Hello,
We are using Kibana and ES 7.12.1 with ROR Enterprise 1.39.0. We are trying to use Kibana APIs for different actions, and we found a strange behavior.
We defined a basic auth user in ROR config and the following ACL blocks for it:
- name: "testapi Kibana"
  groups: ["testapi"]
  indices: [".kibana_testapi", "metric*"]
  kibana_access: "ro_strict"
  kibana_index: ".kibana_testapi"
- name: "testapi 0"
  groups: ["testapi"]
  indices: ["metric*"]
  actions: ["indices:data/read/*"]
We are doing basic GETs for the Kibana API, for example:
GET https://127.0.0.1:5601/api/saved_objects/index-pattern/metricbeat-*
Response:
{
  "statusCode": 404,
  "error": "Not Found",
  "message": "Saved object [index-pattern/metricbeat-*] not found"
}
Which is normal, because there is no such index pattern on the .kibana_testapi tenancy.
What is strange:
When doing a POST such as importing objects:
curl -XPOST "https://127.0.0.1:5601/api/saved_objects/_import?createNewCopies=true" --form file=@full-03-03-2020.ndjson
the result is successful, but all the objects are imported in the .kibana tenant.
Also from the log file:
[2022-08-24T09:40:06,792][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] ALLOWED by { name: 'testapi Kibana', policy: ALLOW, rules: [groups,kibana_index,kibana_access,indices] req={ ID:2046087262-440317826#18639, TYP:RRUserMetadataRequest, CGR:N/A, USR:M2M000, BRS:true, KDX:.kibana_testapi, ACT:cluster:ror/user_metadata/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=127.0.0.1:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, HIS:[Full Admin Kibana-> RULES:[groups->false]], [Full Admin Users-> RULES:[groups->false]], [Client Admin Group Kibana-> RULES:[groups->false]], [Client Admin Group 0-> RULES:[groups->false]], [testapi Kibana-> RULES:[groups->true, kibana_index->true, kibana_access->true, indices->true] RESOLVED:[user=M2M0000;group=testapi;av_groups=testapi;kibana_idx=.kibana_testapi]], [testapi 0-> RULES:[groups->true, actions->false] RESOLVED:[user=M2M0000;group=testapi;av_groups=testapi]], }
So, I conclude that this user is able to read from the correct tenant (.kibana_testapi) and is able to write to another tenant (.kibana). Do you have any suggestion for this issue?
Also, is there a way to restrict users' actions on the Kibana API from the ROR config? e.g. not being able to import dashboards, create index patterns etc.
Thanks!
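When chasing a tenancy question like the one above, the fastest evidence is the ROR access log itself: the `KDX:` field records which Kibana index ROR resolved for the request, and `HIS:` records how every ACL block evaluated. The script below is an added example (not ReadonlyREST code and not part of the original post) that parses a ROR `AccessControlLoggingDecorator` line, extracts the verdict, the matched block, the request fields and the per-block rule history, and then compares `KDX` with the `kibana_index` configured for the matched block so a mismatch stands out. The sample line is the one quoted in the post; the two ACL blocks are transcribed from the post's YAML. The fallback to `.kibana` for a block without `kibana_index` is an assumption made here, chosen because the post reports the imported objects landing in that index; the function names are mine.

```python
import re
from typing import Dict, Optional

# Access-log line copied from the post (ROR already replaced the Authorization header with <OMITTED>).
ROR_LOG_LINE = (
    "[2022-08-24T09:40:06,792][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] "
    "ALLOWED by { name: 'testapi Kibana', policy: ALLOW, rules: [groups,kibana_index,kibana_access,indices] "
    "req={ ID:2046087262-440317826#18639, TYP:RRUserMetadataRequest, CGR:N/A, USR:M2M000, BRS:true, "
    "KDX:.kibana_testapi, ACT:cluster:ror/user_metadata/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, "
    "IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, "
    "HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, "
    "Host=127.0.0.1:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, "
    "HIS:[Full Admin Kibana-> RULES:[groups->false]], [Full Admin Users-> RULES:[groups->false]], "
    "[Client Admin Group Kibana-> RULES:[groups->false]], [Client Admin Group 0-> RULES:[groups->false]], "
    "[testapi Kibana-> RULES:[groups->true, kibana_index->true, kibana_access->true, indices->true] "
    "RESOLVED:[user=M2M0000;group=testapi;av_groups=testapi;kibana_idx=.kibana_testapi]], "
    "[testapi 0-> RULES:[groups->true, actions->false] RESOLVED:[user=M2M0000;group=testapi;av_groups=testapi]], }"
)

# ACL blocks transcribed from the post's YAML.
ACL_BLOCKS = [
    {"name": "testapi Kibana", "groups": ["testapi"], "indices": [".kibana_testapi", "metric*"],
     "kibana_access": "ro_strict", "kibana_index": ".kibana_testapi"},
    {"name": "testapi 0", "groups": ["testapi"], "indices": ["metric*"], "actions": ["indices:data/read/*"]},
]
# Assumption: a block without kibana_index resolves to the default Kibana index.
DEFAULT_KIBANA_INDEX = ".kibana"

VERDICT_RE = re.compile(r"\] (ALLOWED|FORBIDDEN) by (?:\{ name: '([^']+)')?")
REQ_RE = re.compile(r"req=\{ (.*) \}\s*$")
# Two- or three-letter upper-case key, value runs until the next ", KEY:" or end of string.
FIELD_RE = re.compile(r"\b([A-Z]{2,3}):(.*?)(?=, [A-Z]{2,3}:|$)")
# One HIS entry: [Block name-> RULES:[rule->true, rule->false] ...]
HIS_RE = re.compile(r"\[([^\[\]]+?)-> RULES:\[([^\]]*)\]")


def parse_history(his: str) -> Dict[str, Dict[str, bool]]:
    """Turn the HIS:[...] section into {block_name: {rule_name: passed}}."""
    history: Dict[str, Dict[str, bool]] = {}
    for block, rules in HIS_RE.findall(his):
        outcomes: Dict[str, bool] = {}
        for rule in rules.split(", "):
            if "->" in rule:
                name, result = rule.split("->", 1)
                outcomes[name.strip()] = result.strip() == "true"
        history[block.strip()] = outcomes
    return history


def parse_ror_log(line: str) -> dict:
    """Extract verdict, matched block, request fields and rule history from one ROR access-log line."""
    verdict = VERDICT_RE.search(line)
    req = REQ_RE.search(line)
    if not verdict or not req:
        raise ValueError("not a ROR access-control log line")
    fields = {k: v.strip().rstrip(",") for k, v in FIELD_RE.findall(req.group(1))}
    return {
        "verdict": verdict.group(1),
        "block": verdict.group(2),
        "fields": fields,
        "history": parse_history(fields.get("HIS", "")),
    }


def expected_kibana_index(block_name: Optional[str]) -> Optional[str]:
    """kibana_index the ACL configures for a block, or the assumed default when the rule is absent."""
    for block in ACL_BLOCKS:
        if block["name"] == block_name:
            return block.get("kibana_index", DEFAULT_KIBANA_INDEX)
    return None


def tenant_mismatch(parsed: dict) -> bool:
    """True when ROR resolved a Kibana index (KDX) other than the one configured for the matched block."""
    expected = expected_kibana_index(parsed["block"])
    return expected is not None and parsed["fields"].get("KDX") != expected


if __name__ == "__main__":
    result = parse_ror_log(ROR_LOG_LINE)
    print(result["verdict"], "by", result["block"], "->", result["fields"]["MET"], result["fields"]["PTH"])
    print("resolved tenant:", result["fields"]["KDX"], "| mismatch:", tenant_mismatch(result))
    for block, rules in result["history"].items():
        print(f"  {block}: {rules}")
```

Run it over the full Kibana log for the POST import and look for the line whose `PTH` is the `_import` call: if its `KDX` (or the absence of a matching `kibana_index` rule in `HIS`) differs from `.kibana_testapi`, that line pins down which block ROR actually matched for the write, which is the fact needed to adjust the ACL.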