ReadonlyREST opensource


(yuvak) #1

HI,

My requirement is to

My users are stored in LDAP. I need to provide access to the users based on indices.

  1. user1 - indices1, indices2, indices3 (read only)
  2. user2- indices2 (read/write)
  3. admin - all indices

I do see that LDAP is supported with the open-source product, but I am confused about how to verify my scenario with open source.

Let's say when the user accesses the Kibana URL, it should ask for HTTP credentials; after they provide the user (user1), then from Kibana they should be able to see indices1, indices2 and indices3.

I have seen somewhere that Nginx can be integrated with LDAP… but I'm not sure how to implement it.


(Simone Scarduzio) #2

Hi @yuva,
The only clean way to achieve your requirements is to install ReadonlyREST PRO in Kibana.

You could use Nginx to authenticate users, so you would get rid of the browser’s native credentials dialogue. But you would not have a logout button in the UI.

Also, your read-only users will still see all the save, add and delete buttons, and when they press them, Kibana would crash and they would need a refresh.

But more importantly, Kibana would log users out every now and then due to a long-standing bug.


(yuvak) #3

Thanks for your reply. I would like to test open source first and then I will go for PRO next, and I would like to understand ReadonlyREST PRO in depth. Could you please help me on how to proceed with open source?


(Simone Scarduzio) #4

Yep, I encourage you to do so as well.

You can see some example configuration:


(yuvak) #5

Thank you… let me try and update you.


(yuvak) #6

Hi ,

Is there any way to test PRO without entering credit card details? If you can let me know the PRO files, it will be helpful for doing my testing and getting back to you for further discussion.


(yuvak) #7

Finally downloaded PRO. Thanks.


(yuvak) #8

Hi,

My LDAP authentication is working fine, but authorization is not working. Can you help me and advise what I am doing wrong?

readonlyrest.yml

```yaml
readonlyrest:
  enable: true
  audit_collector: true
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "Access allow from TS groups"
    ldap_authentication: "ldap1"
    ldap_authorization:
      name: "ldap1"
      groups: "ts"
    indices: ['*']
  - name: "::ADMIN::"
    auth_key: admin:dev
    kibana_access: admin
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error
  - name: "Allow cluster main"
    type: allow
    actions: ["cluster:monitor/main"]
  - name: "Allow localhost"
    hosts: [0.0.0.0]
  ldaps:
  - name: ldap1
    host: "***"
    port: 389
    ssl_enabled: false
    bind_dn: "uid=testadmin,cn=users,cn=accounts,dc=**,dc=net,dc=sg"
    bind_password: '*****'
    search_user_base_DN: "cn=users,cn=accounts,dc=**,dc=net,dc=sg"
    user_id_attribute: "uid"
    search_groups_base_DN: "cn=groups,cn=accounts,dc=**,dc=net,dc=sg"
    group_name_attribute: "cn"
    group_search_filter: "(objectClass=group)"
    connection_pool_size: 10                                      # optional, default 30
    connection_timeout_in_sec: 10                                 # optional, default 1
    request_timeout_in_sec: 10                                    # optional, default 1
    cache_ttl_in_sec: 60
```

Logs:-

```text
[2018-07-17T10:10:44,927][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:735085428-742161209#475953, TYP:NodesInfoRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:10.150.12.8, DA:, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=close, Authorization=, content-length=0, Host=:9200}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:10:45,061][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:585353493-3570037#475962, TYP:GetRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:indices:data/read/get, OA:10.150.12.8, DA:, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.3.1, CNT:<N/A>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=keep-alive, Authorization=, Host=:9200, Content-Length=0}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:10:48,060][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:1302515216-1097341713#476052, TYP:SearchRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:indices:data/read/search, OA:10.150.12.8, DA:*, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=keep-alive, Authorization=, content-type=application/json, Host=:9200, Content-Length=80}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]]
```
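An added example, not from the thread or from the ReadonlyREST project: a small Python parser for ACL audit lines in the format shown above. It flags requests that were ALLOWED only by a hosts-only rule after `ldap_authorization` had already failed for the same request, which is exactly what the posted lines show (the `hosts: [0.0.0.0]` rule matching a request from 10.150.12.8). The sample lines are constructed in the same format with placeholder IDs and addresses and without the header fields.

```python
import re

# Constructed sample lines in the format of the ROR ACL log posted above
# (IDs, IPs and headers replaced with placeholders; no real credentials).
SAMPLE_LOG = """\
[2018-07-17T10:10:44,927][INFO ][t.b.r.a.ACL ] ALLOWED by { name: 'Allow localhost', policy: ALLOW} req={ ID:1#1, TYP:NodesInfoRequest, USR:test2(?), OA:10.0.0.8, IDX:<N/A>, ACT:cluster:monitor/nodes/info, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:11:02,100][INFO ][t.b.r.a.ACL ] ALLOWED by { name: 'Access allow from TS groups', policy: ALLOW} req={ ID:2#1, TYP:SearchRequest, USR:test1, OA:10.0.0.9, IDX:indices1, ACT:indices:data/read/search, HIS:[Access allow from TS groups->[ldap_authorization->true, ldap_authentication->true]] }
[2018-07-17T10:11:05,300][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:3#1, TYP:SearchRequest, USR:test3(?), OA:10.0.0.10, IDX:indices2, ACT:indices:data/read/search, HIS:[Access allow from TS groups->[ldap_authentication->false]], [::ADMIN::->[auth_key->false]] }
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[INFO \]\[t\.b\.r\.a\.ACL \] "
    r"(?P<verdict>ALLOWED|FORBIDDEN) by (?P<by>.*?) req=\{(?P<req>.*)$"
)
HIS_RE = re.compile(r"\[([^\[\]>]+)->\[([^\]]*)\]\]")  # [rule->[cond->bool, ...]]


def parse_acl_line(line):
    """Parse one ACL line into verdict, winning rule, request fields and per-rule history."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    name = re.search(r"name: ['‘](.*?)['’]", m.group("by"))  # straight or curly quotes

    def field(key):
        f = re.search(rf"\b{key}:([^,]*)", req)
        return f.group(1).strip() if f else None
    history = {
        rule: {c.split("->")[0]: c.split("->")[1] == "true" for c in conds.split(", ") if "->" in c}
        for rule, conds in HIS_RE.findall(req)
    }
    return {
        "ts": m.group("ts"), "verdict": m.group("verdict"),
        "rule": name.group(1) if name else m.group("by"),
        "user": re.sub(r"\(\?\)$", "", field("USR")), "origin": field("OA"),
        "index": field("IDX"), "action": field("ACT"), "history": history,
    }


def fallback_allows(log_text):
    """Requests ALLOWED only by a hosts-only rule after some rule's ldap_authorization failed."""
    hits = []
    for line in log_text.splitlines():
        e = parse_acl_line(line)
        if not e or e["verdict"] != "ALLOWED":
            continue
        winning = e["history"].get(e["rule"], {})
        authz_failed = any(c.get("ldap_authorization") is False for c in e["history"].values())
        if set(winning) == {"hosts"} and authz_failed:
            hits.append((e["user"], e["origin"], e["action"], e["rule"]))
    return hits
```

Run over the real log, every hit is a user whose group check failed yet who still reached the cluster through the catch-all host rule.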


(yuvak) #9

I fixed the above issues. Now my authorisation is working fine.

Solution:-

I just added `unique_member_attribute: "member"` to the LDAP configuration.

thank you.
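An added illustration (not the project's code) of why the fix in this post worked: a Python model of the two LDAP lookups behind `ldap_authentication` and `ldap_authorization`, using the attribute names from the posted `ldap1` block. The in-memory directory is constructed, with the masked domain components replaced; the assumption that the member attribute defaults to `uniqueMember` when `unique_member_attribute` is not set is mine.

```python
import re

# Constructed in-memory directory modelled on the DNs in the posted config.
BASE = "cn=accounts,dc=example,dc=net"
DIRECTORY = [
    {"dn": f"uid=test1,cn=users,{BASE}", "objectClass": ["person"], "uid": ["test1"]},
    {"dn": f"uid=test2,cn=users,{BASE}", "objectClass": ["person"], "uid": ["test2"]},
    # Groups list their members in "member", as the poster's directory evidently does.
    {"dn": f"cn=ts,cn=groups,{BASE}", "objectClass": ["group"], "cn": ["ts"],
     "member": [f"uid=test1,cn=users,{BASE}"]},
    {"dn": f"cn=ops,cn=groups,{BASE}", "objectClass": ["group"], "cn": ["ops"],
     "member": [f"uid=test2,cn=users,{BASE}"]},
]


def ldap_config(unique_member_attribute):
    """The ldap1 settings from the thread, with the member attribute left to vary
    (assumed default when unset: "uniqueMember")."""
    return {
        "search_user_base_DN": f"cn=users,{BASE}", "user_id_attribute": "uid",
        "search_groups_base_DN": f"cn=groups,{BASE}", "group_name_attribute": "cn",
        "group_search_filter": "(objectClass=group)",
        "unique_member_attribute": unique_member_attribute,
    }


def _matches(entry, simple_filter):
    """Evaluate a one-term (attr=value) equality filter, the only form used on the page."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", simple_filter).groups()
    return value in entry.get(attr, [])


def find_user_dn(cfg, uid, directory=DIRECTORY):
    """Authentication side: resolve the login name to a DN under the user base."""
    for e in directory:
        if e["dn"].endswith("," + cfg["search_user_base_DN"]) and uid in e.get(cfg["user_id_attribute"], []):
            return e["dn"]
    return None


def user_groups(cfg, uid, directory=DIRECTORY):
    """Authorization side: groups under the group base passing the filter that list the user's DN."""
    dn = find_user_dn(cfg, uid, directory)
    if dn is None:
        return []
    return [g[cfg["group_name_attribute"]][0] for g in directory
            if g["dn"].endswith("," + cfg["search_groups_base_DN"])
            and _matches(g, cfg["group_search_filter"])
            and dn in g.get(cfg["unique_member_attribute"], [])]


def ldap_authorization(cfg, rule_groups, uid, directory=DIRECTORY):
    """True iff the user is in at least one of the groups named by the ACL rule."""
    return bool(set(user_groups(cfg, uid, directory)) & set(rule_groups))
```

With the wrong member attribute the user authenticates but resolves to no groups, which is the `ldap_authorization->false` seen in the log; with `member` the `ts` group is found and the rule matches.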


(Simone Scarduzio) #10

Great job @yuva :slight_smile:
Curiosity: where did you encounter the solution? Forum or documentation?


(yuvak) #11

Forum. Thank you. Your product is awesome.

FYI:-