Kibana doesn't support 'allow_explicit_index' but RoR requires it. How do people deal with this?

Hello…

I have purchased ReadOnlyRest Pro and I’m just implementing/testing the security and validating the ACLs I’m configuring are working; however, there is one issue I can’t seem to get past.

In the RoR documentation on GitHub https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin#user-content-disallow-explicit-indices - it specifies that ElasticSearch must be configured with the ‘multi.allow_explicit_index’ set to false.

However… Kibana does not support Elasticsearch with this option set: https://github.com/elastic/kibana/pull/10855

Is the documentation still correct, or is there another way we can implement this?

Possible issue related to this setting

I’m not 100% sure this is related, but if I issue a query from Kibana Dev tools without an explicit index, I definitely do get records back that the user should have no access to. For example:

Above I just run a search on all indices, filtering by an index that that user shouldn’t be able to see, but as shown, all records do come back for that index. The next screenshot (*note: I had to merge the images into one because I couldn’t post 2) shows what happens when I query the index directly (i.e. it gets blocked by RoR as I would expect).

Note that there is an error in the Elasticsearch logs for the first query, so maybe these are actually two separate issues… apologies if that is the case.

The truncated stacktrace from the first query is:

    [2017-07-06T04:05:46,901][ERROR][o.e.p.r.e.a.ACLActionListener] indices_rewrite error handling response: 
    java.util.NoSuchElementException
    	at java.util.HashMap$HashIterator.nextNode(HashMap.java:1439)
    	at java.util.HashMap$KeyIterator.next(HashMap.java:1461)
    	at org.elasticsearch.plugin.readonlyrest.es.actionlisteners.IndicesRewriteSyncRuleActionListener.handleSearchResponse(IndicesRewriteSyncRuleActionListener.java:122)
    	at org.elasticsearch.plugin.readonlyrest.es.actionlisteners.IndicesRewriteSyncRuleActionListener.onResponse(IndicesRewriteSyncRuleActionListener.java:62)
    	at org.elasticsearch.plugin.readonlyrest.es.actionlisteners.IndicesRewriteSyncRuleActionListener.onResponse(IndicesRewriteSyncRuleActionListener.java:45)
    	at org.elasticsearch.plugin.readonlyrest.es.actionlisteners.RuleActionListener.onResponse(RuleActionListener.java:46)
    	at org.elasticsearch.plugin.readonlyrest.es.actionlisteners.ACLActionListener.lambda$onResponse$0(ACLActionListener.java:61)
    	at java.util.Optional.map(Optional.java:215)
    	at org.elasticsearch.plugin.readonlyrest.es.actionlisteners.ACLActionListener.onResponse(ACLActionListener.java:61)
    	...

Since this is my first query, I wasn’t sure whether the preferred option was to post on the forum or raise an issue on Github. I’m happy to raise an issue on GitHub if that is required (and I can work out whether it is actually an issue or not).

Thanks for your time…

Hi Chris, thanks for reporting this. Could you please share your settings? And also the ES & ROR versions

Hi Simone, thanks for the reply.

Versions at the moment are:

  • Elasticsearch: 5.4.0
  • RoR: readonlyrest-1.16.4_es5.4.0.jar
  • Kibana: 5:4.0
  • Kibana RoR: 0.1.4 (from package.json in the module directory)

The configuration of the user in the screenshots above looks like this:

    - name: "tennant_ro"
      auth_key_sha256: "...key here obviously..."

      indices: [".kibana", ".kibana-devnull", ".kibana-tennant", "class_tennant_*"]
      indices_rewrite: ["^\\.kibana$", ".kibana-tennant"]

      actions: ["indices:data/read/*", "indices:admin/mappings/fields/get", "indices:admin/mappings/fields/get*", "cluster:monitor/nodes/info"]

      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:management", "kibana:discover", "kibana:visualize"]
      kibana_access: ro

Hey @chris_jones32, I see what you are trying to do here. Unfortunately you can’t do that yet; the rewrite rule is not effective enough to support multi-tenancy in Kibana right now.

At the moment, to support multi-tenancy Kibana, you’d need a Kibana instance for each user.

An actual solution for supporting multi-tenancy (own indices, own dashboards), as opposed to multi-user (own indices, shared dashboards) is in the works on the Kibana plugin level at the moment.

Hi Simone,

Thanks for the reply. I have removed the indices_rewrite rule and can see that it is working as expected now. It must have just been the rewrite rule failing and then letting the query through…

Just to clarify: is the documentation on the 'multi.allow_explicit_index' needing to be set to false no longer required?

You are right, it should be no longer required. Especially since we introduced the sub-requests scanning (i.e. we go through each and every request in multisearch, multiget, bulk requests) 3 months ago.
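
The sub-request scanning mentioned in the last reply, sketched as an added example (not ReadonlyREST's own code, and not part of any post in this thread): each header line of an `_msearch` body is checked against the `indices` list from the rule posted above. The function names, the constructed sample body, the made-up index `class_other_2017`, and the choice to treat a sub-request with no index as `_all` and deny it are assumptions of this sketch.

```python
import json
from fnmatch import fnmatchcase

# Allow-list copied from the "indices" rule posted in this thread.
ALLOWED = [".kibana", ".kibana-devnull", ".kibana-tennant", "class_tennant_*"]

def header_indices(header, url_index=None):
    """Indices one sub-request targets: header "index", else the URL index, else all."""
    raw = header.get("index", url_index)
    if not raw:
        return ["_all"]  # no index anywhere: the search spans every index
    if isinstance(raw, str):
        raw = raw.split(",")  # "a,b" form
    return [name.strip() for name in raw]

def scan_msearch(body, allowed=ALLOWED, url_index=None):
    """Return one (indices, permitted) tuple per sub-request in an NDJSON body."""
    lines = body.rstrip("\n").split("\n")
    if len(lines) % 2:
        raise ValueError("msearch body must be header/query line pairs")
    verdicts = []
    for header_line in lines[0::2]:  # even lines are headers, odd lines are queries
        # A blank header line is treated as an empty header in this sketch.
        header = json.loads(header_line) if header_line.strip() else {}
        indices = header_indices(header, url_index)
        ok = all(any(fnmatchcase(i, pat) for pat in allowed) for i in indices)
        verdicts.append((indices, ok))
    return verdicts

def request_permitted(body, allowed=ALLOWED, url_index=None):
    """The whole request passes only if every sub-request passes."""
    return all(ok for _, ok in scan_msearch(body, allowed, url_index))

# Constructed sample body: one allowed target, one mixed, one with no index at all.
SAMPLE = "\n".join([
    '{"index": "class_tennant_2017"}',
    '{"query": {"match_all": {}}}',
    '{"index": ["class_tennant_a", "class_other_2017"]}',
    '{"query": {"match_all": {}}}',
    '{}',
    '{"query": {"match_all": {}}}',
]) + "\n"

if __name__ == "__main__":
    for indices, ok in scan_msearch(SAMPLE):
        print("ALLOW" if ok else "DENY ", indices)
```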