yes indeed, can you share the content of that field? It basically shows a trace of how the request was evaluated by the ACL, that is, what rules and what blocks matched and in what chronological order.
“acl_history”:
"
[::KIBANA-SRV::->[auth_key->false]],
[::RO::->[auth_key->false]],
[::RW::->[auth_key->false]],
[::ADMIN::->[auth_key->false]],
[WEBSITE SEARCH BOX::->[indices->true, actions->false]],
[allow all for admin->[ldap_authentication->false]],
[for ROR cleanup->[ldap_authentication->false]],
[for monitoring->[ldap_authentication->false]],
[requests from user for indices d*->[ldap_authentication->false]],
[requests from user for indices a*->[ldap_authentication->false]],
[requests from user for indices m1*->[ldap_authentication->false]],
[requests from user for indices p*->[ldap_authentication->false]],
[requests from user for indices m2*->[ldap_authentication->false]],
[requests from user for indices i*->[ldap_authentication->false]]
"
Great, thank you @sdba2!
And what block should normally (in 1.16.21) this request by “user1” match?
Is this a valid LDAP user that ldap_authentication should match?
Ok mystery solved.
You are not using kibana_access macro rule, and you are using raw actions. I highly recommend that you remove the actions rule in favour of a kibana_access: rw/ro/ro_strict/admin.
Please read the explanation in the docs about what kibana_access does and why it’s preferable to simple actions when the objective is to allow a Kibana session to a user.
it works. the user can logon to kiban, create visualize/dashboards and create indices.
is this the correct way (2 blocks) ?
if not, how the acl block should look like ?
the user need to read, write, admin, monitor it’s own indeices (starts with d*)
and also connect to kibana to work with the “dev tools” and create some visualize + dashboard
Hi @sdba2, glad it work, I have some questions though:
Why the backslash?
Why is it important for you to allow this user to write inside the “d*” indices? Under normal circumstances, we want to prevent Kibana sessions from modifying the data indices.
In fact, normally it’s preferable to create two separated identities for data writers and Kibana users to keep Kibana users from accidentally modifying the data (i.e. going wild with dev tools, etc.).
Finally, last comment is that yes, it’s quite common to split two blocks to express boolean OR logic. Remember: ACL blocks are like OR statements, as either of them can match; instead rules inside an ACL block are evaluated in AND logic, that is: all of them must match in order for the whole block to match.
OK about the forum not displaying the star symbol, that’s because you have to mark things as code! Use the editor, there is a “</>” button.
x*single line code*
multi*
*line
*code*
About the user indexing via dev tools, fine for me. In that case having the two blocks in OR logic is perfectly fine.
The previous version of ROR was working because in the new version the login attempts from Kibana go to a dedicated endpoint ( /_readonlyrest/metadata/current_user ), while previously we used a simple get to a generic /_nodes/_local. The new endpoint correspond to a different ‘action’ that was not permitted by your custom list of allowed actions. If you had used kibana_access macro, you would have not even realised, as such a request would have been allowed from within the macro
Your ACL blocks look fine, be always mindful of the order you write them, because that would be also the order they are evaluated as. And also, never mix action and kibana_access rules as the former nullifies the latter.