Hi Simone,
Here are the logs from Elasticsearch:
[2021-09-13T09:17:12,008][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [slap-indexer] FORBIDDEN by default req={ ID:812471764-1121914204#10928145, TYP:SearchRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana_7.14.1, MET:POST, PTH:/.kibana_7.14.1/_search, CNT:<OMITTED, LENGTH=312.0 B> , HDR:Connection=keep-alive, Host=localhost:9200, content-length=312, content-type=application/json, user-agent=elasticsearch-js/7.14.0-canary.7 (linux 3.10.0-1160.24.1.el7.x86_64-x64; Node.js v14.17.5), x-elastic-client-meta=es=7.14.0p,js=14.17.5,t=7.14.0p,hc=14.17.5, x-elastic-product-origin=kibana, x-opaque-id=55e4a6a0-a618-48a3-9110-8ee2d4bc6ef2, HIS:[logstash with write and create permissions for its own indices-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [Kibana Server-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [TGCD users-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], [Administrator-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], }
[2021-09-13T09:17:17,317][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [slap-indexer] FORBIDDEN by default req={ ID:2082594779--1159173687#10928434, TYP:SearchRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana_7.14.1, MET:POST, PTH:/.kibana_7.14.1/_search, CNT:<OMITTED, LENGTH=500.0 B> , HDR:Connection=keep-alive, Host=localhost:9200, content-length=500, content-type=application/json, user-agent=elasticsearch-js/7.14.0-canary.7 (linux 3.10.0-1160.24.1.el7.x86_64-x64; Node.js v14.17.5), x-elastic-client-meta=es=7.14.0p,js=14.17.5,t=7.14.0p,hc=14.17.5, x-elastic-product-origin=kibana, HIS:[logstash with write and create permissions for its own indices-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [Kibana Server-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [TGCD users-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], [Administrator-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], }
[2021-09-13T09:17:21,968][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [slap-indexer] FORBIDDEN by default req={ ID:470609856-1121914204#10928695, TYP:SearchRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana_7.14.1, MET:POST, PTH:/.kibana_7.14.1/_search, CNT:<OMITTED, LENGTH=312.0 B> , HDR:Connection=keep-alive, Host=localhost:9200, content-length=312, content-type=application/json, user-agent=elasticsearch-js/7.14.0-canary.7 (linux 3.10.0-1160.24.1.el7.x86_64-x64; Node.js v14.17.5), x-elastic-client-meta=es=7.14.0p,js=14.17.5,t=7.14.0p,hc=14.17.5, x-elastic-product-origin=kibana, x-opaque-id=d86610a8-6068-4e6d-9863-ce20efdb4b72, HIS:[logstash with write and create permissions for its own indices-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [Kibana Server-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [TGCD users-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], [Administrator-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], }
[2021-09-13T09:17:43,756][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [slap-indexer] FORBIDDEN by default req={ ID:281463817-1121914204#10929210, TYP:SearchRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana_7.14.1, MET:POST, PTH:/.kibana_7.14.1/_search, CNT:<OMITTED, LENGTH=312.0 B> , HDR:Connection=keep-alive, Host=localhost:9200, content-length=312, content-type=application/json, user-agent=elasticsearch-js/7.14.0-canary.7 (linux 3.10.0-1160.24.1.el7.x86_64-x64; Node.js v14.17.5), x-elastic-client-meta=es=7.14.0p,js=14.17.5,t=7.14.0p,hc=14.17.5, x-elastic-product-origin=kibana, x-opaque-id=5c859167-6bda-4838-929a-73c3f4d14e36, HIS:[logstash with write and create permissions for its own indices-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [Kibana Server-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], [TGCD users-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], [Administrator-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], }
The ReadonlyREST YAML file:
readonlyrest:
  force_load_from_file: true
  audit_collector: true
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "logstash with write and create permissions for its own indices"
    auth_key: logstash:logstash
    actions: ["cluster:monitor/main","cluster:monitor/nodes/stats","cluster:monitor/xpack/info","cluster:admin/xpack/monitoring/bulk","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logstash-*","error-*","monitoring-*","tomcat-*","nginx-*","squid-*"]
  - name: "Kibana Server"
    auth_key: kibana:kibana
    verbosity: error
  - name: "TGCD users"
    ldap_auth:
      name: "ldap-ep"
      groups: ["MUST-MBX-TGCD"]
    kibana_access: rw
    indices: [".kibana", ".kibana-devnull","tomcat-*","nginx-*","error-*","squid-*"]
    kibana_hide_apps: ["timelion", "kibana:dev_tools", "kibana:management","ml","uptime","apm","infra:home","infra:logs","maps","canvas","monitoring"]
  - name: "Administrator"
    ldap_auth:
      name: "ldap-ep"
      groups: ["MUST-MBX-AMDIN"]
    kibana_access: admin
  ldaps:
  - name: ldap-ep
    host: "xxxx"
    port: 389
    ssl_enabled: false
    ssl_trust_all_certs: false
    bind_dn: "xxx"
    bind_password: "xxx"
    search_user_base_DN: "xxx"
    user_id_attribute: "sAMAccountName"
    search_groups_base_DN: "xxx"
    unique_member_attribute: "member"
    connection_pool_size: 10
    connection_timeout_in_sec: 10
    request_timeout_in_sec: 10
    cache_ttl_in_sec: 60
Regards
Hassen
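
Added example (not part of the post above and not ReadonlyREST's own code): a small Python parser for `AccessControlLoggingDecorator` lines in the format shown in the logs, extracting the user, action, index and the per-block `HIS` history so you can see which rule each ACL block stopped at. The sample line is constructed and shortened from that format; the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the log format shown in the post above.
SAMPLE = (
    "[2021-09-13T09:17:12,008][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] "
    "[slap-indexer] FORBIDDEN by default req={ ID:1-2#3, TYP:SearchRequest, "
    "USR:[no info about user], BRS:true, ACT:indices:data/read/search, "
    "OA:127.0.0.1/32, IDX:.kibana_7.14.1, MET:POST, PTH:/.kibana_7.14.1/_search, "
    "HDR:Host=localhost:9200, x-elastic-product-origin=kibana, "
    "HIS:[Kibana Server-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.14.1]], "
    "[TGCD users-> RULES:[ldap_auth->false] RESOLVED:[indices=.kibana_7.14.1]], }"
)

HEAD = re.compile(r"^\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[[^\]]+\] \[(?P<node>[^\]]+)\] "
                  r"(?P<decision>.+?) req=\{(?P<body>.*)\}\s*$")
FIELD = r"\b{}:(.*?), [A-Z]{{2,3}}:"  # value runs up to the next "KEY:" tag
BLOCK = re.compile(r"\[(?P<name>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\]")
AUTH_RULES = {"auth_key", "ldap_auth"}  # the two auth rules used in the posted config


def parse_acl_line(line):
    """Parse one AccessControlLoggingDecorator line into a dict, or None."""
    m = HEAD.match(line)
    if not m:
        return None
    body, _, history = m["body"].partition("HIS:")
    out = {"ts": m["ts"], "node": m["node"], "decision": m["decision"], "blocks": []}
    for key in ("USR", "ACT", "IDX", "OA", "PTH"):
        f = re.search(FIELD.format(key), body)
        out[key] = f.group(1).strip() if f else None
    for b in BLOCK.finditer(history):
        # Each rule is logged as "rule_name->true|false", comma separated.
        rules = [r.strip().rpartition("->")[::2] for r in b["rules"].split(",") if r.strip()]
        failed = next((name for name, res in rules if res == "false"), None)
        out["blocks"].append({"name": b["name"], "failed_rule": failed})
    return out


def rejected_at_authentication(parsed):
    """True when every evaluated block stopped at an authentication rule."""
    blocks = parsed["blocks"]
    return bool(blocks) and all(b["failed_rule"] in AUTH_RULES for b in blocks)
```

When `rejected_at_authentication` returns true and `USR` is `[no info about user]`, no block got past its credential check, so the place to look is the credentials the client sends rather than the `indices` or `actions` lists.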