Saved object is missing

usmanniazi85 · May 25, 2020, 11:33am

Hi,

I have implemented LDAP authentication using ROR file. When i try to apply filters to index it starts giving me error. Save object is missing or unable to load dashboard id.
if i donot apply filter it works fine.

Below is my readonlyrest.yml file

readonlyrest:

    access_control_rules:

    #####################################################################################
    # These credentials have no limitations, and shall be used for custom logsatsh config
    #####################################################################################
    - name: "Require HTTP Basic Auth"
      type: allow
      auth_key: kibana:kibana
      verbosity: error 

    # MACHINES ##################
    - name: "::Kafka::"
      auth_key: kafka:kafka123

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

#    - name: "::KIBANA-SRV::"
#      auth_key: kibana:kibana
#      verbosity: error


    # GROUPS ####################

    - name: "::PERSONAL_GRP::"
      groups: ["Personal"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_@{user}"

    - name: "::ADMIN_GRP::"
      groups: ["ROR (admin)"]
      kibana_access: admin

    - name: "::Infosec::"
      groups: ["Infosec"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_infosec"



      #####################################################################################
      # start of LDAP USERS BLOCK
      #####################################################################################

    
      

      #####################################################################################
      # END of LDAP USERS BLOCK
      #####################################################################################

    # Early intercept testuser's read requests to sodadocs* and apply the filter
    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["abc@abc.com"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'
    
    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana","account_*"]
      kibana_hide_apps: ["readonlyrest_kbn"] 

    


    - name: "LDAP_B3"
      users: ["abc@abc.com"]
      kibana_access: ro
      ############################################USER 2######################################
    
    
      #####################################################################################
      # END of LDAP USERS BLOCK
      #####################################################################################

    # USERS TO GROUPS ############
    users:
    - username: admin
      auth_key: admin:dev
      groups: ["ROR (admin)", "Infosec"]

    - username: simone
      auth_key: simone:dev
      groups: ["ROR (admin)", "Personal", "Infosec"]
      

     
    ldaps:
    
    - name: ldap1
      #host: "ldap.forumsys.com"
      #port: 389                                                     # optional, default 389
      host: "abc.com"
      port: 389
      ssl_enabled: false                                            # optional, default true
      ssl_trust_all_certs: true                                     # optional, default false
      user_id_attribute: "mail"                                    
      #group_name_attribute: "cn"                        
      search_user_base_DN: "ou=abc,o=abc.com"
      search_groups_base_DN: "ou=memberlist,ou=groups,o=abc.com"
      user_search_filter: "(&(mail=*)(objectclass=person))"
      #group_search_filter: "(&(cn=*)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
      unique_member_attribute: "uniqueMember"                       # optional, default "uniqueMember"
      connection_pool_size: 10                                      # optional, default 30
      connection_timeout_in_sec: 10                                 # optional, default 1
      request_timeout_in_sec: 10                                    # optional, default 1
      cache_ttl_in_sec: 60                                          # optional, default 0 - cache disabled

sscarduzio · May 25, 2020, 12:20pm

please take care of formatting your yaml using the </> button in the forum’s editor. Now it’s unreadable.

usmanniazi85 · May 25, 2020, 12:28pm

I want to apply the user_id filter to ldap block but its not working if i change the order of blocks moving filter block first then it will start giving error dashboard missing or saved object not found

usmanniazi85 · May 25, 2020, 12:29pm

I am sucessfully able to login via ldap but DLS is not working for me

usmanniazi85 · May 25, 2020, 12:32pm

I am sucessfully ab le to login via ldap this is the error i am getting in Kibana.

[error][readonlyrest_kbn:onPreResponse] got an error [404] Not Found for path /k/plugins/readonlyrest_kbn/css/armata_montserrat_font.css
log [12:29:32.167] [error][readonlyrest_kbn:onPreResponse] index not found, will return the useful error.
log [12:29:40.021] [info][readonlyrest_kbn:extractIdentity] asked for group undefined
log [12:29:41.510] [info][readonlyrest_kbn:enrichFromEs] received identity payload: {“x-ror-username":"user@abc.com”,“x-ror-kibana-hidden-apps”:[“kibana:dev_tools”,“kibana:management”,“readonlyrest_kbn”,“timelion”],“x-ror-kibana_access”:“ro”}

sscarduzio · May 25, 2020, 3:33pm

@usmanniazi85 look at this fragment:

    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["abc@abc.com"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'
    
    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana","account_*"]
      kibana_hide_apps: ["readonlyrest_kbn"]

Remember the ACL blocks are evaluated from top to bottom, one by one.

LDAP_B2 block has no indices rule, so this block will match and the filter will be applied even when the user “abc@abc.com” reads from “.kibana” index. This is why the savedObjects API - which writes and reads documents from “.kibana” - fails.

Make sure the LDAP_B2 has an indices rule, to limit the filter application to data indices exclusively (i.e. “account_*”), leaving the access to “.kibana” unfiltered.

usmanniazi85 · May 26, 2020, 10:02am

Hi I have added the index to Block B2 asa you suggested but now start getting below error when i click on dashboard.

Saved object is missing

Could not locate that dashboard (id: 70ac8490-4bf0-11ea-a35b-1dc91ca13ca9)

name: “LDAP_B2”
ldap_authentication: ldap1
users: [“abc@abc.com”]
indices: [“account_*”]
filter: ‘{“query_string”:{“fields”: [“user_id”],“query”:“( “1046” )”}}’
- name: “LDAP_B1”
  ldap_authentication: ldap1
  kibana_access: ro
  indices: [“.kibana”,“account_*”]
  kibana_hide_apps: [“readonlyrest_kbn”]
- name: “LDAP_B3”
  users: [“abc@abc.com”]
  kibana_access: ro

usmanniazi85 · May 26, 2020, 10:03am

This is what i am gettig in ES log as info

][t.b.r.b.Ror$ ] [esnode] Loading ReadonlyREST settings from index failed: index content malformed
[2020-05-26T14:58:53,835][INFO ][t.b.r.b.Ror$ ] [esnode] Loading ReadonlyREST settings from file: /Users/usmanniazi/Downloads/elasticsearch-7.7.0/config/readonlyrest.yml

sscarduzio · May 26, 2020, 2:59pm

You clearly have indentation issues LDAP_B2 and LDAP_B1 are on two different indentation levels

usmanniazi85 · May 28, 2020, 6:45am

-  name: "LDAP_B2"
  ldap_authentication: ldap1
  users: ["abc@abc.com"]
  indices: ["ilm_data"]
#  kibana_index: ".kibana_@{user}"
#  actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  filter: '{"query_string":{"fields": ["user_id"],"query":"( "1046" )"}}'

- name: "LDAP_B1"
  ldap_authentication: ldap1
  kibana_access: rw
#  indices: [".kibana","account_*"]
#  kibana_index: ".kibana_@{user}"
  kibana_hide_apps: ["readonlyrest_kbn"] 




- name: "LDAP_B3"
  users: ["abc@abc.com"]
  kibana_access: rw

usmanniazi85 · May 28, 2020, 6:47am

Hi,
There is no identation issue actually when i paste code here it occurs. Only problem which i am facing is when i apply filter to document it wont work in kibana for DLS

sscarduzio · May 28, 2020, 1:54pm

this issue has been fixed in the newest pre release. And we also have a brand new filter rule that does not require you to install ROR in all the Elasticsearch nodes in your cluster, but only the ones you connect Kibana to.

https://readonlyrest-data.s3.eu-west-1.amazonaws.com/build/1.20.0-pre4/readonlyrest-1.20.0-pre4_es7.7.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ%2F20200528%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20200528T135421Z&X-Amz-Expires=604800&X-Amz-Signature=a5b868d4f3ee41fbac7737c682394dc855abf491b792f382f23388138e5607f1&X-Amz-SignedHeaders=host

usmanniazi85 · May 28, 2020, 6:58pm

Hi,
Getting this error when i try to loin with LDAP authenticated user.

[error][readonlyrest_kbn:onPreResponse] index not found, will return the useful error.

usmanniazi85 · May 28, 2020, 6:59pm

If i remove filter from block in shared in thread it works fine when i apply filter to index it is not working for DLS

sscarduzio · May 28, 2020, 7:28pm

Is this happening while using the latest plugin that I linked to you?
Also, please have a look at elasticsearch logs, try to find any errors, and the “ALLOWED” log line with the same timestamp corresponding to when you see “index not found, will return the useful error”.

Also, can you please attach the full sanitized YAML file? I mean as an attachment.

usmanniazi85 · May 28, 2020, 8:00pm

readonlyrest.yml.zip (1.8 KB)

Hi this is my YML file. Yes i have used the latest plugin i shared. Not working for me.

What i have done i have downloaded older version of ELK plus ROR plugin it stared working with the same YML i shared with you.
Might be i am missing some settings with new versions.

sscarduzio · May 28, 2020, 9:11pm

OK See this fragment:

    - name: "LDAP_credentials_V1_for_soda_user11"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"] 

    - name: "LDAP_credentials_V2_for_soda_user11"
      ldap_authentication: ldap1
      users: ["user1@.com"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( 102 )"}}'

The extra block that contains the filter rule needs to be BEFORE the regular one. As I said, the ACL is evaluated top to bottom, so the incoming search requests find first the filtered block, and all other requests will be matched by the regular block, right after the filter one.

I found the same mistake also in the other user’s block…

    - name: "LDAP_B1"
      ldap_authentication: ldap1
      kibana_access: ro
      indices: [".kibana"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"] 

    - name: "LDAP_B2"
      ldap_authentication: ldap1
      users: ["user2@.com"]
      filter: '{"query_string":{"fields": ["user_id"],"query":"( 1046 )"}}'

In both cases, the two blocks need to be inverted. First the filtered one, then the regular.