Is response_if_req_forbidden message functionality changed

On ROR login screen, if I type wrong creds, I get this message

Could not login: { “kibanaIndex”: “.kibana”, “authHeaders”: “”,…

instead of what is defined in

enable: true
response_if_req_forbidden: Access Denied! Please contact …

I am using Enterprise version 1.24


Hi @praveenmak, got it. Will have a look!

This was tricky.

Actually you should not see that message, unless your incorrect credentials have been matched by an ACL block that does not carry user identity information.

One of the classic pitfalls is to have a “catch all” ACL block with “hosts” rule in the bottom of the ACL.

Simple try: try and log in again, but this time observe the Elasticsearch logs, and it won’t show “FORBIDDEN” when you put wrong credentials. It will say ALLOWED by
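To make the pitfall concrete, here is a constructed readonlyrest.yml fragment (an added example, not configuration from the thread or from the ReadonlyREST project): the commented-out trailing block with only a `hosts` rule is the one that turns a wrong-credential login into ALLOWED, and the blocks below it show the corrected shape where every block that can match a login also carries an identity rule. Credentials, block names and the CIDR are placeholders.

```yaml
readonlyrest:
  enable: true
  response_if_req_forbidden: "Access Denied! Please contact CONTACT_PLACEHOLDER"

  access_control_rules:

  # Pitfall described above: a trailing "catch all" block with only a hosts
  # rule matches every request from these addresses, including one carrying
  # wrong credentials. ES logs ALLOWED, but the block carries no user
  # identity, so the Kibana login fails later with the raw JSON message
  # instead of the response_if_req_forbidden text.
  #
  # - name: "catch all from the office"   # remove this block
  #   hosts: ["10.0.0.0/8"]               # constructed example CIDR

  # Corrected: each block that can match a login includes an identity rule
  # (auth_key here; constructed example credentials). A request with wrong
  # credentials matches no block, is FORBIDDEN, and the login screen shows
  # the configured response_if_req_forbidden message.
  - name: "kibana server"
    auth_key: kibana:KIBANA_PASSWORD_PLACEHOLDER
    kibana_access: admin

  - name: "office analysts"
    auth_key: analyst:ANALYST_PASSWORD_PLACEHOLDER
    hosts: ["10.0.0.0/8"]                 # hosts combined with auth_key, not alone
    kibana_access: ro
```

To confirm the fix, repeat the wrong-credential login and check the Elasticsearch log: the attempt should now be reported as FORBIDDEN rather than ALLOWED by the removed block.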

Sorry I have not got a chance to look into this. But my users still complain about this.

Are you saying I should have “catch all” ACL block with “hosts” rule in the bottom of the ACL?

No, I always advise not to have a block with only a “hosts” rule.

@sscarduzio Any idea on what I should be doing here to get a “readable” error message?
It would help us if you could provide a simple example.

You have a point @praveenmak. I guess we could reject login attempts (user metadata API request) with an eloquent error message when there is no info about a user in the matched ACL block (i.e. an ACL block with hosts rule alone).

Will add to Jira. edit: added ID RORDEV-490