ROR Enterprise: 1.70.1
Elasticsearch: 9.4.2
Situation:
Have a lens visualization saved in visualization library.
Add lens visualization to a dashboard.
Have a user in Kibana RO mode.
Get error:
There is an HTTP request:
/s/default/internal/lens/visualizations/84b53bbe-a079-48ca-ac21-b36acf9b46eb
response 403:
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}
In Kibana logs:
Access to uri [/internal/lens/visualizations/84b53bbe-a079-48ca-ac21-b36acf9b46eb] with method [get] is deprecated
And a request for:
GET /internal/lens/visualizations/84b53bbe-a079-48ca-ac21-b36acf9b46eb
Not much interesting in that GET log.
Checking Elasticsearch logs I didn’t find anything.
In the ROR audit logs I see forbiddens for the user to the /_bulk endpoint:
Allow Kibana main RO access: NOT_MATCHED (AUTHZ_FAIL) -> RULES:[groups_any_of->true
kibana_hide_apps->true
kibana_access->false
Based on block:
- name: "Allow Kibana main RO access"
  kibana_access: "ro"
  kibana_hide_apps: ["Analytics|Overview", "Observability", "Security", "readonlyrest_kbn", "Management", "Enterprise Search", "ROR Manage Kibana"]
  groups: ["kibana_main_ro"]
  indices: [".kibana", ".reporting.kibana-*", "aaa_dummy_index"]
If I take the URL and force it in the browser and refresh refresh refresh I keep seeing this entry being blocked.
I tried with the ROR 1.71.0 pre-build, same issue.
For users with rw or admin permissions it does work.
Workaround found:
Unlink visualization from Library.
Then it works.
No urgent fix needed for this as a workaround is available.
