Proxy_auth + headers doesn't quite work


(Barry Kaplan) #1

I have a rule like

        - name: user-plant-operator
          headers:
            - x-forwarded-group:operator
            - x-plant:*
          proxy_auth: '*'
          indices: [kibana_sample_data_ecommerce]
          filter: |
            {
              "term": {"customer_gender": "@{x-plant}"}
            }

Note the headers:false for user-plant-operator when accessing the kibana_sample_data_ecommerce index:

[2018-12-22T19:21:29,324][INFO ][tech.beshu.ror.acl.ACL   ] [s-ror-es-1] FORBIDDEN by default req={ ID:1459131250-627264176#406, TYP:MultiSearchRequest, CGR:N/A, USR:john, BRS:false, KDX:null, ACT:indices:data/read/msearch, OA:10.11.136.187, DA:0.0.0.0, IDX:kibana_sample_data_ecommerce, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=873>, HDR:{content-length=873, x-forwarded-user=john, x-forwarded-proto=http, x-plant=MALE, Connection=close, x-forwarded-port=53497, content-type=application/x-ndjson, Host=10.11.136.187:9200, x-forwarded-for=10.0.192.247}, HIS:[svc-consul->[auth_key->false]], [svc-kibana->[auth_key->false]], [user-admin->[auth_key->false]], [user-plant->[kibana_access->true, headers->true, indices->false, proxy_auth->true]], [user-plant-operator->[headers->false, proxy_auth->true]], [user-plant-maintenance->[headers->false, proxy_auth->true]] }

This works great to get logged in as the correct user, with permissions by group. However, most subsequent requests by Kibana fail because, while proxy_auth is using the session cookie (I assume), the header rule is still looking for the header that was used to authenticate.

The proxy extracted the user and group from the JWT and set x-forwarded-group and x-forwarded-user and passed them along for the login. But in subsequent requests by the Kibana client through the proxy, the JWT is no longer there, and hence the proxy does not have any context to set headers. So the rule then fails, e.g. when trying to use Discover against the index kibana_sample_data_ecommerce.

If the header is removed from the rule, then the access behavior is as expected.

So I guess this is more of a design question. How does one use a proxy to set headers without being stateful? Does this bump me back to needing an extended proxy_auth rule?
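To make the failure in the log above concrete, here is a small simulation of how a headers rule like the one in the post is evaluated against request headers. This is added example code, not ReadonlyREST's own implementation: it assumes the headers rule requires every listed header to be present with a value matching the pattern (`*` as a glob wildcard), that `proxy_auth: '*'` is satisfied by any `x-forwarded-user`, and that `@{header}` placeholders in the filter are replaced with the request's header values. The header set is taken from the FORBIDDEN msearch request in the log; the login-time header set (with `x-forwarded-group`) is constructed.

```python
import fnmatch
import json
import re

# Rule mirroring the user-plant-operator block from the post (constructed copy).
RULE = {
    "name": "user-plant-operator",
    "headers": ["x-forwarded-group:operator", "x-plant:*"],
    "proxy_auth": "*",
    "indices": ["kibana_sample_data_ecommerce"],
    "filter": '{"term": {"customer_gender": "@{x-plant}"}}',
}


def parse_header_patterns(patterns):
    """Split 'name:value' entries into (lower-cased name, value pattern) pairs."""
    pairs = []
    for entry in patterns:
        name, _, value = entry.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def headers_rule_matches(rule, request_headers):
    """Assumed semantics: every listed header must be present and its value must
    match the pattern; '*' is a glob wildcard and header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    for name, pattern in parse_header_patterns(rule["headers"]):
        if name not in lowered:
            return False
        if not fnmatch.fnmatchcase(lowered[name], pattern):
            return False
    return True


def render_filter(rule, request_headers):
    """Substitute @{header-name} placeholders in the filter with request header values."""
    lowered = {k.lower(): v for k, v in request_headers.items()}

    def replace(match):
        name = match.group(1).lower()
        if name not in lowered:
            raise KeyError(f"filter references missing header {name}")
        return lowered[name]

    return json.loads(re.sub(r"@\{([^}]+)\}", replace, rule["filter"]))


def evaluate(rule, request_headers):
    """Return a per-rule result in the spirit of the HIS: field of the ROR log line."""
    names = {k.lower() for k in request_headers}
    result = {
        "headers": headers_rule_matches(rule, request_headers),
        # Assumption: proxy_auth '*' accepts any x-forwarded-user value.
        "proxy_auth": "x-forwarded-user" in names,
    }
    if result["headers"] and result["proxy_auth"]:
        result["filter"] = render_filter(rule, request_headers)
    return result


# Headers copied from the FORBIDDEN msearch request in the log: the proxy set
# x-forwarded-user and x-plant, but no x-forwarded-group on this request.
MSEARCH_HEADERS = {
    "content-length": "873",
    "x-forwarded-user": "john",
    "x-forwarded-proto": "http",
    "x-plant": "MALE",
    "Connection": "close",
    "x-forwarded-port": "53497",
    "content-type": "application/x-ndjson",
    "Host": "10.11.136.187:9200",
    "x-forwarded-for": "10.0.192.247",
}

# Constructed: the same request as it would look at login time, when the proxy
# still had the JWT and could set the group header.
LOGIN_HEADERS = dict(MSEARCH_HEADERS, **{"x-forwarded-group": "operator"})

if __name__ == "__main__":
    print("msearch:", evaluate(RULE, MSEARCH_HEADERS))
    print("login:  ", evaluate(RULE, LOGIN_HEADERS))
```

Run against the logged headers, the result is `headers: False, proxy_auth: True`, which is exactly the `[user-plant-operator->[headers->false, proxy_auth->true]]` entry in the log: `x-plant` is there, but `x-forwarded-group` is missing, so the rule can never match even though the proxy authenticated the user. With the group header present the rule matches and the filter resolves to `{"term": {"customer_gender": "MALE"}}`. The practical consequence is that whatever sits in front of Elasticsearch has to forward those headers on every request, not only on login; for Kibana that is governed by `elasticsearch.requestHeadersWhitelist` in kibana.yml, which the second post identifies as the setting that had not taken effect.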


(Barry Kaplan) #2

Ok… This looks like some user error. I made some tweaks, some restarts, … and now it works. All the headers are getting passed through by Kibana. I had elasticsearch.requestHeadersWhitelist set the same, but maybe (probably) it was not applied to kibana.yml.