Problems configuring readonlyrest

Hi people, I am trying to make this work but I have some problems.

First:
[2019-04-09T10:16:10,305][INFO ][t.b.r.a.ACL ] [YVlOB8K] FORBIDDEN by default req={ ID:124630587-1149977786#1119, TYP:MainRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:cluster:monitor/main, OA:127.0.0.1, DA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{content-length=0, Connection=Keep-Alive, User-Agent=Manticore 0.6.4, Host=localhost:9200, Accept-Encoding=gzip,deflate, Content-Type=application/json}, HIS:[::user1_kibana::->[auth_key->false]], [::user2_kibana::->[auth_key->false]], [::user3_kibana::->[auth_key->false]], [::user1::->[auth_key->false]], [::user2::->[auth_key->false]], [::user3 only::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Administrator access->[auth_key->false]] }

And when I try to access via HTTP I get this message:

{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}

This is my configuration:

readonlyrest:
#    enable: true
#    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:

    - name: "::user1_kibana::"
      auth_key: "user1"
      indices: [".kibana_user1"]
      actions: ["*"]

    - name: "::user2_kibana::"
      auth_key: "user2"
      indices: [".kibana_user2"]
      actions: ["*"]

    - name: "::user3_kibana::"
      auth_key: "user3"
      indices: [".kibana_user3"]
      actions: ["*"]

    - name: "::user1::"
      auth_key: user1:user1
      actions: ["indices:data/read/*","indices:admin/mappings/*"]
      indices: ["*"]
      kibana_access: rw

    - name: "::user2::"
      auth_key: user2:user2
      actions: ["indices:data/read/*","indices:admin/mappings/*"]
      indices: ["*"]
      kibana_access: rw

    - name: "::user3 only::"
      auth_key: user3:user3
      actions: ["indices:data/read/*","indices:admin/mappings/*"]
      indices: ["*"]
      kibana_access: rw

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: "Administrator access"
      auth_key: administrator:administrator
      kibana_access: admin
      actions: ["*"]

thanks!

this is wrong, should be in the format “username:password”. So the password is missing.

If you use a non-standard kibana index, use also kibana_index: ".kibana_user1".
Also it’s weird that you only allow the kibana index, no data indices to be seen for this user?

this notation is equivalent to not having the actions rule at all. You are “limiting” the allowed actions to…“all of them”?

Never mix kibana_access with the actions rule. It does not make sense because kibana_access is a macro rule that already restricts actions to the minimum needed to support a Kibana session.
Please see the docs about it.
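As an added illustration of the four points in this reply (not ReadOnlyREST's own code), a small Python checker that flags these patterns in a rule list that has already been loaded from YAML; the sample rules are constructed to mirror the first configuration in the thread, and treating any index starting with ".kibana_" as a "non-standard kibana index" is an assumption made here for the check.

```python
"""Checks for the ReadOnlyREST ACL mistakes discussed in the reply above.

Added example, not ReadOnlyREST code: each access_control_rules block is
handled as a plain dict (as a YAML loader would produce), so no YAML
parser is needed to run it.
"""


def check_rule(rule):
    """Return a list of findings for one access_control_rules block."""
    findings = []
    name = rule.get("name", "<unnamed>")
    auth_key = rule.get("auth_key")
    # auth_key must be "username:password"; a bare name has no password part
    if isinstance(auth_key, str) and ":" not in auth_key:
        findings.append(f"{name}: auth_key must be 'username:password'")
    actions = rule.get("actions")
    # ["*"] limits nothing, so the actions rule is equivalent to omitting it
    if actions == ["*"]:
        findings.append(f"{name}: actions ['*'] is equivalent to no actions rule")
    # kibana_access already restricts actions; combining both is a misconfiguration
    if "kibana_access" in rule and actions is not None:
        findings.append(f"{name}: do not mix kibana_access with an actions rule")
    # assumption: a rule scoped to a .kibana_* index should also declare kibana_index
    custom = [i for i in rule.get("indices", []) if i.startswith(".kibana_")]
    if custom and "kibana_index" not in rule:
        findings.append(f"{name}: non-standard kibana index {custom[0]} needs kibana_index")
    return findings


def check_acl(rules):
    """Run check_rule over every block and collect the findings in order."""
    out = []
    for rule in rules:
        out.extend(check_rule(rule))
    return out


# Constructed sample mirroring three blocks of the first configuration in the thread
SAMPLE_RULES = [
    {"name": "::user1_kibana::", "auth_key": "user1",
     "indices": [".kibana_user1"], "actions": ["*"]},
    {"name": "::user1::", "auth_key": "user1:user1",
     "actions": ["indices:data/read/*", "indices:admin/mappings/*"],
     "indices": ["*"], "kibana_access": "rw"},
    {"name": "::KIBANA-SRV::", "auth_key": "kibana:kibana"},
]

if __name__ == "__main__":
    for line in check_acl(SAMPLE_RULES):
        print(line)
```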

Thanks for the reply,

I changed the configuration:

readonlyrest:
  prompt_for_basic_auth: false

  access_control_rules:

  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["filebeat-*"]

  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana

  - name: "supertest2"
    type: allow
    actions: ["cluster:monitor/nodes/stats"]
    verbosity: error

  - name: "::RO::"
    auth_key: ro:dev
    kibana_access: ro
    indices: [".kibana", ".kibana-devnull", "filebeat-*"]
    kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

  - name: "::RW::"
    auth_key: rw:dev
    kibana_access: rw
    indices: [".kibana", ".kibana-devnull", "filebeat-*"]
    kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

  - name: "::ADMIN::"
    auth_key: admin:dev
    # KIBANA ADMIN ACCESS NEEDED TO EDIT SECURITY SETTINGS IN ROR KIBANA APP!

Apparently all is OK, but when I try to access via web I get this error:
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}

Thanks

Hi @cgermanb,

What do you mean web? Is that a line of kibana logs?
Do you have one of our Kibana plugins installed as well?
Maybe have a look at ES logs too if there is something more.