Hey,
We have the following rules:
```yaml
readonlyrest:
  enable: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
    - actions:
        - cluster:monitor/main
      headers:
        - User-Agent:ELB-HealthChecker/2.0
      name: ELB Check
      verbosity: error
    - hosts:
        - 127.0.0.1
      name: Accept all requests from ES instances
      type: allow
      verbosity: error
    - groups:
        - admin
      name: Admin role
      type: allow
      verbosity: error
    - kibana_access: rw
      name: Allow access to Kibana
      verbosity: info
    - actions:
        - indices:data/read/*
        - indices:data/write/*
      groups:
        - dummy_readwrite
      indices:
        - event-splitter.*
      name: Read/Write dummy indice
    - actions:
        - indices:data/read/*
      groups:
        - dummy_readonly
      indices:
        - dummy.*
      name: Read dummy Index
    - actions:
        - indices:admin/*
        - indices:data/*
      groups:
        - kibana_readwrite
      indices:
        - .kibana
        - .kibana*
      name: Kibana RW Index
  users:
    - auth_key_sha256: dummy
      groups:
        - admin
      username: admin
    - auth_key_sha256: dummy
      groups:
        - dummy_readwrite
      username: td-stg-dummy
    - auth_key_sha256: dummy
      groups:
        - dummy_readonly
        - kibana_readwrite
      username: kibana
```
With these rules, any user that can reach the Elasticsearch endpoint can make requests, for example to the `_cluster/` endpoints, even if they are PUT requests.
Logs:
```
{"type": "server", "timestamp": "2020-09-18T08:27:21,785Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "elasticsearch-dummy", "node.name": "elasticsearch-dummy-1", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={ ID:723989435-2131570439#253, TYP:ClusterStateRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:monitor/state, OA:10.4.0.177/32, XFF:null, DA:10.4.59.39/32, IDX:*, MET:GET, PTH:/_cat/nodes, CNT:<N/A>, HDR:Accept-Encoding=gzip, deflate, Accept-Language=en-GB,en;q=0.9, Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9, Cache-Control=no-cache, Connection=keep-alive, Host=10.4.59.39:9200, Pragma=no-cache, Upgrade-Insecure-Requests=1, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36, content-length=0, HIS:[ELB Check-> RULES:[headers_and->false], RESOLVED:[indices=*]], [Accept all requests from ES instances-> RULES:[hosts->false], RESOLVED:[indices=*]], [Admin role-> RULES:[groups->false], RESOLVED:[indices=*]], [Allow access to Kibana-> RULES:[kibana_access->true, indices->true], RESOLVED:[indices=.kibana_task_manager,.kibana-event-log-7.9.1,.kibana_1,.kibana_task_manager_1,.kibana-event-log-7.9.1-000001,.kibana]] }\u001B[0m", "cluster.uuid": "ulfNZ1IBTdu9ILkUKlAU2g", "node.id": "TsQX-qy6Qb-M1_iL0MNFaA" }
{"type": "server", "timestamp": "2020-09-18T08:28:41,035Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "elasticsearch-dummy", "node.name": "elasticsearch-dummy-1", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={ ID:1979336414-1257419521#660, TYP:ClusterUpdateSettingsRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:admin/settings/update, OA:10.4.0.177/32, XFF:null, DA:10.4.59.39/32, IDX:<N/A>, MET:PUT, PTH:/_cluster/settings, CNT:<OMITTED, LENGTH=131.0 B> , HDR:Accept=*/*, Content-Length=131, Content-Type=application/json, Host=10.4.59.39:9200, User-Agent=curl/7.64.1, HIS:[ELB Check-> RULES:[headers_and->false]], [Accept all requests from ES instances-> RULES:[hosts->false]], [Admin role-> RULES:[groups->false]], [Allow access to Kibana-> RULES:[kibana_access->true, indices->true]] }\u001B[0m", "cluster.uuid": "ulfNZ1IBTdu9ILkUKlAU2g", "node.id": "TsQX-qy6Qb-M1_iL0MNFaA" }
{"type": "server", "timestamp": "2020-09-18T08:28:57,389Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "elasticsearch-dummy", "node.name": "elasticsearch-dummy-1", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={ ID:1235277208-144460522#743, TYP:ClusterUpdateSettingsRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:admin/settings/update, OA:10.4.0.177/32, XFF:null, DA:10.4.59.39/32, IDX:<N/A>, MET:PUT, PTH:/_cluster/settings, CNT:<OMITTED, LENGTH=128.0 B> , HDR:Accept=*/*, Content-Length=128, Content-Type=application/json, Host=10.4.59.39:9200, User-Agent=curl/7.64.1, HIS:[ELB Check-> RULES:[headers_and->false]], [Accept all requests from ES instances-> RULES:[hosts->false]], [Admin role-> RULES:[groups->false]], [Allow access to Kibana-> RULES:[kibana_access->true, indices->true]] }\u001B[0m", "cluster.uuid": "ulfNZ1IBTdu9ILkUKlAU2g", "node.id": "TsQX-qy6Qb-M1_iL0MNFaA" }
```
If we have `auth_key_sha256` in the Kibana ACL, Kibana starts to request basic auth from the users, and this is not an option.
Can someone help us? It could be an issue with our rules.
Thanks
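As an added example (not part of the original post and not ReadonlyREST's own code), a small Python checker over the `AccessControlLoggingDecorator` log format quoted above: it strips the ANSI colour codes, parses the `req={...}` fields and flags `ALLOWED` requests where the user was never resolved but the action is a cluster-admin, index-admin or write action, which is exactly the pattern in the two `PUT /_cluster/settings` lines. The sample lines are constructed and trimmed, and the `SENSITIVE_ACTIONS` globs are an assumption about which actions an unidentified caller should never reach.

```python
import json
import re
from fnmatch import fnmatch

# Constructed sample lines in the ReadonlyREST AccessControlLoggingDecorator
# format quoted in the post (most request headers omitted for brevity).
SAMPLE_LOGS = [
    '{"level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": '
    '"\\u001B[36mALLOWED by { name: \'Allow access to Kibana\', policy: ALLOW, rules: [kibana_access,indices] '
    'req={ ID:1, TYP:ClusterStateRequest, USR:[no info about user], ACT:cluster:monitor/state, '
    'OA:10.4.0.177/32, MET:GET, PTH:/_cat/nodes }\\u001B[0m"}',
    '{"level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": '
    '"\\u001B[36mALLOWED by { name: \'Allow access to Kibana\', policy: ALLOW, rules: [kibana_access,indices] '
    'req={ ID:2, TYP:ClusterUpdateSettingsRequest, USR:[no info about user], ACT:cluster:admin/settings/update, '
    'OA:10.4.0.177/32, MET:PUT, PTH:/_cluster/settings }\\u001B[0m"}',
    '{"level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": '
    '"\\u001B[36mALLOWED by { name: \'Admin role\', policy: ALLOW, rules: [groups] '
    'req={ ID:3, TYP:ClusterUpdateSettingsRequest, USR:admin, ACT:cluster:admin/settings/update, '
    'OA:127.0.0.1/32, MET:PUT, PTH:/_cluster/settings }\\u001B[0m"}',
]

# Assumption: actions an unidentified caller should never be allowed to run.
SENSITIVE_ACTIONS = ["cluster:admin/*", "indices:admin/*", "indices:data/write/*"]

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")                      # colour codes around the message
VERDICT_RE = re.compile(r"^(ALLOWED|FORBIDDEN) by \{ name: '([^']*)'")
FIELD_RE = re.compile(r"\b(ID|TYP|USR|ACT|OA|MET|PTH):([^,}]+)")  # req={...} key:value pairs


def parse_access_log(line):
    """Return verdict, matched ACL block name and selected req={...} fields of one log line."""
    msg = ANSI_RE.sub("", json.loads(line)["message"])
    verdict = VERDICT_RE.match(msg)
    if not verdict:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(msg)}
    return {"verdict": verdict.group(1), "block": verdict.group(2), **fields}


def find_anonymous_admin_actions(lines):
    """Flag ALLOWED requests whose action is sensitive but whose user was never resolved."""
    findings = []
    for line in lines:
        rec = parse_access_log(line)
        if rec is None or rec["verdict"] != "ALLOWED":
            continue
        anonymous = rec.get("USR", "").startswith("[no info")
        sensitive = any(fnmatch(rec.get("ACT", ""), p) for p in SENSITIVE_ACTIONS)
        if anonymous and sensitive:
            findings.append(rec)
    return findings
```

Run over the three constructed lines it reports only the anonymous `PUT /_cluster/settings` request allowed by the `Allow access to Kibana` block; the same request from the identified `admin` user via the `Admin role` block is not flagged.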