Kibana Access allow anonymous access to Cluster Settings/Options

Hey,

We have the following rules:

readonlyrest:
  enable: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - actions:
    - cluster:monitor/main
    headers:
    - User-Agent:ELB-HealthChecker/2.0
    name: ELB Check
    verbosity: error
  - hosts:
    - 127.0.0.1
    name: Accept all requests from ES instances
    type: allow
    verbosity: error
  - groups:
    - admin
    name: Admin role
    type: allow
    verbosity: error
  - kibana_access: rw
    name: Allow access to Kibana
    verbosity: info
  - actions:
    - indices:data/read/*
    - indices:data/write/*
    groups:
    - dummy_readwrite
    indices:
    - event-splitter.*
    name: Read/Write dummy indice
  - actions:
    - indices:data/read/*
    groups:
    - dummy_readonly
    indices:
    - dummy.*
    name: Read dummy Index
  - actions:
    - indices:admin/*
    - indices:data/*
    groups:
    - kibana_readwrite
    indices:
    - .kibana
    - .kibana*
    name: Kibana RW Index
  users:
  - auth_key_sha256: dummy
    groups:
    - admin
    username: admin
  - auth_key_sha256: dummy
    groups:
    - dummy_readwrite
    username: td-stg-dummy
  - auth_key_sha256: dummy
    groups:
    - dummy_readonly
    - kibana_readwrite
    username: kibana

With these rules, any user who can access the Elasticsearch endpoint can make requests, for example to the _cluster/ endpoints, even PUT requests.

Logs:

{"type": "server", "timestamp": "2020-09-18T08:27:21,785Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "elasticsearch-dummy", "node.name": "elasticsearch-dummy-1", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={  ID:723989435-2131570439#253,  TYP:ClusterStateRequest,  CGR:N/A,  USR:[no info about user],  BRS:true,  KDX:null,  ACT:cluster:monitor/state,  OA:10.4.0.177/32,  XFF:null,  DA:10.4.59.39/32,  IDX:*,  MET:GET,  PTH:/_cat/nodes,  CNT:<N/A>,  HDR:Accept-Encoding=gzip, deflate, Accept-Language=en-GB,en;q=0.9, Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9, Cache-Control=no-cache, Connection=keep-alive, Host=10.4.59.39:9200, Pragma=no-cache, Upgrade-Insecure-Requests=1, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36, content-length=0,  HIS:[ELB Check-> RULES:[headers_and->false], RESOLVED:[indices=*]], [Accept all requests from ES instances-> RULES:[hosts->false], RESOLVED:[indices=*]], [Admin role-> RULES:[groups->false], RESOLVED:[indices=*]], [Allow access to Kibana-> RULES:[kibana_access->true, indices->true], RESOLVED:[indices=.kibana_task_manager,.kibana-event-log-7.9.1,.kibana_1,.kibana_task_manager_1,.kibana-event-log-7.9.1-000001,.kibana]]  }\u001B[0m", "cluster.uuid": "ulfNZ1IBTdu9ILkUKlAU2g", "node.id": "TsQX-qy6Qb-M1_iL0MNFaA"  }
{"type": "server", "timestamp": "2020-09-18T08:28:41,035Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "elasticsearch-dummy", "node.name": "elasticsearch-dummy-1", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={  ID:1979336414-1257419521#660,  TYP:ClusterUpdateSettingsRequest,  CGR:N/A,  USR:[no info about user],  BRS:true,  KDX:null,  ACT:cluster:admin/settings/update,  OA:10.4.0.177/32,  XFF:null,  DA:10.4.59.39/32,  IDX:<N/A>,  MET:PUT,  PTH:/_cluster/settings,  CNT:<OMITTED, LENGTH=131.0 B> ,  HDR:Accept=*/*, Content-Length=131, Content-Type=application/json, Host=10.4.59.39:9200, User-Agent=curl/7.64.1,  HIS:[ELB Check-> RULES:[headers_and->false]], [Accept all requests from ES instances-> RULES:[hosts->false]], [Admin role-> RULES:[groups->false]], [Allow access to Kibana-> RULES:[kibana_access->true, indices->true]]  }\u001B[0m", "cluster.uuid": "ulfNZ1IBTdu9ILkUKlAU2g", "node.id": "TsQX-qy6Qb-M1_iL0MNFaA"  }
{"type": "server", "timestamp": "2020-09-18T08:28:57,389Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "elasticsearch-dummy", "node.name": "elasticsearch-dummy-1", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={  ID:1235277208-144460522#743,  TYP:ClusterUpdateSettingsRequest,  CGR:N/A,  USR:[no info about user],  BRS:true,  KDX:null,  ACT:cluster:admin/settings/update,  OA:10.4.0.177/32,  XFF:null,  DA:10.4.59.39/32,  IDX:<N/A>,  MET:PUT,  PTH:/_cluster/settings,  CNT:<OMITTED, LENGTH=128.0 B> ,  HDR:Accept=*/*, Content-Length=128, Content-Type=application/json, Host=10.4.59.39:9200, User-Agent=curl/7.64.1,  HIS:[ELB Check-> RULES:[headers_and->false]], [Accept all requests from ES instances-> RULES:[hosts->false]], [Admin role-> RULES:[groups->false]], [Allow access to Kibana-> RULES:[kibana_access->true, indices->true]]  }\u001B[0m", "cluster.uuid": "ulfNZ1IBTdu9ILkUKlAU2g", "node.id": "TsQX-qy6Qb-M1_iL0MNFaA"  }

If we have auth_key_sha256 in the Kibana ACL, Kibana starts to request basic auth from the users, and this is not an option.

Can someone help us? It could be an issue with our rules.

Thanks
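As an added example, not part of the original thread, the following Python script triages ROR access-log lines of the shape shown above and flags requests that were ALLOWED with no user identity yet performed a non-read action (the PUT /_cluster/settings case in the logs). The sample lines are constructed and shortened in the format of the log above, and the set of "read-only" action prefixes is an assumption.

```python
"""Triage ReadonlyREST access-log lines for anonymous requests that were
ALLOWED to perform something other than a read/monitor action."""
import json
import re

# Constructed sample lines in the shape of the t.b.r.a.l.AccessControlLoggingDecorator
# output quoted in the thread (fields shortened, ANSI colour codes kept).
SAMPLE_LOG = r"""
{"type": "server", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={  ID:1,  TYP:ClusterStateRequest,  USR:[no info about user],  ACT:cluster:monitor/state,  MET:GET,  PTH:/_cat/nodes,  IDX:* }\u001B[0m"}
{"type": "server", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": "\u001B[36mALLOWED by { name: 'Allow access to Kibana', policy: ALLOW, rules: [kibana_access,indices] req={  ID:2,  TYP:ClusterUpdateSettingsRequest,  USR:[no info about user],  ACT:cluster:admin/settings/update,  MET:PUT,  PTH:/_cluster/settings,  IDX:<N/A> }\u001B[0m"}
{"type": "server", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": "\u001B[36mALLOWED by { name: 'Admin role', policy: ALLOW, rules: [groups] req={  ID:3,  TYP:ClusterUpdateSettingsRequest,  USR:admin,  ACT:cluster:admin/settings/update,  MET:PUT,  PTH:/_cluster/settings,  IDX:<N/A> }\u001B[0m"}
{"type": "server", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "message": "\u001B[31mFORBIDDEN by default req={  ID:4,  TYP:ClusterUpdateSettingsRequest,  USR:[no info about user],  ACT:cluster:admin/settings/update,  MET:PUT,  PTH:/_cluster/settings,  IDX:<N/A> }\u001B[0m"}
"""

# Assumption: actions under these prefixes are treated as harmless reads.
READ_ONLY_PREFIXES = ("cluster:monitor/", "indices:monitor/", "indices:data/read/")
ANONYMOUS = "[no info about user]"  # ROR's USR value when no identity was established

def field(msg, key):
    """Extract one KEY:value field from the req={ ... } part; fields end with ',  ' or '}'."""
    m = re.search(rf"\b{key}:(.*?)(?:,  |\s*\}})", msg)
    return m.group(1).strip() if m else None

def parse_line(line):
    """Parse one JSON log line into verdict, matched rule name and request fields."""
    msg = json.loads(line)["message"]
    verdict = re.search(r"(ALLOWED|FORBIDDEN) by", msg)
    rule = re.search(r"name: '([^']*)'", msg)
    return {
        "verdict": verdict.group(1) if verdict else None,
        "rule": rule.group(1) if rule else None,
        "user": field(msg, "USR"),
        "action": field(msg, "ACT"),
        "method": field(msg, "MET"),
        "path": field(msg, "PTH"),
    }

def find_anonymous_writes(log_text):
    """Return the parsed entries where an unauthenticated request was ALLOWED a non-read action."""
    findings = []
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        read_only = (r["action"] or "").startswith(READ_ONLY_PREFIXES)
        if r["verdict"] == "ALLOWED" and r["user"] == ANONYMOUS and not read_only:
            findings.append(r)
    return findings

if __name__ == "__main__":
    for f in find_anonymous_writes(SAMPLE_LOG):
        print(f"{f['method']} {f['path']} ({f['action']}) allowed anonymously by rule '{f['rule']}'")
```

On the sample, only the anonymous PUT /_cluster/settings entry is reported; the anonymous GET /_cat/nodes is a monitor action and the authenticated admin PUT is not anonymous.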

  - kibana_access: rw
    name: Allow access to Kibana
    verbosity: info

This is wrong in two ways:

  1. Missing basic auth credentials requirement, i.e. put a rule like auth_key_sha256: "xxxx" here, and remember to use these credentials in kibana.yml (elasticsearch.username: "bar" and elasticsearch.password: "baz").

  2. The kibana_access rule is reserved for human users, not for the Kibana daemon (which instead requires full unrestricted access). So remove it.

Do you mean that:

readonlyrest:
  enable: true
  response_if_req_forbidden: <h1>Forbidden</h1>
  access_control_rules:
  - actions:
    - cluster:monitor/main
    headers:
    - User-Agent:ELB-HealthChecker/2.0
    name: ELB Check
    verbosity: error
  - hosts:
    - 127.0.0.1
    name: Accept all requests from ES instances
    type: allow
    verbosity: error
  - groups:
    - admin
    name: Admin role
    type: allow
    verbosity: error
  - kibana_access: rw
    auth_key_sha256: dummy
    name: Allow access to Kibana
    verbosity: info
  - actions:
    - indices:data/read/*
    - indices:data/write/*
    groups:
    - dummy_readwrite
    indices:
    - event-splitter.*
    name: Read/Write dummy indice
  - actions:
    - indices:data/read/*
    groups:
    - dummy_readonly
    indices:
    - dummy.*
    name: Read dummy Index
  - actions:
    - indices:admin/*
    - indices:data/*
    groups:
    - kibana_readwrite
    indices:
    - .kibana
    - .kibana*
    name: Kibana RW Index
  users:
  - auth_key_sha256: dummy
    groups:
    - admin
    username: admin
  - auth_key_sha256: dummy
    groups:
    - dummy_readwrite
    username: td-stg-dummy
  - auth_key_sha256: dummy
    groups:
    - dummy_readonly
    - kibana_readwrite
    username: kibana

With that, Kibana requests basic authentication from the clients, and we don't want that.

No, you still have that kibana_access rule in place, remove it.

And please edit kibana.yml and configure the credentials in it.

TIP: in your readonlyrest.yml, add prompt_for_basic_auth: false as a field under “readonlyrest:” to avoid the basic auth prompt in general.

Ok, I understand.

It's also worth mentioning that when prompt_for_basic_auth is set to true (that is, the default value), ROR is going to return a 401 instead of a 404 HTTP status code. It is relevant for users who don't use ROR's Kibana plugin and who would like to take advantage of Kibana's default behaviour, which shows the native browser basic auth dialog when it receives an HTTP 401 response.

But isn't true the default value for prompt_for_basic_auth?

Sorry, I mean false! Amended the comment above :slight_smile: