow access to application logs to the developers match: true}
[2017-05-25T13:02:09,866][INFO ][o.e.p.r.a.ACL            ] request: { ID:1035184604-1803026945, TYP:SearchRequest, USR:knesek, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:logstash-ops-app-2017.05.25, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=978>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allow write-only access to logs to the log collector system group->[actions->false]], [Allow access to application logs to the developers->[kibana_access->true, indices->true, groups->true, actions->true, verbosity->true]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]] } matched block: Allow access to application logs to the developers match: true}
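
The `HIS:` field in the ACL log lines above records, for every block, which rules evaluated true or false. As an added example (not part of the original post and not ReadonlyREST code), this Python parser reads a line of that shape and lists the rules that kept each non-matching block from applying. The sample line is constructed and shortened from the format in the post, and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the ACL log format shown in post #1.
SAMPLE = (
    "[2017-05-25T12:53:47,421][INFO ][o.e.p.r.a.ACL ] request: { ID:1-2, "
    "TYP:FieldStatsRequest, USR:knesek, BRS:false, "
    "ACT:indices:data/read/field_stats, OA:127.0.0.1, IDX:logstash-ops-app-*, "
    "MET:POST, PTH:/logstash-ops-app-*/_field_stats, HIS:"
    "[Allow access to developers dashboard->[kibana_access->true, indices->false]], "
    "[Allow access to application logs to the developers->"
    "[indices->true, groups->true, actions->true, verbosity->true]] } "
    "matched block: Allow access to application logs to the developers match: true}"
)

LINE_RE = re.compile(
    r"USR:(?P<user>[^,]*), .*?ACT:(?P<action>[^,]*), .*?IDX:(?P<indices>.*?), MET:"
    r".*?HIS:(?P<his>.*?) \} matched block: (?P<block>.*?) match: (?P<match>true|false)"
)
# One history entry looks like: [Block name->[rule->true, rule->false]]
BLOCK_RE = re.compile(r"\[([^\[\]]+)->\[([^\[\]]*)\]\]")


def parse_acl_line(line):
    """Return request fields and per-block rule results, or None if not an ACL line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    history = {}
    for name, rules in BLOCK_RE.findall(m.group("his")):
        pairs = (r.split("->", 1) for r in rules.split(", ") if "->" in r)
        history[name] = {rule: value == "true" for rule, value in pairs}
    return {
        "user": m.group("user"),
        "action": m.group("action"),
        "indices": m.group("indices"),
        "matched_block": m.group("block") if m.group("match") == "true" else None,
        "history": history,
    }


def rejecting_rules(entry):
    """Map each block that did not match to the rules that evaluated false."""
    return {
        block: [rule for rule, ok in rules.items() if not ok]
        for block, rules in entry["history"].items()
        if block != entry["matched_block"]
    }
```

For the sample, `rejecting_rules(parse_acl_line(SAMPLE))` shows that the dashboard block was skipped because its `indices` rule was false for a `logstash-ops-app-*` request.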

(Shini31) #2

Hello,

I am very interested in the solution. I am also trying to combine 3 types of access:

  • Read only on the .kibana index with kibana_user parameter
  • Read/Write on the .kibana index with kibana_user parameter
  • Read only on other indices

I tried the following configuration without success:

    - name: ":: KIBANA RO GROUP::"
      groups: ["kibana_ro"]
      indices: [".kibana", ".kibana-devnull"]
      kibana_access: ro
      verbosity: error

    - name: ":: KIBANA RW GROUP ::"
      groups: ["kibana_rw "]
      indices: [".kibana", ".kibana-devnull"]
      kibana_access: rw
      verbosity: error

    - name: ":: KIBANA RO LOGS INDICES ::"
      groups: ["logs_ro"]
      indices: ["*-*"] 
      actions: ["indices:data/read/*"]

    users:

    - username: user1
      auth_key_sha256: "xxxxx"
      groups: ["kibana_rw", "]

    - username: user2
      auth_key_sha256: "xxx"
      groups: ["kibana_rw"]

    - username: user3
      auth_key_sha256: "xxx"
      groups: ["kibana_ro"]

Is it possible to add kibana_access in group section?

Regards


(Simone Scarduzio) #3

There’s one space too many here

This is non-valid YAML

There’s no such group under users:

Also I didn’t really understand exactly what you want to do.


(Shini31) #4

Hello,

Thanks for your response. After correcting the typos, everything works perfectly.
I wanted to create a group that has only read-only access to my indices.

Regards.