Newbie start problem

Hi,

I’m having an big issue to make this plugin work. My goal is to make it works against ldap, no luck, so I’ve started from scratch.
ES version: 5.5.0
plugin version: readonlyrest-1.16.8_es5.5.0

I have super simple test environment. on one machine I have both, es + kibana with one index called "test-index"
plugin is installed without problem, elasticsearch.yml contains:

this snippet works, no problem here:

readonlyrest:
    access_control_rules:
    - name: " Allowing anything from localhost"
      hosts: [127.0.0.1]

this snippet doesn’t work and I’m stuck on Kibana status page with “Authorization Exception” :

readonlyrest:
    access_control_rules:
    - name: Accept all requests from localhost
      hosts: [127.0.0.1]
      indices: ['test-index']
      actions: ["indices:data/read/*"]

Default Kibana index is set to 'test-index’
Also I have question about ldap/groups, how users are authenticated to Kibana? Should I see some browser popup window for credentials or what ?

thanks for any heads up,
-Alex

Hello @Alex, welcome to ReadonlyREST forum :slight_smile:

If you use Free/OSS version, Kibana will ask the user for HTTP Basic Auth, that means you’ll have a native form asking for username and password. Something like this.

If you use the PRO/Enterprise (with the Kibana plugin) you will have a login page and the authentication happen through an encrypted cookie.

In both cases, if you want Kibana users to have a read-only experience, use the kibana_access macro instead of actions.
Have a look at this example: GitHub - sscarduzio/elasticsearch-readonlyrest-plugin: Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing

Hi @sscarduzio,

thank you for prompt answer. Now I understand what means in ES logs

[2017-07-27T15:34:22,115][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:22,136][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:24,651][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:27,157][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:29,665][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:32,170][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:34,677][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...

but despite this information my broswer is not providing me any form for credentials. I tried Chrome/Firefox and I’m only getting:

elasticsearch.yml:

readonlyrest:
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error # don't log successful request
    - name: "::RW DEVELOPER::"
      auth_key: rw:dev
      kibana_access: rw
      indices: [".kibana", "test-index"]
    - name: "::RO DEVELOPER::"
      auth_key: ro:dev
      kibana_access: ro
      indices: [".kibana", "test-index"]

From access.log for last configuration snippet:

[2017-07-27T15:57:44,725][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::KIBANA-SRV:::   { name: '::KIBANA-SRV::', policy: ALLOW}
[2017-07-27T15:57:44,730][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::RW DEVELOPER::: { name: '::RW DEVELOPER::', policy: ALLOW}
[2017-07-27T15:57:44,730][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::RO DEVELOPER::: { name: '::RO DEVELOPER::', policy: ALLOW}
[2017-07-27T15:57:50,055][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1277933222-1228468339#45, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:50,082][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:395863061-1533855167#46, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:52,600][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:153869043-857795423#47, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:55,108][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1246488878-1151800961#48, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:57,619][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1543619361-1549440546#49, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:58:00,124][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:444662998-1594971073#50, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2017-07-27T15:58:02,631][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:202899784-1232816243#51, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }

and I’m getting same Kibana error for:

readonlyrest:
    access_control_rules:
    - name: Accept all requests from localhost
      hosts: [127.0.0.1]
      indices: ['test-index']
      kibana_access: ro

From access.log for last configuration snippet:

[2017-07-27T15:54:00,523][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1894387269-584635291#152, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
[2017-07-27T15:54:03,030][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1620757851-1186387428#153, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,033][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1226123047-1772978278#154, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,037][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:97632477-865543465#156, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local?filter_path=nodes.*.settings.tribe, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,043][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1444136519-912261053#158, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
[2017-07-27T15:54:05,548][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1443450914-1565898006#159, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,552][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1351360711-409335151#160, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,562][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:248106802-1377562046#162, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local?filter_path=nodes.*.settings.tribe, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,569][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1163130799-1961389530#164, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }

Thanks for review

I think you need to add credentials to your /etc/kibana/kibana.yml

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

so it can connect to local elastisearch.

1 Like

Hi @madou23,

with kibana:kibana credentials in kibana.yml still no magic :frowning:

[2017-07-28T15:42:15,263][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1739257567-1015233801#45382, TYP:ClusterStateRequest, USR:kibana(?), BRS:false, ACT:cluster:monitor/state, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline, CNT:<N/A>, HDR:{Authorization=Basic a2liYW5hOmtpYmFuYQ==, Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[kibana_access->false, auth_key->true]], [elkstack users->[ldap_authentication->false]] }
[2017-07-28T15:42:17,784][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1989103981-1396789696#45394, TYP:ClusterStateRequest, USR:kibana(?), BRS:false, ACT:cluster:monitor/state, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline, CNT:<N/A>, HDR:{Authorization=Basic a2liYW5hOmtpYmFuYQ==, Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[elkstack users->[ldap_authentication->false]], [::KIBANA-SRV::->[kibana_access->false, auth_key->true]] }
[2017-07-28T15:42:20,399][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1774170053-808004707#45406, TYP:ClusterStateRequest, USR:kibana(?), BRS:false, ACT:cluster:monitor/state, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline, CNT:<N/A>, HDR:{Authorization=Basic a2liYW5hOmtpYmFuYQ==, Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[elkstack users->[ldap_authentication->false]], [::KIBANA-SRV::->[kibana_access->false, auth_key->true]] }

I googled a little and I have found that maybe our domain policy administrators suppressed browser’s authScheme:basic … Anyway this is something I can’t prove yet, because admins are on vacation and I have no idea if this might be a case :slight_smile:

-Alex

Hey should you not have “allow” under Kibana block?

I have this in elasticsearch.yml

  - name: "Kibana Server"
      type: allow
      auth_key: kibana:kibana
      verbosity: error

Hi @nan008!

It’s OK to have it or leave it off to lighten up the yaml structure, as it’s implicitly set to “allow”. The same goes with all the “enable : true”. :slight_smile: