Hi,
My LDAP authentication is working fine, but authorization is not working. Can you advise me on what I am doing wrong?
readonlyrest.yml
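# ReadonlyREST settings (readonlyrest.yml). Nesting restored: the pasted copy
# had lost its indentation, and in YAML the indentation is what attaches each
# rule to its ACL block and each LDAP setting to its connector.
readonlyrest:
  enable: true
  audit_collector: true
  prompt_for_basic_auth: false

  # Blocks are tried top to bottom; the first block whose rules all match
  # decides the request (see the HIS:[...] trail in the posted log lines).
  access_control_rules:

    # LDAP users must authenticate AND be a member of group "ts".
    - name: "Access allow from TS groups"
      ldap_authentication: "ldap1"
      ldap_authorization:
        name: "ldap1"
        groups: ["ts"]
      indices: ['*']

    # NOTE(review): auth_key keeps the credential in clear text in this file,
    # and admin:dev is trivially guessable. ReadonlyREST also accepts hashed
    # variants (e.g. auth_key_sha256); use a strong secret either way.
    - name: "::ADMIN::"
      auth_key: "admin:dev"
      kibana_access: admin

    # NOTE(review): same concern as above for kibana:kibana.
    - name: "::KIBANA-SRV::"
      auth_key: "kibana:kibana"
      verbosity: error

    - name: "Allow cluster main"
      type: allow
      actions: ["cluster:monitor/main"]

    # Was `hosts: [0.0.0.0]`. In the posted log that value matched requests
    # originating from 10.150.12.8 (hosts->true), so every request that failed
    # ldap_authorization in the first block was still ALLOWED here. That is why
    # authorization appeared to have no effect. Restricted to loopback to match
    # the block's name; requests that match no block are then rejected.
    - name: "Allow localhost"
      hosts: ["127.0.0.1"]

  ldaps:
    - name: ldap1
      host: "***"
      # NOTE(review): port 389 with ssl_enabled: false sends the bind password
      # and every user's password to the directory unencrypted. Prefer
      # ssl_enabled: true against the server's LDAPS port where available.
      port: 389
      ssl_enabled: false
      bind_dn: "uid=testadmin,cn=users,cn=accounts,dc=**,dc=net,dc=sg"
      # Redacted placeholder; the closing quote was missing in the pasted copy.
      bind_password: '*****'
      search_user_base_DN: "cn=users,cn=accounts,dc=**,dc=net,dc=sg"
      user_id_attribute: "uid"
      search_groups_base_DN: "cn=groups,cn=accounts,dc=**,dc=net,dc=sg"
      group_name_attribute: "cn"
      # NOTE(review): ldap_authorization->false in the log means the group
      # lookup returned no "ts" membership for the user. Confirm against the
      # directory that group entries really carry objectClass=group, and that
      # membership is stored in the attribute ReadonlyREST searches
      # (unique_member_attribute, default "uniqueMember"). The
      # cn=accounts layout suggests a directory that may use a different
      # object class and a "member" attribute, to be verified with ldapsearch.
      group_search_filter: "(objectClass=group)"
      connection_pool_size: 10  # optional, default 30
      connection_timeout_in_sec: 10  # optional, default 1
      request_timeout_in_sec: 10  # optional, default 1
      cache_ttl_in_sec: 60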
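Logs (the `authorization=Basic …` header values below are base64-encoded `user:password` pairs, not hashes; they should be redacted before posting and the exposed password changed):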
[2018-07-17T10:10:44,927][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:735085428-742161209#475953, TYP:NodesInfoRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:10.150.12.8, DA:, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=close, Authorization=, content-length=0, Host=:9200}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:10:45,061][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:585353493-3570037#475962, TYP:GetRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:indices:data/read/get, OA:10.150.12.8, DA:, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.3.1, CNT:<N/A>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=keep-alive, Authorization=, Host=:9200, Content-Length=0}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:10:48,060][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:1302515216-1097341713#476052, TYP:SearchRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:indices:data/read/search, OA:10.150.12.8, DA:*, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=keep-alive, Authorization=, content-type=application/json, Host=:9200, Content-Length=80}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]]