Hi, I’m quite confused about adding nginx authentication in readonlyrest. I’m trying to allow users to sign into Kibana with gmail accounts and assign READ/WRITE access rules to different user groups, which should be achieved by ReadonlyRest at Elasticsearch level. I used oauth2_proxy with nginx to sign in with Google, and installed ReadonlyRest on Elasticsearch. But all calls to ES are forbidden. I’m not sure what is wrong. Could you take a look at my configurations? Any help will be appreciated!
Kibana.yml
# load kibana server
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
# forward authentication from proxy server to elasticsearch
elasticsearch.requestHeadersWhitelist: [ exlog-security, authorization ]
I tried two configurations for ReadonlyRest but both failed with similar errors:
Error Log in Elasticsearch:
FORBIDDEN by default req={ ID:2076378645-891330992#166, TYP:SearchRequest, CGR:N/A, USR:nginx(?), BRS:false, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=1000&from=0, CNT:<OMITTED, LENGTH=245>, HDR:{authorization=<OMITTED>, exlog-security=aliu, Connection=keep-alive, content-type=application/json, Host=localhost:9200, Content-Length=245}, HIS:[::KIBANA-SERVER::->[auth_key->false]], [::VIEWER::->[proxy_auth->false]], [::ADMIN::->[groups->false]] }
It captures the exlog-security=aliu which is passed by nginx in HDR but fails to find a match in the ACL.
First Config I tried:
readonlyrest:
  enabled: true
  response_if_req_forbidden: Sorry, request is forbidden.
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "::KIBANA-SERVER::"
    auth_key: kibana:kibana
    verbosity: error
  - name: "::VIEWER::"
    type: allow
    # I didn't specify a user group but directly use username
    proxy_auth: ["aliu"]
    actions: ["indices:data/read/*"]
    indices: [".kiban*", "logstash-*"]
  - name: "::ADMIN::"
    kibana_access: rw
    actions: ["indices:data/*"]
    # trying to assign all accesses to admin group
    indices: ["*"]
    groups: ["admin"]
Second Config:
readonlyrest:
  enabled: true
  response_if_req_forbidden: Sorry, request is forbidden.
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "::KIBANA-SERVER::"
    auth_key: kibana:kibana
    verbosity: error
  - name: "::VIEWER::"
    type: allow
    group: ["viewer"]
    actions: ["indices:data/read/*"]
    indices: [".kibana", "logstash-*"]
  - name: "::ADMIN::"
    kibana_access: rw
    actions: ["indices:data/*"]
    indices: ["*"]
    groups: ["admin"]
  users:
  - username: aliu
    proxy_auth: ["*"]
    groups: ["viewer"]
  - username: test
    proxy_auth: ["*"]
    groups: ["admin"]
My understanding is that when a user logs in with Gmail, the username will be passed through Kibana to ES, then ReadonlyRest matches the username to the corresponding user group; in this case [“aliu”] is matched with the [“viewer”] group and then the user should be granted the rule for “::VIEWER::”.
Is my understanding correct? I’m confused why ReadonlyRest can’t find a matching block in ACL.
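To make the flow described in the question concrete, here is an added toy model (not ReadonlyREST's or the poster's code) of how the ACL is walked for the logged request: blocks are tried in order and the first block whose rules all match wins. It assumes ReadonlyREST's documented default of taking the proxy_auth user id from the X-Forwarded-User header unless proxy_auth_config names another one; the nginx:secret basic-auth credential is a constructed placeholder for the value omitted in the log.

```python
# Toy model of ReadonlyREST ACL evaluation for the request in the question:
# blocks are tried in order and the first block whose rules ALL match wins.
# Added illustration, not ReadonlyREST's own code.
import fnmatch

# Request as it appears in the FORBIDDEN log line; the basic-auth credentials
# are omitted there, so "nginx:secret" is a constructed placeholder.
REQUEST = {
    "action": "indices:data/read/search",
    "index": ".kibana",
    "basic_auth": "nginx:secret",
    "headers": {"exlog-security": "aliu", "Host": "localhost:9200"},
}

# The poster's first config, expressed as Python data (block order preserved).
ACL = [
    {"name": "::KIBANA-SERVER::", "auth_key": "kibana:kibana"},
    {"name": "::VIEWER::", "proxy_auth": ["aliu"],
     "actions": ["indices:data/read/*"], "indices": [".kiban*", "logstash-*"]},
    {"name": "::ADMIN::", "actions": ["indices:data/*"],
     "indices": ["*"], "groups": ["admin"]},
]

def any_glob(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def proxy_user(headers, user_id_header):
    # proxy_auth takes the user id from one header; ReadonlyREST's documented
    # default is X-Forwarded-User unless proxy_auth_config names another.
    lookup = {k.lower(): v for k, v in headers.items()}
    return lookup.get(user_id_header.lower())

def rule_matches(rule, value, request, user_id_header):
    if rule == "auth_key":
        return request.get("basic_auth") == value
    if rule == "proxy_auth":
        user = proxy_user(request["headers"], user_id_header)
        return user is not None and any_glob(user, value)
    if rule == "actions":
        return any_glob(request["action"], value)
    if rule == "indices":
        return any_glob(request["index"], value)
    if rule == "groups":
        return False  # needs a user resolved from a users: entry; none modelled here
    return True  # verbosity, type, kibana_access: not modelled in this toy

def evaluate(acl, request, user_id_header="X-Forwarded-User"):
    """Name of the first block whose every rule matches, or None (FORBIDDEN)."""
    for block in acl:
        rules = [(k, v) for k, v in block.items() if k != "name"]
        if all(rule_matches(k, v, request, user_id_header) for k, v in rules):
            return block["name"]
    return None
```

With the default header name the walk ends with no matching block, mirroring the FORBIDDEN line in the log; evaluating with user_id_header="exlog-security" lets ::VIEWER:: match the read on .kibana, while a write action still matches nothing.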