driveirk
(Ilya)
November 21, 2023, 12:58pm
1
Support request
ROR Version : 1.43.0_es7.15.1 enterprise, Enterprise 1.49.1_es7.15.1
Kibana Version : 7.15.1
Elasticsearch Version : 7.15.1
Steps to reproduce the issue
Open the web version of the messenger in your default browser. For example:
https://app.ringcentral.com/
Send a message with a short link to kibana
Click on the link: you will be logged out of Kibana, and following the link you will be taken to the authorization window.
If the link is copied and pasted, the error does not reproduce.
Very similar to the problem with Adblock, maybe related.
Actual Result :
I must still be logged into Kibana as an authorized user, since I logged in to the system earlier.
I can’t create a ticket in the Enterprise Support category, I see the error:
An error occurred: You are not permitted to view the requested resource.
{"customer_id": "6c4a385b-2ae8-4f02-a9cd-ef24addfb5b3", "subscription_id": "32d4073f-dc2f-4056-a868-842727c637cd"}
sscarduzio
(Simone Scarduzio)
November 22, 2023, 2:38pm
3
Thank you @driveirk for reporting. We’ll try to reproduce this.
I have flagged your user as Enterprise in the forum, so we give you the right priority.
driveirk
(Ilya)
November 27, 2023, 11:13am
4
Were you able to reproduce the error or did you encounter any difficulties? Maybe I can help?
sscarduzio
(Simone Scarduzio)
November 27, 2023, 11:50am
5
Hi @driveirk ,
We are a bit busy with support, sorry for the wait. In the meantime, can you tell us how users get authenticated in ROR in your environment? Some ACL and kibana.yml are appreciated.
It would be useful if you could simplify the test case as follows:
- does it work ok if the link is sent via email?
- does it work ok clicking on an < a href=“http://…shortlink…”> HTML tag in a random dummy test.html local page?
- does the issue ONLY involve short links? Is all fine with non-shortened links?
driveirk
(Ilya)
November 27, 2023, 1:57pm
6
> does it work ok if the link is sent via email?

The problem is reproducible. Use ya.ru and https://outlook.office.com/

> does it work ok clicking on an < a href=“http://…shortlink…”> HTML tag in a random dummy test.html local page?

It was not possible to reproduce it locally; I installed Nginx on the server and added the HTML file there, and there it was reproduced.

> does the issue ONLY involve short links? Is all fine with non-shortened links?

With any links.

ROR

```yaml
readonlyrest:
  audit_collector: true
  audit_serializer: tech.beshu.ror.requestcontext.QueryAuditLogSerializer
  audit_index_template: "'.kcs-readonlyrest-audit-xcs'-yyyy-MM-DD"
  prompt_for_basic_auth: false
  response_if_req_forbidden: Wrong password or try clearing your browser cache
  access_control_rules:
    - name: "Allow unrestricted access to Admin users"
      type: allow
      ldap_authentication:
        name: "ldap-name"
      ldap_authorization:
        name: "ldap-name"
        groups: ["admin-group"]
      kibana_access: unrestricted
```
sscarduzio
(Simone Scarduzio)
November 27, 2023, 2:41pm
7
Thanks! What about kibana.yml? And are you using a reverse proxy?
Other question: does it happen with incognito mode? Or with another browser? What browser is this?
driveirk
(Ilya)
November 27, 2023, 3:08pm
8
> What about kibana.yml?

```yaml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
server.publicBaseUrl: "http://url"
logging.verbose: false
migrations.enableV2: false
monitoring.enabled: false
console.enabled: true
elasticsearch.username: user
elasticsearch.password: pass
xpack.apm.ui.enabled: true
xpack.spaces.enabled: true
xpack.infra.enabled: true
xpack.security.enabled: false
xpack.ml.enabled: false
xpack.canvas.enabled: false
xpack.apm.enabled: true
xpack.uptime.enabled: false
xpack.graph.enabled: false
xpack.grokdebugger.enabled: true
xpack.reporting.encryptionKey: "kibana key"
xpack.task_manager.max_workers: 60
xpack.task_manager.poll_interval: 1000
logging:
  appenders:
    rolling-file:
      type: rolling-file
      fileName: /var/log/kibana/kibana.log
      policy:
        type: time-interval
        interval: 24h
        modulate: true
      strategy:
        type: numeric
        pattern: '-%i'
        max: 7
      layout:
        type: json
  loggers:
    - name: root
      appenders: [rolling-file]
      level: debug
apm_oss.indexPattern: "*:*-apm-*"
apm_oss.errorIndices: "*:*-apm-*"
apm_oss.onboardingIndices: "*:*-apm-*"
apm_oss.spanIndices: "*:*-apm-*"
apm_oss.transactionIndices: "*:*-apm-*"
apm_oss.metricsIndices: "*:*-apm-*"
apm_oss.sourcemapIndices: "*:*-apm-*"
readonlyrest_kbn.clearSessionOnEvents: ["login"]
readonlyrest_kbn.kibana_custom_css_inject: "[data-test-subj*=spacesNavSelector] { display: none !important } [data-test-subj*=homeLink] { display: none !important } [data-test-subj*=discover-addRuntimeField-popove] { display: none !important } [data-test-subj*=discoverOptionsButton] { display: none !important }"
# Selectors below had unclosed "[" brackets and no statement separators; fixed so jQuery does not throw a selector syntax error.
readonlyrest_kbn.kibana_custom_js_inject: "$('[data-test-subj*=spacesNavSelector]').remove(); $('[data-test-subj*=homeLink]').remove(); $('[data-test-subj=discover-addRuntimeField-popover]').remove(); $('[data-test-subj*=discoverOptionsButton]').remove()"
elasticsearch.requestHeadersWhitelist: ["authorization", "x-forwarded-for", "x-passed-nginx"]
readonlyrest_kbn.cookiePass: "pass"
readonlyrest_kbn.cookieName: "rorCookie"
readonlyrest_kbn.store_sessions_in_index: true
readonlyrest_kbn.sessions_index_name: ".readonlyrest_kibana_tribe_sessions"
readonlyrest_kbn.sessions_refresh_after: 100
readonlyrest_kbn.whitelistedPaths: [".*/api/status$"]
readonlyrest_kbn.sessions_probe_interval_seconds: 600
readonlyrest_kbn.login_html_head_inject: "<style> body { background: #eee !important;}.ror-logo { visibility: hidden;}.login > h1 { margin: 0 auto; background: url('https://psp.int.com/img/logo.png') no-repeat; background-position: center center; background-size: auto;}.ror-logolink { display: none !important;}#form-username, #form-password { background: none white !important; outline: 0; padding: 10px; color: #777; text-shadow: none !important; border: 1px solid #aaa !important; border-radius: 2px !important;}#form-username:focus, #form-password:focus { background: none white !important; color: #777 !important;}.loginButton { color:#fff !important; text-decoration:none; font-size:16px; width:100%; padding:10px 15px; background: #1890ff !important; border:solid 1px #1890ff !important; border-radius: 2px !important; -webkit-border-radius: 2px; -moz-border-radius: 2px}.loginButton:hover{ color:#666; border-color:#40a9ff !important; background: #40a9ff !important; border-radius:2px; -webkit-border-radius:2px; -moz-border-radius:2px}.ror-footer { background: #eee!important; color: #444 !important;}.ror-footer > div > p { visibility: hidden !important; position: relative;}.ror-footer > div > p:after { content: '© 2022'; visibility: visible; display: block; position:absolute; top: 0; left: 0; width: 100%; margin: 0 auto;} .message {color: #f7981d;}</style>"
```

> And are you using a reverse proxy?

Usually yes, but where it is not used the problem is also reproduced.

> Other question: does it happen with incognito mode?

Reproduced.

> Or with another browser? What browser is this?

The issue is reproducible on Safari, Firefox and Chrome. The problem is also reproduced on other computers. Our users reported the problem.
driveirk
(Ilya)
November 27, 2023, 4:26pm
9
I see you have already tried to solve the problem, successfully? Did the pre-release from here really help?

> @Dzuming your reasoning makes sense to me. Let’s try if sameSite: 'lax' fixes the issue at hand, and later we can make it configurable.
sscarduzio
(Simone Scarduzio)
November 27, 2023, 5:44pm
10
Yes, I recall that in that particular support case, setting sameSite: lax in ROR cookies was making the difference. We could reproduce.
@Dzuming do you need any extra info for this case ?
Dzuming
(Dawid Poliszak)
November 28, 2023, 6:11pm
11
Yes, we introduced a fix for this issue in the ROR 1.51.0 version. As @sscarduzio said, sameSite: lax set during cookie creation fixed the problem. Based on the first message you use 1.43.0 and 1.49.1, so upgrading ROR will fix the issue.
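The behaviour discussed in this thread, as an added example that is not ReadonlyREST or Kibana code: a small model of the SameSite rules a browser applies when deciding whether to attach a cookie to a request. It reproduces the reported symptom (session cookie missing when the Kibana link is clicked from app.ringcentral.com, present when the URL is pasted into the address bar) and the effect of the SameSite=Lax fix. The Kibana hostname and cookie value are constructed; treating the pre-fix cookie as SameSite=Strict is an assumption, since the thread only says Lax fixed it.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs } (attribute keys lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// "Site" for SameSite purposes is the registrable domain; simplified here to the last two labels.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// ctx: { initiator: hostname of the page that started the request (null for a typed or
//        pasted URL), target: hostname requested, topLevel: navigation vs XHR/subresource,
//        method: HTTP method }
function cookieSent(cookie, ctx) {
  const mode = String(cookie.attrs.samesite || 'Lax').toLowerCase(); // browsers default to Lax
  const sameSite = ctx.initiator === null || siteOf(ctx.initiator) === siteOf(ctx.target);
  if (sameSite) return true;
  if (mode === 'none') return Boolean(cookie.attrs.secure); // None is only honoured with Secure
  if (mode === 'lax') return ctx.topLevel && (ctx.method === 'GET' || ctx.method === 'HEAD');
  return false; // Strict: never attached to a cross-site request
}

// The two ways of opening the Kibana link described in the thread.
const KIBANA = 'kibana.example.com'; // constructed stand-in for the reporter's Kibana host
const clickFromMessenger = { initiator: 'app.ringcentral.com', target: KIBANA, topLevel: true, method: 'GET' };
const pasteIntoAddressBar = { initiator: null, target: KIBANA, topLevel: true, method: 'GET' };

// Cookie name "rorCookie" comes from the reporter's kibana.yml; the value is constructed.
function sessionCookiePresent(sameSiteValue, ctx) {
  const header = `rorCookie=s3ss10n; Path=/; HttpOnly; SameSite=${sameSiteValue}`;
  return cookieSent(parseSetCookie(header), ctx);
}

console.log('Strict, click from messenger:', sessionCookiePresent('Strict', clickFromMessenger)); // false: login page shown
console.log('Strict, pasted URL:', sessionCookiePresent('Strict', pasteIntoAddressBar)); // true
console.log('Lax, click from messenger:', sessionCookiePresent('Lax', clickFromMessenger)); // true: the 1.51.0 fix
```

Without the cookie Kibana has no session to resume, so the request lands on the ROR login page, which matches the "logged out" report; once the cookie is Lax the cross-site top-level GET carries it and the session survives.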