RoR Enterprise: URL shortening forbidden

Hi,
RoR 1.31.0
Elasticsearch 7.12.1
Kibana 7.12.1
Also tried with RoR 1.32.0 on Kibana (with 1.31.0 on Elasticsearch, which is more difficult to temporarily upgrade); this also gives forbidden.

A user with RW permissions on Kibana is not allowed to shorten URLs.
I would assume even a user with only RO permission on Kibana is allowed to shorten URLs.

Dummy config:

  access_control_rules:
  - name: "Allow team X read access to all indices"
    kibana_access: rw
    kibana_hide_apps: ["Analytics|Maps", "Analytics|Overview", "Observability", "Security", "readonlyrest_kbn", "Management", "Enterprise Search"]
    groups: ["X"]

  users:
  - username: theusersusersname
    auth_key_sha256: his-sha-hash
    groups: ["X"]

Results in:

[Allow team X read access to all indices-> RULES:[groups->true
 kibana_hide_apps->true
 kibana_access->false] RESOLVED:[user=theusersusersname;group=X;av_groups=X;indices=.kibana_7.12.1]]

The audit event shows it as:

PUT indices:data/write/index IndexRequest /.kibana_7.12.1/_create/url:462a9265e68b04ce59dfb0cc4b428c1b

A user with level unrestricted is allowed to shorten URLs.

Could you please check?
Is my assumption that even a RO Kibana user should be able to shorten URLs correct?
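
Added example, not part of the original post and not ReadonlyREST's own code: a small Python parser for the ACL history and audit lines quoted above, reporting which rule in the block evaluated to false for the denied request. The line format is inferred from this excerpt only, and the function names are hypothetical.

```python
import re

# Log excerpts copied from the post above; the history line is wrapped there.
SAMPLE_HISTORY = (
    "[Allow team X read access to all indices-> RULES:[groups->true\n"
    " kibana_hide_apps->true\n"
    " kibana_access->false] RESOLVED:[user=theusersusersname;group=X;"
    "av_groups=X;indices=.kibana_7.12.1]]"
)
SAMPLE_AUDIT = ("PUT indices:data/write/index IndexRequest "
                "/.kibana_7.12.1/_create/url:462a9265e68b04ce59dfb0cc4b428c1b")

# Assumed shape, inferred from the excerpt: [name-> RULES:[...] RESOLVED:[...]]
BLOCK_RE = re.compile(
    r"\[(?P<name>.+?)->\s*RULES:\[(?P<rules>.*?)\]\s*RESOLVED:\[(?P<res>.*?)\]\]",
    re.DOTALL,
)
RULE_RE = re.compile(r"(\w+)->(true|false)")


def parse_history(text):
    """Return one dict per ACL block: rule results, failed rules, resolved context."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        rules = {k: v == "true" for k, v in RULE_RE.findall(m.group("rules"))}
        pairs = (p.split("=", 1) for p in m.group("res").split(";") if "=" in p)
        blocks.append({"name": m.group("name").strip(), "rules": rules,
                       "failed": [r for r, ok in rules.items() if not ok],
                       "resolved": dict(pairs)})
    return blocks


def parse_audit(line):
    """Split the audit line into HTTP method, ES action, request type and path."""
    method, action, req_type, path = line.split(None, 3)
    return {"method": method, "action": action, "type": req_type, "path": path}


def explain(history, audit):
    """One summary line per block: the request and which rules rejected it."""
    a = parse_audit(audit)
    req = f'{a["method"]} {a["path"]} ({a["action"]})'
    return [f'{req}: block "{b["name"]}" '
            + ("rejected by " + ", ".join(b["failed"]) if b["failed"] else "matched")
            for b in parse_history(history)]


if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_HISTORY, SAMPLE_AUDIT)))
```

For the excerpt in this thread it reports the block as rejected by `kibana_access`, against a `PUT` to the `.kibana_7.12.1` index with action `indices:data/write/index`.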

@ronald.vanboven I’d suggest you try 1.33.0 (released yesterday) as we reworked this part of the code.
It’s OK to experiment with this new Kibana plugin while keeping the older Elasticsearch plugin on this occasion; having looked at the changelog, it should be safe to do so.

Okay, I will try and let you know.

I tested this on 7.14.0 in combination with 1.33.1 and there it works.
For me this case can be closed.

Glad to hear, thanks for bringing this up!