Saved object is missing

Hi,

I have implemented LDAP authentication using the ROR file. When I try to apply filters to an index, it starts giving me an error: Saved object is missing or unable to load dashboard id.
If I do not apply the filter, it works fine.

Below is my readonlyrest.yml file

readonlyrest:

    access_control_rules:

    #####################################################################################
    # These credentials have no limitations, and shall be used for custom logstash config
    #####################################################################################
    - name: "Require HTTP Basic Auth"
      type: allow
      auth_key: kibana:kibana
      verbosity: error 

    # MACHINES ##################
    - name: "::Kafka::"
      auth_key: kafka:kafka123

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

#    - name: "::KIBANA-SRV::"
#      auth_key: kibana:kibana
#      verbosity: error


    # GROUPS ####################

    - name: "::PERSONAL_GRP::"
      groups: ["Personal"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: "[email protected]{user}"

    - name: "::ADMIN_GRP::"
      groups: ["ROR (admin)"]
      kibana_access: admin

    - name: "::Infosec::"
      groups: ["Infosec"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_infosec"



      #####################################################################################
      # start of LDAP USERS BLOCK
      #####################################################################################

    
      

      #####################################################################################
      # END of LDAP USERS BLOCK
      #####################################################################################

    # Early intercept testuser's read requests to sodadocs* and apply the filter
    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["[email protected]"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'
    
    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana","account_*"]
      kibana_hide_apps: ["readonlyrest_kbn"] 

    


    - name: "LDAP_B3"
      users: ["[email protected]"]
      kibana_access: ro
      ############################################USER 2######################################
    
    
      #####################################################################################
      # END of LDAP USERS BLOCK
      #####################################################################################

    # USERS TO GROUPS ############
    users:
    - username: admin
      auth_key: admin:dev
      groups: ["ROR (admin)", "Infosec"]

    - username: simone
      auth_key: simone:dev
      groups: ["ROR (admin)", "Personal", "Infosec"]
      

     
    ldaps:
    
    - name: ldap1
      #host: "ldap.forumsys.com"
      #port: 389                                                     # optional, default 389
      host: "abc.com"
      port: 389
      ssl_enabled: false                                            # optional, default true
      ssl_trust_all_certs: true                                     # optional, default false
      user_id_attribute: "mail"                                    
      #group_name_attribute: "cn"                        
      search_user_base_DN: "ou=abc,o=abc.com"
      search_groups_base_DN: "ou=memberlist,ou=groups,o=abc.com"
      user_search_filter: "(&(mail=*)(objectclass=person))"
      #group_search_filter: "(&(cn=*)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
      unique_member_attribute: "uniqueMember"                       # optional, default "uniqueMember"
      connection_pool_size: 10                                      # optional, default 30
      connection_timeout_in_sec: 10                                 # optional, default 1
      request_timeout_in_sec: 10                                    # optional, default 1
      cache_ttl_in_sec: 60                                          # optional, default 0 - cache disabled

Please take care of formatting your yaml using the </> button in the forum’s editor. Now it’s unreadable.

I want to apply the user_id filter to the LDAP block, but it's not working. If I change the order of blocks, moving the filter block first, then it starts giving the error: dashboard missing or saved object not found.

I am successfully able to log in via LDAP, but DLS is not working for me.

I am successfully able to log in via LDAP. This is the error I am getting in Kibana.

[error][readonlyrest_kbn:onPreResponse] got an error [404] Not Found for path /k/plugins/readonlyrest_kbn/css/armata_montserrat_font.css
log [12:29:32.167] [error][readonlyrest_kbn:onPreResponse] index not found, will return the useful error.
log [12:29:40.021] [info][readonlyrest_kbn:extractIdentity] asked for group undefined
log [12:29:41.510] [info][readonlyrest_kbn:enrichFromEs] received identity payload: {"x-ror-username":"[email protected]","x-ror-kibana-hidden-apps":["kibana:dev_tools","kibana:management","readonlyrest_kbn","timelion"],"x-ror-kibana_access":"ro"}

@usmanniazi85 look at this fragment:

    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["[email protected]"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'
    
    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana","account_*"]
      kibana_hide_apps: ["readonlyrest_kbn"] 

Remember the ACL blocks are evaluated from top to bottom, one by one.

LDAP_B2 block has no indices rule, so this block will match and the filter will be applied even when the user “[email protected]” reads from “.kibana” index. This is why the savedObjects API - which writes and reads documents from “.kibana” - fails.

Make sure the LDAP_B2 has an indices rule, to limit the filter application to data indices exclusively (i.e. “account_*”), leaving the access to “.kibana” unfiltered.

Hi, I have added the index to block B2 as you suggested, but now I start getting the below error when I click on the dashboard.

Saved object is missing

Could not locate that dashboard (id: 70ac8490-4bf0-11ea-a35b-1dc91ca13ca9)

      - name: "LDAP_B2"
        ldap_authentication: ldap1
        users: ["[email protected]"]
        indices: ["account_*"]
        filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'

        - name: "LDAP_B1"
          ldap_authentication: ldap1
          kibana_access: ro
          indices: [".kibana","account_*"]
          kibana_hide_apps: ["readonlyrest_kbn"]

        - name: "LDAP_B3"
          users: ["[email protected]"]
          kibana_access: ro

This is what I am getting in the ES log as info:

][t.b.r.b.Ror$ ] [esnode] Loading ReadonlyREST settings from index failed: index content malformed
[2020-05-26T14:58:53,835][INFO ][t.b.r.b.Ror$ ] [esnode] Loading ReadonlyREST settings from file: /Users/usmanniazi/Downloads/elasticsearch-7.7.0/config/readonlyrest.yml

You clearly have indentation issues: LDAP_B2 and LDAP_B1 are on two different indentation levels.

    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["[email protected]"]
      indices: ["ilm_data"]
    #  kibana_index: "[email protected]{user}"
    #  actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'

    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: rw
    #  indices: [".kibana","account_*"]
    #  kibana_index: "[email protected]{user}"
      kibana_hide_apps: ["readonlyrest_kbn"]

    - name: "LDAP_B3"
      users: ["[email protected]"]
      kibana_access: rw

Hi,
There is no indentation issue actually; it occurs when I paste code here. The only problem I am facing is that when I apply a filter to documents, it won't work in Kibana for DLS.

This issue has been fixed in the newest pre-release. And we also have a brand new filter rule that does not require you to install ROR in all the Elasticsearch nodes in your cluster, but only the ones you connect Kibana to.

https://readonlyrest-data.s3.eu-west-1.amazonaws.com/build/1.20.0-pre4/readonlyrest-1.20.0-pre4_es7.7.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ%2F20200528%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20200528T135421Z&X-Amz-Expires=604800&X-Amz-Signature=a5b868d4f3ee41fbac7737c682394dc855abf491b792f382f23388138e5607f1&X-Amz-SignedHeaders=host

Hi,
Getting this error when I try to log in with an LDAP authenticated user.

[error][readonlyrest_kbn:onPreResponse] index not found, will return the useful error.

If I remove the filter from the block shared in the thread, it works fine; when I apply the filter to the index, it is not working for DLS.

Is this happening while using the latest plugin that I linked to you?
Also, please have a look at elasticsearch logs, try to find any errors, and the “ALLOWED” log line with the same timestamp corresponding to when you see “index not found, will return the useful error”.

Also, can you please attach the full sanitized YAML file? I mean as an attachment.

readonlyrest.yml.zip (1.8 KB)

Hi, this is my YML file. Yes, I have used the latest plugin I shared. Not working for me.

What I have done: I downloaded an older version of ELK plus the ROR plugin, and it started working with the same YML I shared with you.
Maybe I am missing some settings with the new versions.

OK, see this fragment:

    - name: "LDAP_credentials_V1_for_soda_user11"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"] 

    - name: "LDAP_credentials_V2_for_soda_user11"
      ldap_authentication: ldap1
      users: ["[email protected]"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( 102 )"}}'
 

The extra block that contains the filter rule needs to be BEFORE the regular one. As I said, the ACL is evaluated top to bottom, so the incoming search requests find first the filtered block, and all other requests will be matched by the regular block, right after the filter one.

I found the same mistake also in the other user’s block…

    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"] 

    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["[email protected]"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( 1046 )"}}'

In both cases, the two blocks need to be inverted. First the filtered one, then the regular.
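
The ordering advice in this thread, as an added example that is not part of any post and is not ReadonlyREST code: a simplified first-match model of top-to-bottom ACL evaluation, showing which block serves a `.kibana` read and a data read under three block orderings. It assumes LDAP authentication has already succeeded, that a block matches when every rule it declares matches, and uses a constructed placeholder user and the hypothetical helpers `evaluate` and `summarize`.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption): blocks are tried top to bottom, the first
# block whose declared rules all match wins, and an absent rule places no
# restriction on the request.
def evaluate(acl, user, index):
    """Return (block name, filter or None) for the first matching block."""
    for block in acl:
        users = block.get("users")
        if users is not None and user not in users:
            continue
        patterns = block.get("indices")
        if patterns is not None and not any(fnmatchcase(index, p) for p in patterns):
            continue
        return block["name"], block.get("filter")
    return None  # no block matched: the request is rejected

FILTER = '{"query_string":{"fields": ["user_id"],"query":"( 1046 )"}}'
USER = "user@example.test"  # constructed placeholder, not from the thread

filtered_no_indices = {"name": "LDAP_B2", "users": [USER], "filter": FILTER}
filtered_scoped = {**filtered_no_indices, "indices": ["account_*"]}
regular = {"name": "LDAP_B1", "indices": [".kibana", "account_*"]}

ORDERINGS = {
    # Filter leaks onto .kibana: saved objects cannot be read.
    "unscoped filter first": [filtered_no_indices, regular],
    # Regular block wins every request: the DLS filter is never applied.
    "regular first": [regular, filtered_scoped],
    # Filter applies to data indices only; .kibana stays unfiltered.
    "scoped filter first": [filtered_scoped, regular],
}

def summarize(acl):
    """Map a saved-object index and a data index to the block that serves them."""
    return {idx: evaluate(acl, USER, idx) for idx in (".kibana", "account_2020")}

if __name__ == "__main__":
    for label, acl in ORDERINGS.items():
        print(label)
        for idx, hit in summarize(acl).items():
            print(f"  {idx:13} -> {hit}")
```

The "regular first" case is the one to check for when reviewing an ACL: logins and dashboards work, but the data is returned without the document-level filter.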