Multi-tenancy with group selector and JWT


(Peter Skarmyr) #1

Is it possible to get the group selector (multi-tenancy) dropdown in Kibana when using JWT?

As a proof of concept I want to achieve the following:

Have two tenancies in Kibana, let’s call them “Team A” and “Team B”.

Users have roles in the JWT header and these are read by ROR by specifying a JSON path for the roles_claim attribute.

Let’s say we have 6 possible roles:

  • kibana_team_a_admin
  • kibana_team_a_rw
  • kibana_team_a_ro
  • kibana_team_b_admin
  • kibana_team_b_rw
  • kibana_team_b_ro

Users with the role “kibana_team_a_admin” should have admin access to the “Team A” tenancy.
Users with the role “kibana_team_b_ro” should have ro access to the “Team B” tenancy.
And so on.

If User1 has both the role “kibana_team_a_admin” and “kibana_team_b_ro”, this user should have admin access to the “Team A” tenancy and ro access to the “Team B” tenancy. The user should be able to choose this by using the dropdown in Kibana. My question is whether this is possible with ROR Enterprise using JWT? And if so, where can I find the documentation for how to do this? I can’t seem to find how to do this in the documentation, so if someone could point me in the right direction that would be great.

Thanks.

If it helps, here is my current config without multitenancy:

readonlyrest:

    access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error

    - name: adminuser
      kibana_access: admin
      jwt_auth:
        name: "webseal"
        roles: ["kibana_admin"]

    - name: readwrite
      kibana_access: rw
      jwt_auth:
        name: "webseal"
        roles: ["kibana_user"]

    - name: readonly
      kibana_access: ro
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
      jwt_auth:
        name: "webseal"
        roles: ["kibana_readonly"]

    jwt:
    - name: webseal
      signature_algo: RSA
      signature_key: ***********************
      user_claim: sub
      roles_claim: groups
      header_name: jwt

Edit: Can we use Kibana Spaces and control the access to these, or do we need to use the ROR dropdown?
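As an added illustration of the role-to-tenancy scheme described in this post (example code, not from ReadonlyREST or the poster): it resolves the roles_claim path in a JWT claim set, derives each tenancy's strongest access level from role names of the form kibana_<tenancy>_<access>, and renders the matching ACL blocks in the shape of the config above. The claim set, the regex for the naming scheme and the block layout are assumptions; signature verification is left to ROR's jwt settings and must happen before any claim is trusted. Whether ROR's tenancy selector honours such blocks with JWT roles is exactly what this thread asks.

```python
import re
from typing import Any, Dict, List

# Naming scheme from the post: kibana_<tenancy>_<access>, e.g. kibana_team_a_admin.
ROLE_RE = re.compile(r"^kibana_(?P<tenancy>team_[a-z0-9]+)_(?P<access>admin|rw|ro)$")
# When a user holds several roles for one tenancy, the strongest one wins.
ACCESS_RANK = {"ro": 0, "rw": 1, "admin": 2}
# Apps hidden from read-only users, taken from the poster's existing config.
RO_HIDDEN_APPS = ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

# Constructed claim set standing in for the payload of an already verified JWT.
# Signature checking is ROR's job (signature_algo/signature_key); never map
# roles from a token whose signature has not been verified.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "user1",
    "groups": ["kibana_team_a_admin", "kibana_team_b_ro", "kibana_team_b_rw", "unrelated_app_role"],
}


def resolve_claim(claims: Dict[str, Any], path: str) -> List[str]:
    """Follow a dotted roles_claim path such as 'groups' or 'realm_access.roles'."""
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    if isinstance(node, str):  # a single role may arrive as a bare string
        return [node]
    if isinstance(node, list):
        return [r for r in node if isinstance(r, str)]
    return []


def tenancy_access(roles: List[str]) -> Dict[str, str]:
    """Map role names to {tenancy: highest access level}; unrelated roles are ignored."""
    result: Dict[str, str] = {}
    for role in roles:
        m = ROLE_RE.match(role)
        if not m:
            continue
        tenancy, access = m.group("tenancy"), m.group("access")
        if tenancy not in result or ACCESS_RANK[access] > ACCESS_RANK[result[tenancy]]:
            result[tenancy] = access
    return result


def render_blocks(tenancies: List[str], jwt_name: str = "webseal") -> str:
    """Render one ACL block per (tenancy, access) in the shape used in the thread."""
    lines: List[str] = []
    for tenancy in tenancies:
        for access in ("admin", "rw", "ro"):
            lines += [
                f"    - name: {tenancy}_{access}",
                f"      kibana_access: {access}",
                f"      kibana_index: .kibana_{tenancy}",
            ]
            if access == "ro":
                apps = ", ".join(f'"{a}"' for a in RO_HIDDEN_APPS)
                lines.append(f"      kibana_hide_apps: [{apps}]")
            lines += [
                "      jwt_auth:",
                f'        name: "{jwt_name}"',
                f'        roles: ["kibana_{tenancy}_{access}"]',
                "",
            ]
    return "\n".join(lines)


if __name__ == "__main__":
    roles = resolve_claim(SAMPLE_CLAIMS, "groups")
    print("tenancy access for", SAMPLE_CLAIMS["sub"], "->", tenancy_access(roles))
    print(render_blocks(["team_a", "team_b"]))
```

Running it prints `{'team_a': 'admin', 'team_b': 'rw'}` for the constructed user (the rw role outranks the ro role for Team B) followed by six blocks, one per role in the list above.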


(Peter Skarmyr) #2

I now tried a few different approaches, but no luck so far.

One approach I tried was just adding kibana_index to the blocks, but then I get stuck in an infinite redirect loop when loading Kibana.
The config:

readonlyrest:

    access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error

    - name: adminuser
      kibana_access: admin
      kibana_index: .kibana_teama
      indices: [ ".kibana_teama"]
      jwt_auth:
        name: "webseal"
        roles: ["kibana_admin"]

    - name: readwrite
      kibana_access: admin
      kibana_index: .kibana_teamb
      indices: [ ".kibana_teamb"]
      jwt_auth:
        name: "webseal"
        roles: ["kibana_user"]

    jwt:
    - name: webseal
      signature_algo: RSA
      signature_key: "****************"
      user_claim: sub
      roles_claim: groups
      header_name: jwt

Log lines that are repeated over and over again when trying to use Kibana:

[2019-02-08T12:24:52,360][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ALLOWED by { name: 'adminuser', policy: ALLOW, rules: [kibana_access, kibana_index, indices, jwt_auth]} req={ ID:891669212-1216594734#26999, TYP:GetRequest, CGR:N/A, USR:G019496, BRS:false, KDX:.kibana_teama, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana_teama, MET:GET, PTH:/.kibana_teama/doc/space%3Adefault, CNT:<N/A>, HDR:{Connection=keep-alive, Host=localhost:9200, Content-Length=0, jwt=eyJraWQiOiJkTmZscXUtU2pyLUgzbVZsU0IwSHIwSHFTQ3dhSFN0cHRxd2RyYTdqRk8wIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJHMDE5NDk2IiwiaXNzIjoiaHR0cHM6Ly93d3cuZ2plbnNpZGlnZS5ubyIsImF1ZCI6InVybjpsaWJlcnR5IiwiaWF0IjoxNTQ5NjI1MjU5LCJleHAiOjE1NDk2Mjg4NTksInNlc3MiOiI5ZDlkMWJhNC0yYjdiLTExZTktYTkyYy0wMDUwNTY4MjZlZDgiLCJncm91cHMiOlsia2liYW5hX3VzZXIiLCJraWJhbmFfYWRtaW4iXX0.OgXr0ba6PksZa1J1akISfR3x2QjJisYQ13s-JeQT2hxcZo7grl-U3oHqDQ_UzGRsdr6Fn2pXbS6J48EN1FAzKRfjuSmF1q0A_u2Pt2dDNimtfbgs92xbccR6AwrcCLjHwHBx6P-Xlfa7EhYTBafCMLVCKHDH9H77S6UUMMV2Vp3VKfwzNEC0R0WRIJACw4lXel4t_eHj7GjNnOYyD_lHXunCBiaNdeEAA93TPeBvQhP8KXZWKhqQxy68c6mso_RMjeVkqe2X63n159hue9aVrVECkcZRXpQ1OQwMgHIC1aKu8te3kt2OQS2wHvmeq8UQDWLy8iqJRSYoWmb8AEnduDDOwyTaXDlr_HxslA0P_2iDn2ABxrKjXiq93WehtaGmiVseehhl1onyuhqzwJjRpXCC3uXav_3exaj6XTWu7naTEFEqqyG8euKmbyBYRZaeIn7et5Uf45qhcUpi96hCppmYbsbWGUt0AlzC0v0okUWqJtlOgA3do1aiQDcDmkP64yFDnUM5bHpzdWrQ1ko5EVekyrqERAUlKfwo4_Hx4bmUjWV4QEWc2WXDVC5z9olNjwTRU31ij72uzQEnQ87eWGFIi7tQiVBf2ThzFNfS1HWfzz5y6sjcRNr3E4K1kIQNVg941QXpDf5YJo7bAwPKr4ryoIyUBjkC992PN1wJQU0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [adminuser->[kibana_access->true, indices->true, jwt_auth->true, kibana_index->true]] }
[2019-02-08T12:24:52,388][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ALLOWED by { name: 'adminuser', policy: ALLOW, rules: [kibana_access, kibana_index, indices, jwt_auth]} req={ ID:1718188808--350773647#27001, TYP:SearchRequest, CGR:N/A, USR:G019496, BRS:false, KDX:.kibana_teama, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana_teama, MET:POST, PTH:/.kibana_teama/_search?size=1000&from=0, CNT:<OMITTED, LENGTH=245>, HDR:{Connection=keep-alive, content-type=application/json, Host=localhost:9200, Content-Length=245, jwt=eyJraWQiOiJkTmZscXUtU2pyLUgzbVZsU0IwSHIwSHFTQ3dhSFN0cHRxd2RyYTdqRk8wIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJHMDE5NDk2IiwiaXNzIjoiaHR0cHM6Ly93d3cuZ2plbnNpZGlnZS5ubyIsImF1ZCI6InVybjpsaWJlcnR5IiwiaWF0IjoxNTQ5NjI1MjU5LCJleHAiOjE1NDk2Mjg4NTksInNlc3MiOiI5ZDlkMWJhNC0yYjdiLTExZTktYTkyYy0wMDUwNTY4MjZlZDgiLCJncm91cHMiOlsia2liYW5hX3VzZXIiLCJraWJhbmFfYWRtaW4iXX0.OgXr0ba6PksZa1J1akISfR3x2QjJisYQ13s-JeQT2hxcZo7grl-U3oHqDQ_UzGRsdr6Fn2pXbS6J48EN1FAzKRfjuSmF1q0A_u2Pt2dDNimtfbgs92xbccR6AwrcCLjHwHBx6P-Xlfa7EhYTBafCMLVCKHDH9H77S6UUMMV2Vp3VKfwzNEC0R0WRIJACw4lXel4t_eHj7GjNnOYyD_lHXunCBiaNdeEAA93TPeBvQhP8KXZWKhqQxy68c6mso_RMjeVkqe2X63n159hue9aVrVECkcZRXpQ1OQwMgHIC1aKu8te3kt2OQS2wHvmeq8UQDWLy8iqJRSYoWmb8AEnduDDOwyTaXDlr_HxslA0P_2iDn2ABxrKjXiq93WehtaGmiVseehhl1onyuhqzwJjRpXCC3uXav_3exaj6XTWu7naTEFEqqyG8euKmbyBYRZaeIn7et5Uf45qhcUpi96hCppmYbsbWGUt0AlzC0v0okUWqJtlOgA3do1aiQDcDmkP64yFDnUM5bHpzdWrQ1ko5EVekyrqERAUlKfwo4_Hx4bmUjWV4QEWc2WXDVC5z9olNjwTRU31ij72uzQEnQ87eWGFIi7tQiVBf2ThzFNfS1HWfzz5y6sjcRNr3E4K1kIQNVg941QXpDf5YJo7bAwPKr4ryoIyUBjkC992PN1wJQU0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [adminuser->[kibana_access->true, indices->true, jwt_auth->true, kibana_index->true]] }
[2019-02-08T12:24:52,429][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ALLOWED by { name: 'adminuser', policy: ALLOW, rules: [kibana_access, kibana_index, indices, jwt_auth]} req={ ID:23137856-436819866#27003, TYP:GetRequest, CGR:N/A, USR:G019496, BRS:false, KDX:.kibana_teama, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana_teama, MET:GET, PTH:/.kibana_teama/doc/space%3Adefault, CNT:<N/A>, HDR:{Connection=keep-alive, Host=localhost:9200, Content-Length=0, jwt=eyJraWQiOiJkTmZscXUtU2pyLUgzbVZsU0IwSHIwSHFTQ3dhSFN0cHRxd2RyYTdqRk8wIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJHMDE5NDk2IiwiaXNzIjoiaHR0cHM6Ly93d3cuZ2plbnNpZGlnZS5ubyIsImF1ZCI6InVybjpsaWJlcnR5IiwiaWF0IjoxNTQ5NjI1MjU5LCJleHAiOjE1NDk2Mjg4NTksInNlc3MiOiI5ZDlkMWJhNC0yYjdiLTExZTktYTkyYy0wMDUwNTY4MjZlZDgiLCJncm91cHMiOlsia2liYW5hX3VzZXIiLCJraWJhbmFfYWRtaW4iXX0.OgXr0ba6PksZa1J1akISfR3x2QjJisYQ13s-JeQT2hxcZo7grl-U3oHqDQ_UzGRsdr6Fn2pXbS6J48EN1FAzKRfjuSmF1q0A_u2Pt2dDNimtfbgs92xbccR6AwrcCLjHwHBx6P-Xlfa7EhYTBafCMLVCKHDH9H77S6UUMMV2Vp3VKfwzNEC0R0WRIJACw4lXel4t_eHj7GjNnOYyD_lHXunCBiaNdeEAA93TPeBvQhP8KXZWKhqQxy68c6mso_RMjeVkqe2X63n159hue9aVrVECkcZRXpQ1OQwMgHIC1aKu8te3kt2OQS2wHvmeq8UQDWLy8iqJRSYoWmb8AEnduDDOwyTaXDlr_HxslA0P_2iDn2ABxrKjXiq93WehtaGmiVseehhl1onyuhqzwJjRpXCC3uXav_3exaj6XTWu7naTEFEqqyG8euKmbyBYRZaeIn7et5Uf45qhcUpi96hCppmYbsbWGUt0AlzC0v0okUWqJtlOgA3do1aiQDcDmkP64yFDnUM5bHpzdWrQ1ko5EVekyrqERAUlKfwo4_Hx4bmUjWV4QEWc2WXDVC5z9olNjwTRU31ij72uzQEnQ87eWGFIi7tQiVBf2ThzFNfS1HWfzz5y6sjcRNr3E4K1kIQNVg941QXpDf5YJo7bAwPKr4ryoIyUBjkC992PN1wJQU0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [adminuser->[kibana_access->true, indices->true, jwt_auth->true, kibana_index->true]] }
[2019-02-08T12:24:52,464][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ALLOWED by { name: 'adminuser', policy: ALLOW, rules: [kibana_access, kibana_index, indices, jwt_auth]} req={ ID:1279622470--350773647#27005, TYP:SearchRequest, CGR:N/A, USR:G019496, BRS:false, KDX:.kibana_teama, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana_teama, MET:POST, PTH:/.kibana_teama/_search?size=1000&from=0, CNT:<OMITTED, LENGTH=245>, HDR:{Connection=keep-alive, content-type=application/json, Host=localhost:9200, Content-Length=245, jwt=eyJraWQiOiJkTmZscXUtU2pyLUgzbVZsU0IwSHIwSHFTQ3dhSFN0cHRxd2RyYTdqRk8wIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJHMDE5NDk2IiwiaXNzIjoiaHR0cHM6Ly93d3cuZ2plbnNpZGlnZS5ubyIsImF1ZCI6InVybjpsaWJlcnR5IiwiaWF0IjoxNTQ5NjI1MjU5LCJleHAiOjE1NDk2Mjg4NTksInNlc3MiOiI5ZDlkMWJhNC0yYjdiLTExZTktYTkyYy0wMDUwNTY4MjZlZDgiLCJncm91cHMiOlsia2liYW5hX3VzZXIiLCJraWJhbmFfYWRtaW4iXX0.OgXr0ba6PksZa1J1akISfR3x2QjJisYQ13s-JeQT2hxcZo7grl-U3oHqDQ_UzGRsdr6Fn2pXbS6J48EN1FAzKRfjuSmF1q0A_u2Pt2dDNimtfbgs92xbccR6AwrcCLjHwHBx6P-Xlfa7EhYTBafCMLVCKHDH9H77S6UUMMV2Vp3VKfwzNEC0R0WRIJACw4lXel4t_eHj7GjNnOYyD_lHXunCBiaNdeEAA93TPeBvQhP8KXZWKhqQxy68c6mso_RMjeVkqe2X63n159hue9aVrVECkcZRXpQ1OQwMgHIC1aKu8te3kt2OQS2wHvmeq8UQDWLy8iqJRSYoWmb8AEnduDDOwyTaXDlr_HxslA0P_2iDn2ABxrKjXiq93WehtaGmiVseehhl1onyuhqzwJjRpXCC3uXav_3exaj6XTWu7naTEFEqqyG8euKmbyBYRZaeIn7et5Uf45qhcUpi96hCppmYbsbWGUt0AlzC0v0okUWqJtlOgA3do1aiQDcDmkP64yFDnUM5bHpzdWrQ1ko5EVekyrqERAUlKfwo4_Hx4bmUjWV4QEWc2WXDVC5z9olNjwTRU31ij72uzQEnQ87eWGFIi7tQiVBf2ThzFNfS1HWfzz5y6sjcRNr3E4K1kIQNVg941QXpDf5YJo7bAwPKr4ryoIyUBjkC992PN1wJQU0}, HIS:[::KIBANA-SRV::->[auth_key->false]], [adminuser->[kibana_access->true, indices->true, jwt_auth->true, kibana_index->true]] }

@sscarduzio : Could you have a look at this and see what I am doing wrong?
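Added example, not from the poster or the ROR project: a small parser for ACL log lines in the format quoted above, plus a check that flags the same user, method and path being allowed repeatedly within a short window, which is what the redirect loop described here looks like in the log. The sample lines are constructed from a template (no token, made-up user and request ids); the field names (USR, MET, PTH, KDX, ...) are the ones visible in the quoted lines, and the threshold and window are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Template reproducing the shape of the quoted ROR ACL lines; the JWT header
# and most other headers are omitted. Everything below is constructed data.
LINE_TMPL = ("[{ts}][INFO ][t.b.r.a.ACL              ] [node1] ALLOWED by {{ name: '{block}', "
             "policy: ALLOW, rules: [kibana_access, kibana_index, indices, jwt_auth]}} req={{ "
             "ID:{rid}#{rid}, TYP:{typ}, CGR:N/A, USR:{usr}, BRS:false, KDX:{kdx}, ACT:{act}, "
             "OA:127.0.0.1, DA:127.0.0.1, IDX:{kdx}, MET:{met}, PTH:{pth}, CNT:<N/A>, "
             "HDR:{{Host=localhost:9200}}, HIS:[::KIBANA-SRV::->[auth_key->false]], "
             "[{block}->[kibana_access->true, jwt_auth->true]] }}")

GET_SPACE = ("GetRequest", "indices:data/read/get", "GET", "/.kibana_teama/doc/space%3Adefault")
SEARCH = ("SearchRequest", "indices:data/read/search", "POST", "/.kibana_teama/_search?size=1000&from=0")
SAMPLE_EVENTS = [  # (ts, block, request id, user, kibana index) + request tuple
    ("2019-02-08T12:24:52,360", "adminuser", 1, "user1", ".kibana_teama") + GET_SPACE,
    ("2019-02-08T12:24:52,388", "adminuser", 2, "user1", ".kibana_teama") + SEARCH,
    ("2019-02-08T12:24:52,429", "adminuser", 3, "user1", ".kibana_teama") + GET_SPACE,
    ("2019-02-08T12:24:52,464", "adminuser", 4, "user1", ".kibana_teama") + SEARCH,
    ("2019-02-08T12:24:52,497", "adminuser", 5, "user1", ".kibana_teama") + GET_SPACE,
    ("2019-02-08T12:24:52,530", "adminuser", 6, "user1", ".kibana_teama") + SEARCH,
    # a normal, single request by another user that must not be flagged
    ("2019-02-08T12:24:53,900", "readwrite", 7, "user2", ".kibana_teamb",
     "GetRequest", "indices:data/read/get", "GET", "/.kibana_teamb/doc/config%3A6.5.4"),
]


def _line(ts, block, rid, usr, kdx, typ, act, met, pth) -> str:
    return LINE_TMPL.format(ts=ts, block=block, rid=rid, usr=usr, kdx=kdx, typ=typ, act=act, met=met, pth=pth)


SAMPLE_LOG = "\n".join(_line(*e) for e in SAMPLE_EVENTS)

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\]"
    r"\[(?P<level>[A-Z]+)\s*\]\[[^\]]*\]\s*\[[^\]]*\]\s*"
    r"(?P<verdict>ALLOWED|FORBIDDEN) by (?:\{ name: '(?P<block>[^']*)'|default)"
    r".*?\breq=\{ (?P<req>.*) \}$"
)
# req fields are KEY:value pairs separated by ", "; values never contain commas
# for the keys we keep (ACT keeps its inner colons, PTH keeps its query string).
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]{2,3}):(?P<val>[^,]*)")
WANTED = ("ID", "TYP", "USR", "KDX", "ACT", "IDX", "MET", "PTH")
Key = Tuple[str, str, str]


def parse_acl_log(text: str) -> List[Dict[str, Any]]:
    """Parse ACL lines into dicts; lines that are not ACL verdicts are skipped."""
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v for k, v in FIELD_RE.findall(m.group("req")) if k in WANTED}
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S,%f"),
            "verdict": m.group("verdict"),
            "block": m.group("block") or "default",
            **fields,
        })
    return events


def detect_loops(events: List[Dict[str, Any]], threshold: int = 3,
                 window: timedelta = timedelta(seconds=1)) -> Dict[Key, int]:
    """Flag (user, method, path) triples seen >= threshold times inside one window."""
    stamps_by_key: Dict[Key, List[datetime]] = defaultdict(list)
    for ev in events:
        stamps_by_key[(ev.get("USR", "?"), ev.get("MET", "?"), ev.get("PTH", "?"))].append(ev["ts"])
    flagged: Dict[Key, int] = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for key, count in detect_loops(parse_acl_log(SAMPLE_LOG)).items():
        print(f"possible loop: {key[0]} {key[1]} {key[2]} x{count} within 1s")
```

On the constructed sample the two Kibana bootstrap requests (the space lookup and the saved-objects search) are each flagged three times within a second for user1, while user2's single request is not; pointing the parser at a real log file and raising the window to a few seconds gives a quick check for whether a tenancy block is bouncing Kibana in the way described above.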


(Peter Skarmyr) #3

Here are the network calls from the browser if it helps:


(Simone Scarduzio) #4

Hi @peter123, at the moment the tenancy selector does not work with JWT roles, but we are working on a core rewrite that will unify the concept of JWT roles and ROR groups, so this will be possible. This will take 2-3 weeks though.


(Peter Skarmyr) #5

That is perfect! Thanks for the reply 🙂


(Joe Chop) #6

Hi Simone. Just checking in on this - we are looking for the exact same functionality! Has any progress been made on this front? Do you need any testers 🙂


(Simone Scarduzio) #7

Hi @jchop01: we are running a bit late with the LDAP rewrite. This is next in line. And yes, we’ll need testers as usual. Will refer to this thread as soon as we have something.