ReadonlyRest 7.9.x+ , indice rule with wildcard and field auto discovery

1

Hello !
ReadonlyRest Enterprise user here (1.33.1) on Elasticstack 7.12.1

I think I’ve spotted a bug in a very peculiar setup :
It requires :

  • An account wich only access to wildcarded pattern indices in RO mode (Maybe It only occurs if indice pattern is provided through oidc assertions; I’ve not tested without though)

      - name: "---- SSO :: R4 ----"
    kibana_access: "ro"
    verbosity: error
    indices: [ "*:@explode{jwt:assertion.logmanagement.kibana.indices}", ".kibana*"]
    kibana_hide_apps: ["readonlyrest_kbn", "Enterprise Search", "Management"]
    ror_kbn_auth:
      name: "keycloak"

  • An index pattern which matches the indice but the index pattern must be wider than the allowed indice in the ACL :
    For example: Index : "remote:very.long.name"
    Index Pattern: "*:*.*.na*"
    ACL: "*:very.long.*"

When trying to access data of this index pattern, several errors appears in kibana (with forbiden message; related to the field list)

As a workaround; I tried to add the following rule :

- name: "---- SSO :: R4 Additionnal rules----"
  verbosity: error
  actions: ["indices:data/read/field_caps","indices:data/read/async_search/submit"]
  ror_kbn_auth:
    name: "keycloak"

But this removes all ACL effects; I’m almost sure it hides something in readonlyrest plugin :wink:

2

With a bit more drill down, it seems there is two issues here :

  1. data/read/field_caps is not allowed by default; (or indice patterns do not work well with them)

  2. ACL that matches indexes but do not start like the index pattern seem to behave strangely

1 Like
3

Hi @pchesneau, nice to hear from you!

About the #1: we need to double check RO users are allowed to those actions.
Abou the #2: we need to add some unit test to our indices rule to try reproduce this. I.e. the user attempts to reach the index my_data and we have a indices rule like: indices: ["*_data"] ? Or maybe you can propose a specific test?

@coutoPL can you review this?

4

For the #2, I just discovered a strange error log in the elasticsearch output. However it contains non publicly discloseable informations.
I’ll send you the log through PM.

5

Hello !

For the #2 It is not related to ReadOnlyRest, but it’s an elasticsearch compatibility issue (Remote clusters are supposed to be leniant about versions, but latest version of kibana requires that even remote clusters to be at least 7.9¨+)
I’ll have to upgrade all my remote clusters.