Proxy_auth and dynamic user


(Daniel Mota Leite) #1

Hi

I’m trying to use proxy auth, using my already existing Google auth config… so I set up my nginx to pass the Google username in the x-forwarded-user header and use an nginx map to find the correct group for that user. In RoR I set up this:

  users:
    - username: @{x-forwarded-user}
      groups: [@{x-user-group}]
      proxy_auth:
        proxy_auth_config: "proxy-user"
        users: ["*"]

  proxy_auth_configs:
      - name: "proxy-user"
        user_id_header: "X-Forwarded-User"

The idea is to get the username and group dynamically … and it looks good on paper… but fails to work! :smiley:

RoR returns this:

[2018-05-11T16:09:51,341][INFO ][t.b.r.e.SettingsObservableImpl] Loaded good settings from /etc/elasticsearch/readonlyrest.yml
mai 11 16:09:52 kafka-live-a01 sh[25329]: [6935361.682974] elasticsearch[6]: tech.beshu.ror.commons.settings.SettingsMalformedException: Could not find required attribute 'readonlyrest' 

Removing the username part, it works fine. Replacing the @{variables} with hardcoded ones, RoR works fine. So I would say that the users section does not accept dynamic user/group config.

How can I create a config where the users are dynamic? Right now I have a few users manually configured, but I want to expand that to all users and of course, I do not want to manage the user list in readonlyrest, and right now I still do not have an external group service.


(Simone Scarduzio) #2

How about you use double quotes? Will it work?


(Daniel Mota Leite) #3

:smiley:

Yes, with quotes, this config loads now! Thanks!

But this does not work yet. I can tcpdump the Elasticsearch request and I see the x-forwarded-user and x-user-group headers with valid info (x-forwarded-user: my_username and x-user-group: sysadmin group), yet the log fails:

mai 14 14:01:32 elk-live-a01 sh[783]: [7186862.214483] elasticsearch[6]: [2018-05-14T14:01:32,060][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:1731961231--12124909#1438
 TYP:SearchRequest
 CGR:N/A
 USR:[no basic auth header]
 BRS:false
 ACT:indices:data/read/search
 OA:172.26.1.18
 IDX:.kibana
 MET:POST
 PTH:/.kibana/_search
 CNT:<OMITTED, LENGTH=279>
 HDR:Connection, Content-Length, content-type, Host, Req-ID, X-Forwarded-For, X-Forwarded-Proto, x-forwarded-user, X-Real-IP, x-user-group
 HIS: (...)
 [Accept sysadmin users->[groups->false]]
(...)

The action above is this one:

- name: "Accept sysadmin users"
  type: allow
  groups: ["sysadmin"]

I tried to merge this into the action above, but it didn’t help

  proxy_auth:
    proxy_auth_config: "proxy-user"
    users: ["*"]

It just says [proxy_auth->true, groups->false]

So it looks like the group part is not working… any idea why?

Again, thanks for the help
Daniel


(Simone Scarduzio) #4

In your yaml you didn’t show anything under the "users:" section, so there is no user->group association. Of course your group rule fails.


(Daniel Mota Leite) #5

Sorry, I do not understand what you said! :slightly_smiling_face:

Here is my config (I removed only other users and actions). I have a users: section with the dynamic user-group association. Are you saying I need to put users before the access_control_rules? … nope, that also does not work :frowning:

readonlyrest:
  enable: true
  access_control_rules:

    - name: "Accept sysadmin users"
      type: allow
      groups: ["sysadmin"]


  # Users
  users:
    - username: "@{x-forwarded-user}"
      groups: ["@{x-user-group}"]
      proxy_auth:
        proxy_auth_config: "proxy-user"
        users: ["*"]

  proxy_auth_configs:
      - name: "proxy-user"
        user_id_header: "x-forwarded-user"

Thanks!


(Simone Scarduzio) #6

You’re making this too complicated. How about this?

readonlyrest:
  enable: true
  access_control_rules:

    - name: "Accept sysadmin users"
      proxy_auth:
        proxy_auth_config: "proxy-user"
        users: ["*"]

  proxy_auth_configs:
      - name: "proxy-user"
        user_id_header: "x-forwarded-user"

The only missing thing is the x-proxy-user information handling, which would benefit from the existence of a header rule.


(Daniel Mota Leite) #7

But that way I’m allowing everyone to be a sysadmin! :slight_smile:

I want to allow some users as sysadmins, and other users for their own teams/projects

I could use my x-user-group as a user… but then I will lose the info on who the user is, I will only know it was a sysadmin, a team1 or team2 user

That is why I’m trying to use user and group, sent by the reverse proxy :slight_smile:


(Simone Scarduzio) #8

Yep, got it. Makes sense, but apparently proxy_auth does not play well with local groups at the moment. This needs investigation.

The short-term, simpler solution would be to create a headers rule which would let you skip the groups entirely.
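The "headers rule" approach suggested above, carried through for the sysadmin group plus one team, as an added example that is not from the thread or from the ReadOnlyREST project. It assumes the rule key is headers_and (a header-matching rule documented in later RoR versions; confirm the exact name for the version in use), that header names are matched case-insensitively, and that the reverse proxy sets both x-forwarded-user and x-user-group on every request.

```yaml
# Added example, not the poster's or the project's own config.
# proxy_auth still resolves the identity (so the username shows up in the
# USR field of the ACL log), while headers_and enforces the role that the
# proxy asserted. The users: section with @{...} variables is no longer needed.
readonlyrest:
  enable: true
  access_control_rules:

    # Identity AND group header must both match; a valid user carrying a
    # different group value falls through to the next rule.
    - name: "Accept sysadmin users"
      type: allow
      proxy_auth:
        proxy_auth_config: "proxy-user"
        users: ["*"]
      headers_and: ["x-user-group:sysadmin"]   # assumed rule name, see lead-in

    # Team members are confined to their own indices (plus the Kibana index).
    - name: "team1: own indices only"
      type: allow
      proxy_auth:
        proxy_auth_config: "proxy-user"
        users: ["*"]
      headers_and: ["x-user-group:team1"]
      indices: ["team1-*", ".kibana"]

    # Deliberately no catch-all rule: a request with no group header, or an
    # unknown one, hits RoR's default and is FORBIDDEN (fail closed).

  proxy_auth_configs:
    - name: "proxy-user"
      user_id_header: "x-forwarded-user"
```

This only holds if those two headers can be set by nobody but the proxy: in nginx, use proxy_set_header for both x-forwarded-user and x-user-group (proxy_set_header redefines the header, so any value a client supplied is replaced rather than forwarded), and restrict the Elasticsearch HTTP port so that it accepts connections from the proxy only. The HDR field in the FORBIDDEN log line earlier in the thread is a quick way to confirm which headers actually reached RoR.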