Multi-tenancy w/ external group provider


(Joe Chop) #1

I tried a config like this:

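readonlyrest:
  enable: true
  # No basic-auth prompt: browsers never authenticate to ES directly here,
  # the reverse proxy supplies the identity via X-Forwarded-User (see proxy1).
  prompt_for_basic_auth: false

  audit_collector: true

  access_control_rules:

    # MACHINES ##################
    # NOTE(review): machine credentials are stored in clear text. ReadonlyREST
    # also accepts a hashed form (auth_key_sha256), which keeps the plaintext
    # out of the config file and its backups.
    - name: "::Kafka::"
      auth_key: kafka:kafka123
      # NOTE(review): no `indices` / `actions` scope, so this principal can do
      # anything in the cluster. Scope it the way the LOGSTASH block is scoped
      # unless full access is really intended.

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error

    # GROUPS ####################
    # All three tenant blocks accept any identity (`users: ["*"]`) taken from
    # the X-Forwarded-User header. That is only safe when Elasticsearch is
    # reachable solely through the reverse proxy that sets the header; a client
    # that can reach ES directly, or inject the header upstream of the proxy,
    # chooses its own user. Authorization then comes from GroupsService.
    - name: "::PERSONAL_GRP::"
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      # Per-user tenant index. The forum's e-mail obfuscation mangled this
      # value in the original post ("[email protected]{user}"); the
      # documented ReadonlyREST form is ".kibana_@{user}" — presumably what
      # was meant, confirm against the running config.
      kibana_index: ".kibana_@{user}"
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      groups_provider_authorization:
        user_groups_provider: "GroupsService"
        groups: ["Personal"]

    - name: "::Infosec::"
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_infosec"
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      groups_provider_authorization:
        user_groups_provider: "GroupsService"
        groups: ["Infosec"]

    - name: "::Finance::"
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_finance"
      proxy_auth:
        proxy_auth_config: "proxy1"
        users: ["*"]
      groups_provider_authorization:
        user_groups_provider: "GroupsService"
        groups: ["Finance"]

  # Identity is read verbatim from this header; it must be set (and any
  # client-supplied value overwritten) by the trusted reverse proxy only.
  proxy_auth_configs:
    - name: "proxy1"
      user_id_header: "X-Forwarded-User"

  # USERS TO GROUPS ############
  user_groups_providers:
    - name: "GroupsService"
      # Plain HTTP to loopback: the auth token travels in clear text on this
      # hop, so keep the service bound to 127.0.0.1 (or move it to https).
      groups_endpoint: "http://127.0.0.1:3001"
      # NOTE(review): only the token *name* appears in this excerpt. If the
      # value was merely left out of the post, fine; if it is really unset,
      # the groups endpoint is being queried unauthenticated.
      auth_token_name: "token"
      # HEADER or QUERY_PARAM. QUERY_PARAM puts the token in the URL, where it
      # lands in the groups service's access logs and those of any proxy in
      # between; HEADER is the safer choice if the service supports it.
      auth_token_passed_as: QUERY_PARAM
      response_groups_json_path: "$..groups[?(@.name)].name"   # see: https://github.com/json-path/JsonPath
      # Group membership (and therefore tenant access) is cached for 60 s, so a
      # revoked group stays effective for up to that long.
      cache_ttl_in_sec: 60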

And in kibana.yml:
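# Straight ASCII quotes: the curly “ ” in the original post would become part of
# the header name, so the whitelist entry would never match X-Forwarded-User.
elasticsearch.requestHeadersWhitelist: [ authorization, "X-Forwarded-User", "X-Forwarded-For"]
# NOTE(review): with passthrough on, Kibana forwards X-Forwarded-User to ES,
# where the `users: ["*"]` proxy_auth rules accept whatever it says. The
# reverse proxy in front of Kibana must always overwrite this header rather
# than pass a client-supplied one through, or a browser user picks their own
# identity.
readonlyrest_kbn.proxy_auth_passthrough: true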

I set X-Forwarded-User to a user who belongs to multiple groups. When the login screen is bypassed, that user does not see the tenant (group) drop-down list I expected.