ROR Basic continual logins

As we configured ROR with LDAP and got it running, we realize now that with any navigation in ELK we must log in. So to move from monitoring to dev, I log in. Then to move from dev to discovery I log in, then to move to a different index in Discovery I also log in.

Is there something missing in my configuration? Is there a way to log in to ELK only once and only have access errors as I navigate to places I don’t have access to?

Thank you

Hi @ksondere, please share your YML settings file (minus secrets), otherwise it’s really difficult to help you 🙂

Heh, sorry 🙂 here are the settings:

http.type: ssl_netty4
readonlyrest:
    ssl:
      enable: true
      keystore_file: "/opt/elasticsearch-5.4.1/config/ks.jks"
      keystore_pass: pw
      key_alias: elastickey1
      key_pass: pw

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:pw
      type: allow

    - name: "::KIBANA-SRV::"
      auth_key: kibana:pw
      type: allow
      verbosity: info

    - name: "::ELK-ADMIN::"
      type: allow
      ldap_auth:
         name: "ldap1"
         groups: ["elk-admin"]

    - name: "::ELK-USER::"
      type: allow
      ldap_auth:
         name: "ldap1"
         groups: ["elk-users"]
      indices: ["metricbeat-*","packetbeat-*","winlogbeat-*",".kibana",".kibana-devnull" ]

    ldaps:

    - name: ldap1
      host: "ds.local.company.com"
      port: 389
      ssl_enabled: false
      ssl_trust_all_certs: false
      bind_dn: "cn=sys-elastic,ou=sys_users,ou=users,dc=company,dc=com"
      bind_password: "pw"
      search_user_base_DN: "ou=users,dc=company,dc=com"
      user_id_attribute: "uid"
      search_groups_base_DN: "ou=groups,dc=company,dc=com"
      unique_member_attribute: "uniqueMember"
      connection_pool_size: 10
      connection_timeout_in_sec: 10
      request_timeout_in_sec: 10
      cache_ttl_in_sec: 60

    - name: ldap2
      host: "ds.local.ldap.com"
      port: 636
      search_user_base_DN: "ou=users,dc=company,dc=com"
      search_groups_base_DN: "ou=groups,dc=company,dc=com"

Hi @ksondere, please inspect the elasticsearch logs to see exactly what requests get rejected: you’ll find the “HST” log field useful as it’s a trace of what blocks/rules passed ok and what didn’t.

Hi @sscarduzio and @ksondere, I have a similar issue.
I’m trying ROR basic in order to have multiple Kibana users. I’ve copied/pasted some configuration examples.
I’m playing with a single server test environment (collapsed ELK stack).
When I access Kibana from the browser, I’m asked “just” twice for user credentials.

My ROR config is:

readonlyrest:

    ssl:
      enable: true
      keystore_file: "/etc/elasticsearch/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest

    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      # auth_key is good for testing, but replace it with `auth_key_sha256`!
      auth_key: kibana:kibana
      verbosity: error # don't log successful request

    - name: "::RW DEVELOPER::"
      auth_key: rw:dev
      kibana_access: rw
      indices: [".kibana", ".kibana-devnull", "shakespeare"]

    - name: "::RO DEVELOPER::"
      auth_key: ro:dev
      kibana_access: ro
      indices: [".kibana", ".kibana-devnull", "shakespeare"]

Kibana is configured with ::KIBANA SRV:: credential:

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

When I access Kibana from the browser I’m asked twice for user credentials.

These are the Elasticsearch logs for the first login request:

[2017-10-13T12:15:28,718][INFO ][o.e.p.r.a.ACL            ] FORBIDDEN by default req={ ID:1740919866-127920579#9971, TYP:GetRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:data/read/get, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.5.1, CNT:<N/A>, HDR:Connection,Content-Length,Host, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }
[2017-10-13T12:15:28,857][INFO ][o.e.p.r.a.ACL            ] FORBIDDEN by default req={ ID:469270478-1372077889#9984, TYP:GetRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:data/read/get, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.5.1, CNT:<N/A>, HDR:Connection,Content-Length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }

After first successful login, I’m requested for second authentication:

Elasticsearch logs:

[2017-10-13T12:21:39,922][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:195942657-1078251637#11808, TYP:GetRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/get, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.5.1, CNT:<N/A>, HDR:authorization,Connection,Content-Length,Host, HIS:[::LOGSTASH::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]], [::KIBANA-SRV::->[auth_key->false]] }
[2017-10-13T12:21:41,245][INFO ][o.e.p.r.a.ACL            ] FORBIDDEN by default req={ ID:625695617-1301760087#11810, TYP:SearchRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search?stored_fields=, CNT:<OMITTED, LENGTH=39>, HDR:Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::LOGSTASH::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }

And after second successful login:

[2017-10-13T12:21:45,361][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:746718058-1301760087#11835, TYP:SearchRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search?stored_fields=, CNT:<OMITTED, LENGTH=39>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]] }
[2017-10-13T12:21:45,404][INFO ][o.e.p.r.a.ACL            ] FORBIDDEN by default req={ ID:715144801-960126676#11837, TYP:GetFieldMappingsRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:admin/mappings/fields/get, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/_mapping/*/field/_source, CNT:<N/A>, HDR:Connection,content-length,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::KIBANA-SRV::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-10-13T12:21:45,421][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:49897651-107129350#11838, TYP:GetFieldMappingsRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:admin/mappings/fields/get, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/_mapping/*/field/_source, CNT:<N/A>, HDR:authorization,Connection,content-length,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-10-13T12:21:45,421][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:49897651-1248114176#11839, TYP:GetFieldMappingsIndexRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:admin/mappings/fields/get[index], OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/_mapping/*/field/_source, CNT:<N/A>, HDR:authorization,Connection,content-length,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]], [::KIBANA-SRV::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-10-13T12:21:45,460][INFO ][o.e.p.r.a.ACL            ] FORBIDDEN by default req={ ID:1957507666-2022268324#11841, TYP:MultiGetRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:<OMITTED, LENGTH=75>, HDR:Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::RW DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-10-13T12:21:45,478][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:157960993-1578005720#11842, TYP:MultiGetRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:<OMITTED, LENGTH=75>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::LOGSTASH::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]], [::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-10-13T12:21:45,479][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:157960993-1200412825#11843, TYP:MultiGetShardRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/mget[shard], OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:<OMITTED, LENGTH=75>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]] }
[2017-10-13T12:21:45,998][INFO ][o.e.p.r.a.ACL            ] FORBIDDEN by default req={ ID:424412532-807539838#11845, TYP:MultiSearchRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:data/read/msearch, OA:127.0.0.1, IDX:shakespeare, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=436>, HDR:Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::RO DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-10-13T12:21:46,013][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:728480146-250604187#11846, TYP:MultiSearchRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/msearch, OA:127.0.0.1, IDX:shakespeare, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=436>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::RW DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]] }
[2017-10-13T12:21:46,014][INFO ][o.e.p.r.a.ACL            ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:728480146-1864178784#11847, TYP:SearchRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:shakespeare, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=436>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]] }

Can you tell me what is wrong?
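One way to apply the log-inspection advice to ACL lines like those above, as an added example that is not part of the original thread or ReadonlyREST's own code: it separates denials where the browser sent no `authorization` header from denials where credentials were sent but a rule in the history trace failed. The sample lines are constructed in the format shown above (the third, a denial with credentials present, is an assumed shape), and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the ACL log format shown in this thread.
SAMPLE = """\
[2017-10-13T12:21:41,245][INFO ][o.e.p.r.a.ACL ] FORBIDDEN by default req={ ID:1#1, TYP:SearchRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search, CNT:<OMITTED, LENGTH=39>, HDR:Connection,Host, HIS:[::RO DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2017-10-13T12:21:45,361][INFO ][o.e.p.r.a.ACL ] ALLOWED by '{ block=::RO DEVELOPER::, match=true }' req={ ID:2#2, TYP:SearchRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/index-pattern/_search, CNT:<OMITTED, LENGTH=39>, HDR:authorization,Connection,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[kibana_access->true, indices->true, auth_key->true]] }
[2017-10-13T12:21:46,100][INFO ][o.e.p.r.a.ACL ] FORBIDDEN by default req={ ID:3#3, TYP:SearchRequest, CGR:N/A, USR:ro, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:logstash-2017, MET:POST, PTH:/logstash-2017/_search, CNT:<N/A>, HDR:authorization,Connection,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->true, indices->false]] }
"""

LINE_RE = re.compile(r"\] (FORBIDDEN|ALLOWED) by .*? req=\{ (.*) \}\s*$")
BLOCK_RE = re.compile(r"\[(::.+?::)->\[(.*?)\]\]")

def parse_line(line):
    """Split one ACL log line into its verdict and KEY:value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Field keys are 2-3 capitals followed by ':'; values may contain commas.
    parts = re.split(r", (?=[A-Z]{2,3}:)", m.group(2))
    fields = dict(p.split(":", 1) for p in parts)
    fields["verdict"] = m.group(1)
    return fields

def rule_history(fields):
    """Return {block name: {rule: bool}} from the HIS trace."""
    return {name: {r.split("->")[0]: r.endswith("true") for r in rules.split(", ")}
            for name, rules in BLOCK_RE.findall(fields.get("HIS", ""))}

def classify(fields):
    """Tell a missing-credentials denial apart from a genuine ACL mismatch."""
    if fields["verdict"] == "ALLOWED":
        return "allowed"
    headers = [h.lower() for h in fields.get("HDR", "").split(",")]
    return "denied-acl-mismatch" if "authorization" in headers else "denied-no-credentials"

def near_misses(fields):
    """Blocks where some rules matched but at least one rejected the request."""
    return {name: [r for r, ok in rules.items() if not ok]
            for name, rules in rule_history(fields).items()
            if any(rules.values()) and not all(rules.values())}

def summarize(text):
    parsed = [f for f in map(parse_line, text.splitlines()) if f]
    return Counter(classify(f) for f in parsed), parsed

if __name__ == "__main__":
    counts, parsed = summarize(SAMPLE)
    print(dict(counts), [near_misses(f) for f in parsed if classify(f) == "denied-acl-mismatch"])
```

A log dominated by `denied-no-credentials` entries, each followed by an allowed retry of the same path, points at the client not sending the header rather than at the ACL blocks.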

@CorbMax That’s different, it’s the usual Kibana bug they always promise to fix. See:

Thank you @sscarduzio
Is this Kibana bug also “affecting” the ROR PRO & ENT versions?

No, because in PRO and Enterprise we use a cookie for authentication. Trivia: this annoying bug is what made me write the Kibana plugin in the first place.

We’ve bought pro at this point and don’t see this issue at all. It works nicely.
