Readonlyrest audit and hiding kibana:management and readonlyrest_kbn

Hello all,

Recently we purchased the license, so I’m playing with it I discover few things:

  1. When i allow readonlyrest audit, my cluster will fail completly, when i check the indices the audit index is red, when i delete it manually it will be recreated with red status again, only solution is to remove audit feature and delete the index afterwards with

audit_collector: false

My cluster is in green state, but if i add this audit log, it will be red, dont understand why.

  1. When i try to hide the kibana:management in the config the button is still visible for all users.

the setting is the same as others, i was able to hide other apps but the kibana:management is still in place even if i use it in config.

Can you somehow help ?

Hi @Sinedko, this behaviour of audit collector is definitely not supposed to happen.
Can you share your elasticsearch.yml? How many nodes do you have?

What version of ROR Kibana do you use? If you ROR the ror logo in Kibana top right corner, you will have the version string. Can you paste it here?

In order to understand what’s wrong with the hide apps, it will be useful to see the readonlyrest.yml to understand what ACL blocks you have declared, and also to observe elasticsearch.log during the Kibana login, to see if the block with kibana_hide_apps is being matched correctly for such user.

Hello,

The version is: Enterprise 1.26.1_es7.7.1

I have 6 nodes, 1client, 4 data and 1 master node.

I hard to share my configs, but i dont think there is any issue, because other apps are hidden correctly, only the management is not hidden, i have like 50+ acls blocks, and in every except one im hidding the management page, but every user can see it.

But something like this (… meaning there lots of more and all of them works, but the management not):

readonlyrest:
  access_control_rules:
    - name: Test user
      type: allow
      kibana_hide_apps: ["kibana:management", "logs" ...]
      indices: ["*"]
      actions: ["*"] 

Where in the log its ? its some kind of header ?

For that audit thingy, im using the SSL and aswell internode ssl and i force loading readonlyrest config from file, nothing more special there.

Cluster is working fine, is in green state, but after audit_collector: true, it jump to red, kibana stop working, lots of crazy logs that they cannot read readonlyrest_audit index, then i need to stop everything remove audit_collector config, delete the audit index manually with CURL call and then everything will start to work.

Hi @Sinedko, please avoid using actions rule for a kibana user account. It only messes up things as soon as you change “*” with anything else. If needed, please move to the “kibana_access” rule instead, which better encompasses the kibana user privileges (rw, ro, etc).

  • tail -f the “elasticsearch.log” file (its location depends on your installation).
  • Go to Kibana and login as the user that cannot hide the management app
  • Back to elasticsearch.log, find the log line that contains “PTH:/_readonlyrest/metadata/current_user” and paste it here.

About audit logs:

Need the crazy log. Take a pic if you can’t paste it.

Ok so,

There is my access block that was resolved as ALLOWED (as you can see there is kibana:management):
Aswell the readonlyrest_kbn is not hidden

 - name: "Proxy - dna - Kibana"
  type: allow
  uri_re: ["^/dna.*","^/.kibana.*","^/_mapping","^/_aliases","^/_template","^/_cat.*","^/_count.*","^/_search/scroll","^/_msearch", "^/_mget", "^/_readonlyrest"]
  headers: ["XXXX:XXXXX"]
  proxy_auth:
    proxy_auth_config: "proxy1"
    users: ["*"]
  ldap_authorization:
    name: "ldap1"
    groups: ["CHR-GP-SV-INL-D-ElasticserviceDna-Dev", "CHR-GP-SV-DNA-P-USER-Dev", "CHR-GP-SV-DNA-P-ADMIN-Dev"]
  indices: [".kibana*"]
  kibana_hide_apps: [ "timelion","logs","metrics","canvas","maps", "code", "ml", "infra:home", "infra:logs", "apm", "uptime", "siem", "graph", "monitoring", "kibana:management", "readonlyrest_kbn" ]
  actions: ["indices:data/read/*","indices:data/write/*", "indices:admin/mappings/get", "indices:admin/template/get", "indices:admin/get", "cluster:monitor/state", "indices:admin/aliases/get", "indices:data/read/mget", "cluster:ror/user_metadata/get"]

There is log in that regards, i trimmed the logs because otherwise it will be too big, because of too many ACL blocks we have:

[2021-02-16T15:10:09,347][INFO ][tech.beshu.ror.accesscontrol.logging.AccessControlLoggingDecorator] [elasticsearch-client-01] e[36mALLOWED by { name: 'Proxy - dna - Kibana', policy: ALLOW, rules: [proxy_auth,ldap_authorization,uri_re,headers_and,actions,indices,kibana_hide_apps] req={  ID:1491628833-148778721#10272,  TYP:RRUserMetadataRequest,  CGR:CHR-GP-SV-INL-D-ElasticserviceDna-Dev,  USR:XXXX,  BRS:false,  KDX:null,  ACT:cluster:ror/user_metadata/get,  OA:XXXX,  XFF:null,  DA:XXXX,  IDX:<N/A>,  MET:GET,  PTH:/_readonlyrest/metadata/current_user,  CNT:<N/A>,  HDR:Authorization=<OMITTED>, Connection=keep-alive, Content-Length=0, Host=dev-ire-elasticsearch.swissre.com:9200, x-auth-key=<OMITTED>, x-forwarded-user=XXXX, x-ror-current-group=CHR-GP-SV-INL-D-ElasticserviceDna-Dev, x-ror-kibana-request-method=get, x-ror-kibana-request-path=/switch-group,  HIS:[... [Proxy - dna - Kibana-> RULES:[proxy_auth->true, ldap_authorization->true, uri_re->true, headers_and->true, actions->true, indices->true, kibana_hide_apps->true] RESOLVED:[user=XXXX;group=CHR-GP-SV-INL-D-ElasticserviceDna-Dev;av_groups=CHR-GP-SV-INL-D-ElasticserviceTreatyPC-Dev,CHR-GP-SV-DNA-P-USER-Dev,CHR-GP-SV-INL-D-ElasticserviceDna-Dev,CHR-GP-SV-INL-D-ElasticserviceTreatyLH-Dev,CHR-GP-SV-INL-D-ElasticserviceTreaty-Dev,CHR-GP-SV-INL-D-Elasticservice-Dev,CHR-GP-SV-INL-D-ElasticserviceBmpf-Dev]] ...  }e[0m

And there is crazy logs when i enabled audit till i deleted the index manually:

2021.02.15 13:47:13.903 - 
[2021-02-15T14:47:09,572][INFO ][o.e.c.m.MetaDataDeleteIndexService] [elasticsearch-master-01] [readonlyrest_audit-2021-02-15/x9THhGLrQFGAzB6D4PC9DA] deleting index
2021.02.15 13:46:13.831 - 
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at java.lang.Thread.run(Thread.java:834) [?:?]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:615) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:578) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.831 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) [netty-handler-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.client.support.AbstractClient.get(AbstractClient.java:497) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:83) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:64) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:129) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23) [scala-library-2.12.10.jar:?]
2021.02.15 13:46:13.830 - 
	at monix.eval.Task.runAsync(Task.scala:659) [monix-eval_2.12-3.0.0.jar:3.0.0]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.commitResult(RegularRequestHandler.scala:64) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:54) [transport-netty4-client-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:329) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:236) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:115) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:399) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:151) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.IndexLevelActionFilter.apply(IndexLevelActionFilter.scala:82) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at java.security.AccessController.doPrivileged(Native Method) [?:?]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.IndexLevelActionFilter.$anonfun$apply$1(IndexLevelActionFilter.scala:101) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at monix.eval.Task$Map.apply(Task.scala:4510) [monix-eval_2.12-3.0.0.jar:3.0.0]
2021.02.15 13:46:13.830 - 
	at monix.eval.Task$Map.apply(Task.scala:4514) [monix-eval_2.12-3.0.0.jar:3.0.0]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.$anonfun$handle$1$adapted(RegularRequestHandler.scala:54) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.$anonfun$handle$2(RegularRequestHandler.scala:56) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:29) [transport-netty4-client-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.ReadonlyRestPlugin.$anonfun$getRestHandlerWrapper$2(ReadonlyRestPlugin.scala:219) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:72) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.IndexLevelActionFilter.handleRequest(IndexLevelActionFilter.scala:127) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.$anonfun$handle$1(RegularRequestHandler.scala:55) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.utils.ScalaOps$AutoCloseableOps$.bracket$extension(ScalaOps.scala:155) [core-1.26.1.jar:?]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.$anonfun$handle$2$adapted(RegularRequestHandler.scala:55) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1533) [netty-handler-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296) [netty-codec-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:58) [transport-netty4-client-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:318) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.utils.AccessControllerHelper$$anon$1.run(AccessControllerHelper.scala:25) [core-1.26.1.jar:?]
2021.02.15 13:46:13.830 - 
	at monix.eval.Task.runAsyncOpt(Task.scala:709) [monix-eval_2.12-3.0.0.jar:3.0.0]
2021.02.15 13:46:13.830 - 
	at monix.eval.Task.runAsyncOptF(Task.scala:811) [monix-eval_2.12-3.0.0.jar:3.0.0]
2021.02.15 13:46:13.830 - 
	at monix.eval.internal.TaskRunLoop$.startLight(TaskRunLoop.scala:331) [monix-eval_2.12-3.0.0.jar:3.0.0]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1329) [netty-handler-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1282) [netty-handler-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99) [netty-transport-4.1.53.Final.jar:4.1.53.Final]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:308) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:383) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at org.elasticsearch.rest.action.document.RestGetAction.lambda$prepareRequest$0(RestGetAction.java:98) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.830 - 
	at tech.beshu.ror.utils.AccessControllerHelper$.doPrivileged(AccessControllerHelper.scala:24) [core-1.26.1.jar:?]
2021.02.15 13:46:13.830 - 
	at scala.util.Try$.apply(Try.scala:213) [scala-library-2.12.10.jar:?]
2021.02.15 13:46:13.829 - 
	at org.elasticsearch.action.support.single.shard.TransportSingleShardAction.doExecute(TransportSingleShardAction.java:62) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.829 - 
	at org.elasticsearch.action.support.single.shard.TransportSingleShardAction$AsyncSingleAction.start(TransportSingleShardAction.java:201) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.829 - 
	at org.elasticsearch.action.support.single.shard.TransportSingleShardAction$AsyncSingleAction.perform(TransportSingleShardAction.java:224) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.829 - 
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:153) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.829 - 
	at org.elasticsearch.action.support.single.shard.TransportSingleShardAction.doExecute(TransportSingleShardAction.java:103) [elasticsearch-7.7.1.jar:7.7.1]
2021.02.15 13:46:13.829 - 
org.elasticsearch.action.NoShardAvailableActionException: No shard available for [get [.kibana][_doc][space:default]: routing [null]]
2021.02.15 13:46:13.829 - 
	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23) [scala-library-2.12.10.jar:?]
2021.02.15 13:46:13.829 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.$anonfun$commitResult$1(RegularRequestHandler.scala:66) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.829 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.proceed(RegularRequestHandler.scala:195) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:13.829 - 
[2021-02-15T14:46:12,436][WARN ][r.suppressed             ] [elasticsearch-client-01] path: /.kibana/_doc/space%3Adefault, params: {index=.kibana, id=space:default}
2021.02.15 13:46:13.829 - 
	at tech.beshu.ror.es.request.handler.RegularRequestHandler.onAllow(RegularRequestHandler.scala:102) [readonlyrest-1.26.1_es7.7.1.jar:?]
2021.02.15 13:46:12.273 - 
[2021-02-15T14:46:10,951][INFO ][t.b.r.b.RorInstance      ] [elasticsearch-data-04] ReadonlyREST core was loaded ...

Hello @sscarduzio do we have any update ? :slight_smile:

@coutoPL WDYT about the audit log stack trace?

@Sinedko can you check if when you click on management app, you can actually see the management links? I suspect it can be due to a feature we introduced in the previous build

at a first glance it doesn’t tell me much.

@Sinedko could you please enable debug logs, reproduce the issue and send a whole log (from ROR start to the end of your test)

Hello,

Yes, user can click on them and see the correct link there, it look like that as the config is not there but its there about the hide, they can see link and click aswell on the setting pages, but it cannot load, because they dont have any rules to do that, so this is correct, but it should be hidden aswell.

On idea come to my mind, i have cluster with data nodes, only on that node the indices can be stored, can it be that the data nodes started little bit later than client and kibana node ? Then it cannot store the readonly index anywhere, is there any check on kibana app that will ensure all nodes are green and loaded ? Just guessing this.

@coutoPL i will try to download them, but its little bit complicated in our side.

Hello,

Unfortunately, i cannot break our environment now, so i cannot change debug logs or turn on on audit for testing.

Can we resolve atleast the kibana hide apps thing ?

If I cannot touch a running system, I’d copy-paste the ACL in my laptop and make it reproduce the issue locally for testing. Can you do that? Or can you (privately?) send us your ACL (minus the secrets).

But the issue with hide apps is still there and i can reproduce it everytime can you atleast look on that issue ? Then we can look into the audit thing.

I already shared acl block.

I think I reproduced the issue. As a user with hidden kibana:management app, I still can see the link in the sidebar.

When I click it, I can navigate to management, but its submenu is empty:

This empty page is a side effect of allowing navigation to management in order to visualize the reporting page, which is reachable through ROR menu:

I think the bug here is simply that the management link in the sidebar is still visible. Will tweak and send you a build.

Thank you!

Have a look on readonlyrest_kbn too, this is aswell visible when hidden.

Ok I found the issue. Try to add also “kibana:stack_management” to the hidden_apps rule. It should hide it.

This bug arised when Kibana changed the app ID from “kibana:management” to “kibana:stack_management”.

I will update ROR to take this into account. Just use both kibana:management and kibana:stack_management in the meantime.

To be clear:

  • ROR <= 1.27.1 use:
    kibana_hide_apps: ["kibana:management","kibana:stack_management"]

  • ROR > 1.27.1 and older, use:
    kibana_hide_apps: ["kibana:stack_management"]

Documentation is updated too.

1 Like

I don’t understand this: we don’t have a readonlyrest app link in the sidebar anymore… Or are you using a super old version of Kibana? Aren’t you on 7.7.1?

Hello,

I though with the kibana_app option you can hide the button about setting page.

Screen Shot 2021-03-04 at 08.50.05

I will try to test the stack_management, but currently im overwhelmed by other things, i will get back to you.

This works, thanks! we are using 1.26.1 so i needed to add the stack_management aswell

1 Like

The button disappears automatically if the user has “kibana_access” rule with value rw, ro, ro_strict.
The same button will show automatically if “kibana_access” is absent, or has values: admin, or unrestricted.


An extra button “Go to reporting” will automatically appear if the user has “kibana:stack_management” (or kibana:management, in ROR < 1.26.2) within “kibana_hidden_apps” rule array of values.

This is because in Kibana (for a questionable design choice) the list of CSV reports is only accessible as a sub-page of stack management.

Hmmm, that a pitty, i though if i use the hide thing, i can hide the settings button, because we dont use the kibana_access at all, so i cannot hide this button to the users. Maybe new feature ? :smiley:

1 Like