Newbie start problem

Hi,

I’m having a big issue making this plugin work. My goal is to make it work against LDAP; no luck, so I’ve started from scratch.
ES version: 5.5.0
plugin version: readonlyrest-1.16.8_es5.5.0

I have a super simple test environment. On one machine I have both ES + Kibana, with one index called “test-index”.
The plugin is installed without problem; elasticsearch.yml contains:

this snippet works, no problem here:

readonlyrest:
    access_control_rules:
    - name: " Allowing anything from localhost"
      hosts: [127.0.0.1]

this snippet doesn’t work and I’m stuck on Kibana status page with “Authorization Exception” :

readonlyrest:
    access_control_rules:
    - name: Accept all requests from localhost
      hosts: [127.0.0.1]
      indices: ['test-index']
      actions: ["indices:data/read/*"]

Default Kibana index is set to ‘test-index’
Also, I have a question about LDAP/groups: how are users authenticated to Kibana? Should I see some browser popup window for credentials or what?

thanks for any heads up,
-Alex

Hello @Alex, welcome to ReadonlyREST forum :slight_smile:

If you use Free/OSS version, Kibana will ask the user for HTTP Basic Auth, that means you’ll have a native form asking for username and password. Something like this.

If you use the PRO/Enterprise (with the Kibana plugin) you will have a login page and the authentication happens through an encrypted cookie.

In both cases, if you want Kibana users to have a read-only experience, use the kibana_access macro instead of actions.
Have a look at this example: GitHub - sscarduzio/elasticsearch-readonlyrest-plugin: Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing

Hi @sscarduzio,

thank you for the prompt answer. Now I understand what this means in the ES logs:

[2017-07-27T15:34:22,115][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:22,136][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:24,651][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:27,157][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:29,665][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:32,170][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:34,677][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...

but despite this information my browser is not providing me any form for credentials. I tried Chrome/Firefox and I’m only getting:

elasticsearch.yml:

readonlyrest:
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error # don't log successful request
    - name: "::RW DEVELOPER::"
      auth_key: rw:dev
      kibana_access: rw
      indices: [".kibana", "test-index"]
    - name: "::RO DEVELOPER::"
      auth_key: ro:dev
      kibana_access: ro
      indices: [".kibana", "test-index"]

From access.log for last configuration snippet:

[2017-07-27T15:57:44,725][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::KIBANA-SRV:::   { name: '::KIBANA-SRV::', policy: ALLOW}
[2017-07-27T15:57:44,730][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::RW DEVELOPER::: { name: '::RW DEVELOPER::', policy: ALLOW}
[2017-07-27T15:57:44,730][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::RO DEVELOPER::: { name: '::RO DEVELOPER::', policy: ALLOW}
[2017-07-27T15:57:50,055][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1277933222-1228468339#45, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:50,082][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:395863061-1533855167#46, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:52,600][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:153869043-857795423#47, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:55,108][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1246488878-1151800961#48, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:57,619][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1543619361-1549440546#49, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:58:00,124][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:444662998-1594971073#50, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2017-07-27T15:58:02,631][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:202899784-1232816243#51, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }

and I’m getting the same Kibana error for:

readonlyrest:
    access_control_rules:
    - name: Accept all requests from localhost
      hosts: [127.0.0.1]
      indices: ['test-index']
      kibana_access: ro

From access.log for last configuration snippet:

[2017-07-27T15:54:00,523][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1894387269-584635291#152, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
[2017-07-27T15:54:03,030][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1620757851-1186387428#153, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,033][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1226123047-1772978278#154, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,037][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:97632477-865543465#156, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local?filter_path=nodes.*.settings.tribe, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,043][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1444136519-912261053#158, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
[2017-07-27T15:54:05,548][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1443450914-1565898006#159, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,552][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1351360711-409335151#160, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,562][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:248106802-1377562046#162, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local?filter_path=nodes.*.settings.tribe, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,569][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1163130799-1961389530#164, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }

Thanks for review

I think you need to add credentials to your /etc/kibana/kibana.yml

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

so it can connect to local elasticsearch.

Hi @madou23,

with kibana:kibana credentials in kibana.yml still no magic :frowning:

[2017-07-28T15:42:15,263][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1739257567-1015233801#45382, TYP:ClusterStateRequest, USR:kibana(?), BRS:false, ACT:cluster:monitor/state, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline, CNT:<N/A>, HDR:{Authorization=Basic a2liYW5hOmtpYmFuYQ==, Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[kibana_access->false, auth_key->true]], [elkstack users->[ldap_authentication->false]] }
[2017-07-28T15:42:17,784][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1989103981-1396789696#45394, TYP:ClusterStateRequest, USR:kibana(?), BRS:false, ACT:cluster:monitor/state, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline, CNT:<N/A>, HDR:{Authorization=Basic a2liYW5hOmtpYmFuYQ==, Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[elkstack users->[ldap_authentication->false]], [::KIBANA-SRV::->[kibana_access->false, auth_key->true]] }
[2017-07-28T15:42:20,399][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1774170053-808004707#45406, TYP:ClusterStateRequest, USR:kibana(?), BRS:false, ACT:cluster:monitor/state, OA:127.0.0.1, IDX:, MET:GET, PTH:/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline, CNT:<N/A>, HDR:{Authorization=Basic a2liYW5hOmtpYmFuYQ==, Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[elkstack users->[ldap_authentication->false]], [::KIBANA-SRV::->[kibana_access->false, auth_key->true]] }

I googled a little and I have found that maybe our domain policy administrators suppressed browser’s authScheme:basic … Anyway this is something I can’t prove yet, because admins are on vacation and I have no idea if this might be the case :slight_smile:

-Alex

Hey, should you not have “allow” under the Kibana block?

I have this in elasticsearch.yml

    - name: "Kibana Server"
      type: allow
      auth_key: kibana:kibana
      verbosity: error

Hi @nan008!

It’s OK to have it or leave it off to lighten up the yaml structure, as it’s implicitly set to “allow”. The same goes with all the “enable : true”. :slight_smile:
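
Added example, not part of the original thread or the plugin's own code: the access.log lines quoted above record in their HIS: field how every rule of every ACL block evaluated, so a small parser can show which rule caused each FORBIDDEN. The sample lines are constructed and abridged from the format shown in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, abridged from the access.log format quoted in this thread.
SAMPLE = [
    "[2017-07-27T15:54:00,523][INFO ][...acl.ACL] FORBIDDEN by default req={ TYP:MultiGetRequest, "
    "USR:[no basic auth header], ACT:indices:data/read/mget, IDX:.kibana, MET:POST, PTH:/_mget, "
    "HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }",
    "[2017-07-27T15:54:03,030][INFO ][...acl.ACL] ALLOWED by '{ block=Accept all requests from "
    "localhost, match=true }' req={ USR:[no basic auth header], ACT:cluster:monitor/main, IDX:<N/A>, "
    "HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }",
    "[2017-07-28T15:42:15,263][INFO ][...acl.ACL] FORBIDDEN by default req={ USR:kibana(?), "
    "ACT:cluster:monitor/state, IDX:, MET:GET, PTH:/_cluster/settings, HIS:[::KIBANA-SRV::->"
    "[kibana_access->false, auth_key->true]], [elkstack users->[ldap_authentication->false]] }",
]
BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\]]*)\]\]")  # [block name->[rule->bool, ...]]

def parse_acl_line(line):
    """Split one ACL log line into verdict, request fields and per-block rule results."""
    verdict = re.search(r"\b(ALLOWED|FORBIDDEN)\b", line)
    if verdict is None or "HIS:" not in line:
        return None  # not an ACL decision line
    head, _, history = line.rpartition("HIS:")
    def field(name):
        m = re.search(rf"\b{name}:([^,]*),", head)
        return m.group(1).strip() if m else None
    blocks = {name: {k: v == "true" for k, v in
                     (r.split("->", 1) for r in rules.split(", ") if "->" in r)}
              for name, rules in BLOCK_RE.findall(history)}
    return {"verdict": verdict.group(1), "user": field("USR"),
            "action": field("ACT"), "index": field("IDX"), "blocks": blocks}

def failed_rules(parsed):
    """Map each ACL block to the rules that evaluated false for this request."""
    return {b: sorted(r for r, ok in rules.items() if not ok)
            for b, rules in parsed["blocks"].items()}

def summarize(lines):
    """Count (action, index, block, failed rule) over FORBIDDEN lines only."""
    counts = Counter()
    for p in filter(None, map(parse_acl_line, lines)):
        if p["verdict"] == "FORBIDDEN":
            for block, rules in failed_rules(p).items():
                counts.update((p["action"], p["index"], block, r) for r in rules)
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key, sep=" | ")
```

For the first sample line it reports `indices` as the only failed rule on a request whose IDX is `.kibana`; for the last, `kibana_access` in the `::KIBANA-SRV::` block and `ldap_authentication` in `elkstack users`.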