Not able to put data in Kibana after installing ReadOnlyRest, any ideas?

I installed new Kibana, elasticsearch and ReadOnlyRest. Then I typed in the following commands in “dev tools”:

    PUT /ag2_vehicle_stats
    {
      "mappings": {
        "doc": {
          "properties": {
            "vin": {
              "type": "keyword"
            },
            "error_reported": {
              "type": "integer"
            },
            "new_normalized_dist_on_battery": {
              "type": "double"
            },
            "new_seg_battery_charge_curr_capacity_in_ah": {
              "type": "double"
            },
            "curr_capacity_drive_soh": {
              "type": "double"
            },
            "curr_capacity_charge_soh": {
              "type": "double"
            },
            "day": {
              "type": "date"
            }
          }
        }
      }
    }

However, I got the following error msg:

    {
      "error" : {
        "root_cause" : [
          {
            "reason" : "forbidden",
            "due_to" : [
              "OPERATION_NOT_ALLOWED"
            ]
          }
        ],
        "reason" : "forbidden",
        "due_to" : [
          "OPERATION_NOT_ALLOWED"
        ],
        "status" : 403
      }
    }

What’s wrong here? Any ideas?

Hello @vernal, most likely you have a kibana_access rule in place, and by design, even if you set it to “admin”, you cannot get write privileges to indices other than your “kibana_index”.

This is done because the kibana_access rule is designed to allow the use of Kibana in general as a data representation tool, and prevent accidental tampering of data indices.

Possible workarounds:

  1. Add an ACL block above the one that represents your user or group; it has to be identical minus the kibana_access rule. Add to it an actions rule that allows the actions you want the user to be able to do from dev tools.

  2. Remove the kibana_access rule altogether.

Thanks Simone!

What is “ACL block”? Could you give me an example?

Besides, below is what I set up in readonlyrest.yml for this account. I did use “admin” for the kibana_access:

    - name: "::ADMIN-AG::"
      auth_key: ag-user-admin:ag-user-admin
      kibana_access: admin
      kibana_index: ".kibana_ag"
      verbosity: error

OK sure,

workaround 1

    - name: "::ADMIN-AG::"   # <-- unchanged
      auth_key: ag-user-admin:ag-user-admin
      kibana_access: admin
      kibana_index: ".kibana_ag"
      verbosity: error

    - name: "::ADMIN-AG extra permissions for dev-tools::" # <-- added ACL block
      auth_key: ag-user-admin:ag-user-admin
      actions: ["indices:data/write/*", "indices:monitor/*"] # <-- ref. documentation for list
      kibana_index: ".kibana_ag"
      verbosity: error

workaround 2

Comment out the kibana_access

    - name: "::ADMIN-AG::"
      auth_key: ag-user-admin:ag-user-admin
      #kibana_access: admin
      kibana_index: ".kibana_ag"
      verbosity: error
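Added example, not part of the original thread and not ReadonlyREST's own code: a simplified Python model of sequential ACL evaluation (the first block whose rules all match allows the request), applied to workaround 1. The `kibana_access` behaviour is modelled only as described in the reply above; the `ag2_*` pattern, the `other_team_logs` index and the `EXTRA_SCOPED` block are assumptions used to show that the added block, having no `indices` rule, also permits writes to unrelated indices unless it is scoped.

```python
from fnmatch import fnmatch

READ_PATTERNS = ("indices:data/read/*", "indices:monitor/*")  # simplification

def kibana_access_ok(block, req):
    """Model of the rule as described in the thread: reads pass, writes only on kibana_index."""
    if any(fnmatch(req["action"], p) for p in READ_PATTERNS):
        return True
    return block["kibana_access"] in ("rw", "admin") and req["index"] == block.get("kibana_index")

def block_matches(block, req):
    """A block matches only if every rule it contains matches the request."""
    if block["auth_key"] != req["auth"]:
        return False
    if "kibana_access" in block and not kibana_access_ok(block, req):
        return False
    if "actions" in block and not any(fnmatch(req["action"], p) for p in block["actions"]):
        return False
    if "indices" in block and not any(fnmatch(req["index"], p) for p in block["indices"]):
        return False
    return True

def evaluate(acl, req):
    """Return the name of the first matching block, or None (request forbidden)."""
    return next((b["name"] for b in acl if block_matches(b, req)), None)

# Blocks from the thread; kibana_index/verbosity are left out where they do not filter in this model.
ADMIN = {"name": "::ADMIN-AG::", "auth_key": "ag-user-admin:ag-user-admin",
         "kibana_access": "admin", "kibana_index": ".kibana_ag"}
EXTRA = {"name": "::ADMIN-AG extra permissions for dev-tools::",
         "auth_key": "ag-user-admin:ag-user-admin",
         "actions": ["indices:data/write/*", "indices:monitor/*"]}
# Hypothetical tightening: same block plus an indices rule limited to the data indices.
EXTRA_SCOPED = dict(EXTRA, indices=["ag2_*"])

def write_to(index):
    # Constructed request: a document write issued from dev tools by the admin user.
    return {"auth": "ag-user-admin:ag-user-admin",
            "action": "indices:data/write/index", "index": index}

if __name__ == "__main__":
    for label, acl in [("original", [ADMIN]), ("workaround 1", [ADMIN, EXTRA]),
                       ("scoped", [ADMIN, EXTRA_SCOPED])]:
        for index in ("ag2_vehicle_stats", "other_team_logs"):
            result = evaluate(acl, write_to(index)) or "403 forbidden"
            print(f"{label:13} {index:18} -> {result}")
```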

Thanks Simone! It works now.


I would like to create a user who can only view dashboards for ag-indexed data. However, after I logged into ag-user, I only saw something like “No spaces match search criteria”. What is wrong with my setting?

Here is the related setting in readonlyrest.yml

    - name: "::RO-AG::"
      auth_key: ag-user:ag-user
      kibana_access: ro
      indices: [".kibana_ag"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management", "kibana:discover", "kibana:visualize", "canvas", "maps", "apm", "uptime", "siem"]
      verbosity: error

    - name: "::ADMIN-AG::"
      auth_key: ag-user-admin:ag-user-admin
      kibana_index: ".kibana_ag"
      verbosity: error

What ROR version are you using? Sounds like a bug we resolved in ROR 1.19.4.

Version 7.6 for latest elasticsearch and kibana.

@vernal the ROR version: go to the ROR Kibana app (where the ROR YAML settings can be edited) and scroll to the bottom; you will see in the middle a string with the version. Alternatively:

    cat /usr/share/kibana/plugins/readonlyrest_kbn/package.json | grep version

    "version": "1.19.2",
    "ror_version": "enterprise-1.19.2_es7.6.0",
    "version": "7.6.0"


Yes you’re on an old version, go install 1.19.4 and it should be fine.

Thanks Simone.

How to upgrade to 1.19.4? Do I need to uninstall and reinstall? Or is there any command to upgrade it directly?

Besides, when I go to “download” page, I can only see version numbers for kibana and elasticsearch, but I cannot see version number for readonlyrest. How could I find the right version for readonlyrest?

Thanks!

Uninstall both es and kibana plugins, and install the new ones. The download form only gives you the latest versions, so no problem.

Thanks Simone!

I upgraded both ES and kibana to 1.19.4. However, I still got the same error for ag-user account. What might be the cause for this?

Another question: I have the following two accounts: one is ag-user, the other is ag-user-admin. Actually I am not quite sure about the creation of the index “.kibana_ag”. Is this the right way to create .kibana_ag, by mentioning it as below, so that ag-user-admin can edit the dashboard and ag-user can only view the dashboard? Do I need to do something else for .kibana_ag?

    - name: "::RO-AG::"
      auth_key: ag-user:ag-user
      kibana_access: ro
      indices: [".kibana_ag"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management", "kibana:discover", "kibana:visualize", "canvas", "maps", "apm", "uptime", "siem"]
      verbosity: error

    - name: "::ADMIN-AG::"
      auth_key: ag-user-admin:ag-user-admin
      kibana_index: ".kibana_ag"
      verbosity: error

First question: I’m a bit lost because the topic changed too many times from the original question. Can you post again what the error and logs are for the CURRENT issue? Do you still get errors in default spaces creation?

Second question: looks good to me, the other thing you could do is to have a “kibana_access: ro” user that can edit the dashboards, but cannot access the readonlyrest_kbn Kibana app.

Thanks Simone.

My current issue is when I logged in as ag-user, I still cannot see anything and the only message I got from the screen is “No spaces match search criteria”.

Strange! Can you show me the elasticsearch.yml and the kibana log of when that error happens?

Here is elasticsearch.yml:

    cluster.name: es-prod
    node.name: master-1
    path.data: /var/lib/elasticsearch
    path.logs: /var/log/elasticsearch
    network.host: ["172.15.7.169", local]
    discovery.seed_hosts: ["172.15.7.182", "172.15.7.183", "172.15.7.184", "172.15.7.185", "172.15.7.186", "172.15.7.187", "172.15.7.188", "172.15.7.189"]
    cluster.initial_master_nodes: ["master-1", "master-2", "master-3"]
    xpack.graph.enabled: false
    xpack.ml.enabled: false
    xpack.monitoring.enabled: true
    xpack.security.enabled: false
    xpack.watcher.enabled: false

Here is the kibana log:

    "tags":["error","readonlyrest_kbn:onPreResponse"],"pid":437453,"message":"got an error [404] Not Found for path /internal/spaces/_active_space"}
    amp":"2020-04-02T17:54:38Z","tags":["error","readonlyrest_kbn:onPreResponse"],"pid":437453,"message":"index not found, will return the useful error."}

I figured out the solution. After I made the following change, it works:

from

    indices: [".kibana_ag"]

to

    kibana_index: ".kibana_ag"