ReadonlyREST opensource

yuva · July 16, 2018, 2:01pm

HI,

My requirement is to

my users are stored in ldap. i need to provide access to the users based on indices.

user1 - indices1, indices2, indices3 (read only)
user2- indices2 (read/write)
admin - all indices

i do see the ldap is supported with opensource product , but i confuse how to verify my scenario with opensource. ?

Lets say when the user access the kibana url, it should ask for http credential, after it provide the user(user1), then from the kibana he should able to see indices1, indices2 and indices3.

i have seen somewhere to integrate nginx with ldap… but not sure how to implement it

sscarduzio · July 16, 2018, 2:13pm

Hi @yuva,
The only clean way to do achieve your requirements is to install ReadonlyREST PRO in Kibana.

You could use Nginx to authenticate users, so you would get rid of the browser’s native credentials dialogue. But you would not have a logout button in the UI.

Also, your read only users will still see all the save, add, delete buttons and when they press them, kibana would crash and they would need a refresh.

But more importantly, Kibana would log users out every now and then due to a long standing bug.

yuva · July 16, 2018, 3:20pm

thanks for your reply. i would like to test opensource first and then i will go for PRO next and i would like to understand restpro in depth. Could u please help me on how to proceed with opensource?

sscarduzio · July 16, 2018, 3:54pm

Yep, I encourage you to do so as well.

You can see some example configuration:

how to set up ReadonlyREST Free for Elasticsearch for authenticated Kibana (with the drawbacks I mentioned)
how to set up encrypted and authenticated logstash data ingestion.

yuva · July 17, 2018, 2:17am

thank you… let me try and update you.

yuva · July 17, 2018, 2:29am

Hi ,

is there any way to test the PRO with out mention the credit card details ? If you can let me know the PRO files , it will be helpful for doing my testing and get back to you for further discussion.

yuva · July 17, 2018, 6:21am

Finally downloaded PRO. thanks

yuva · July 17, 2018, 10:20am

Hi,

My ldap authentication is working fine. But authorization is not working. can you help me to advice , what am i doing wrong?

readonlyrest.yml

readonlyrest:
  enable: true
  audit_collector: true
  prompt_for_basic_auth: false
  access_control_rules:
  - name: "Access allow from TS groups"
    ldap_authentication: "ldap1"
    ldap_authorization:
      name: "ldap1"
      groups: "ts"
    indices: ['*']
  - name: "::ADMIN::"
    auth_key: admin:dev
    kibana_access: admin
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error
  - name: "Allow cluster main"
    type: allow
    actions: ["cluster:monitor/main"]
  - name: "Allow localhost"
    hosts: [0.0.0.0]
  ldaps:
  - name: ldap1
    host: "***"
    port: 389    
    ssl_enabled: false                                                 
    bind_dn: "uid=testadmin,cn=users,cn=accounts,dc=**,dc=net,dc=sg"                         
    bind_password: '*****                                     
    search_user_base_DN: "cn=users,cn=accounts,dc=**,dc=net,dc=sg"
    user_id_attribute: "uid" 
    search_groups_base_DN: "cn=groups,cn=accounts,dc=**,dc=net,dc=sg"
    group_name_attribute: "cn"
    group_search_filter: "(objectClass=group)"
    connection_pool_size: 10                                      # optional, default 30
    connection_timeout_in_sec: 10                                 # optional, default 1
    request_timeout_in_sec: 10                                    # optional, default 1
    cache_ttl_in_sec: 60

Logs:-

[2018-07-17T10:10:44,927][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:735085428-742161209#475953, TYP:NodesInfoRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:10.150.12.8, DA:, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=close, Authorization=, content-length=0, Host=:9200}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:10:45,061][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:585353493-3570037#475962, TYP:GetRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:indices:data/read/get, OA:10.150.12.8, DA:, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.3.1, CNT:<N/A>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=keep-alive, Authorization=, Host=:9200, Content-Length=0}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]] }
[2018-07-17T10:10:48,060][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘Allow localhost’, policy: ALLOW} req={ ID:1302515216-1097341713#476052, TYP:SearchRequest, CGR:N/A, USR:test2(?), BRS:false, KDX:null, ACT:indices:data/read/search, OA:10.150.12.8, DA:*, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=10000&from=0, CNT:<OMITTED, LENGTH=80>, HDR:{authorization=Basic dGVzdDI6UEBzc3cwcmQwOTg=, Connection=keep-alive, Authorization=, content-type=application/json, Host=:9200, Content-Length=80}, HIS:[Access allow from TS groups->[ldap_authorization->false, ldap_authentication->true]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Allow cluster main->[actions->false]], [Allow localhost->[hosts->true]]

yuva · July 17, 2018, 11:13am

i fixed the above issues. Now my authorisation is working fine.

Solution:-

I just added this “unique_member_attribute: “member”” in ldap configuration.

thank you.

sscarduzio · July 17, 2018, 12:47pm

Great job @yuva
Curiosity: where did you encounter the solution? Forum or documentation?

yuva · July 17, 2018, 2:31pm

Forum. thanks you. your product is awesome

FYI:-