[SUPPORT|kbn_ent] Managing forbidden messages

We have a large number of groups and users.
Many people do not understand why they cannot access the indexes and write to support.

I want to add the ability to add the response_if_req_forbidden function to each ACL.

To get a message when accessing the index “support”,
error:

you need the “support” role in ldap

To get a message when accessing the index “prod”,
error:

you need the “prod” role in ldap

Now the person gets an error, the password is incorrect and does not understand what to do to gain access to the role.

Or maybe you already have a solution to my problem?

{“customer_id”: “6c4a385b-2ae8-4f02-a9cd-ef24addfb5b3”, “subscription_id”: “32d4073f-dc2f-4056-a868-842727c637cd”}

Hi @driveirk

Where do you want to see this message? Somewhere in Kibana UI or do you refer to response from ES API only?

Hi
In both cases.
But most often the problem occurs in Kibana, because people visit there more often.

The API case is simple. Assuming that we are talking about the custom forbidden message in the “forbid” type blocks only.

But I don’t think I understand how you would like to see it in Kibana. Could you please show me some example? (ROR ACL + Kibana screenshot of how it looks now)

1. the password is incorrect.
   
   

   image998×630 34.3 KB
   
   This is good.

2)the password is correct, But access is denied.
I want to replace “Wrong credentials” with my own text

    - name: "check pass"
      type: allow
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
 #Maybe use "not_groups"? and type: forbid
        groups: ["basic", "admin", "support"] 
     response_if_req_forbidden: "You must be in one of the groups basic, admin, support"

3)1) the password is correct, but there are restrictions on access to the index:

image1990×660 90.2 KB

    - name: "group a access"
      indices: ["*kibana*" ]
      kibana_access: rw
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["a"]

    - name: "group a"
      type: forbid
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
 #Maybe use "not_groups"? and  groups: ["b"]
        groups: ["a"]
      response_if_req_forbidden: "You must be in one of the groups b"

Adding not_groups would help too.
not_groups - The user does not have any of the listed groups.

A user won’t be allowed to enter Kibana when no block is matched. All blocks mismatched, means: FORBIDDEN.

So, analyzing the 2nd point, I’d say that the block won’t be matched (assuming that the user has none of the listed groups), and the next block will be evaluated. Because the “check pass” block was not matched, the “response_if_req_forbidden” message won’t be chosen anyway.

When there is a possibility to change the block type to “forbid” and use “not_groups”, the “response_if_req_forbidden” might make sense. The block will be matched, ACL result is defined by this block and we can get the message and return to Kibana.

So, as you see - the “response_if_req_forbidden”:

1. makes sense at the root level
2. makes sense with block with type: forbid
3. makes no sense with block with type: allow

BTW: high in our backlog, we have a task to improve the error messages shown by Kibana when user’s request is rejected by ROR ES ACL.

What if we use this option? Continuation of point 2

- name: "group a"
      type: forbid
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        not_groups: ["a"]
      response_if_req_forbidden: "You must be in one of the groups a"

user is not a member of any of the groups “a”
So that when authorizing with the correct user password, instead of
“Wrong credentials”
there will be
“You must be in one of the groups a”

Can this be added?

“not_groups” in “ldap_authorization” won’t be so simple to add (e.g. I’m not sure if it’s going to work with server_side_groups_filtering enabled).

But it seems we can try to implement this.

Can I ask why?
not_groups and groups search for groups in the same way.
Differences:

                            groups => skip
                         /
search group => if false 
                         \
                           not_groups => use

                            groups => use
                         /
search group => if true 
                         \
                           not_groups => skip

The only difference is the behavior after the search is completed.

LDAP connector has two modes:

1. Server side groups filtering is disabled (default) - ROR asks for all ldap groups for a given user and then on the ROR side there is a check if user belongs to the configured groups. The new subrule is going to check if the user DOESNT belong to the configured groups. This is simple
2. Server side groups filtering is enabled - ROR asks LDAP to return only the groups that matches a given query (the ldap query is created using the configured groups). I’m not sure if this will be possible with the new subrule. This requires some deeper analysis.

The first of the improvements discussed in this topic is added in ROR 1.61.0 - the forbidden response message defined at the block level.

Sorry, I was on a long vacation and couldn’t answer you.

Can you tell me what was added?
I checked authorization with the wrong password and with the user banned. The error is the same.
I tried using not_groups and response_if_req_forbidden in blocks. But ROR doesn’t know these parameters.

P.S.
My bosses are asking me to clarify the ETA of this problem. Because they often encounter these errors.
Do you have any timeframe for solving this problem?

the topic was split into two separate parts:

1. allowing the definition of the forbidden response message at the block level
2. groups_not_any_of, groups_not_all_of rules/subrules

The second one is being reviewed. It means I will be able to provide you a pre-build with this change this week. And it will be released with ROR 1.63.0

Works great in Elasticsearch. Thanks.

There are 2 things in kibana:

1. Is it possible to somehow remove the top 2 errors and leave only the bottom error?
   
   

   image375×673 44.7 KB
   
   If you request aliases there will be millions of errors.

My configs:

    - name: "A2222"
      users: ["elk"]
      ldap_authentication:
        name: "ldap"
      type: 
        policy: allow
      indices: ["*kibana*"]

    - name: "A111"
      users: ["elk"]
      ldap_authentication:
        name: "ldap"
      type: 
        policy: forbid
        response_message: "You lose"

2)What needs to be done to display an error on the authorization window?

It should be “You lose”.
But I get the error “Wrong credentials”

My configs:

    - name: "A111"
      users: ["elk"]
      ldap_authentication:
        name: "ldap"
      type: 
        policy: forbid
        response_message: "You lose"

@Dzuming could you please refer to the 1st point?

ad 2) we’re planning to improve the error message under the login form, so we will take this into consideration. At the moment, the message set in the ROR ACL hasn’t been propagated to this place.

Sure, I will analyze it and come back with an answer

@driveirk Are you interested in testing the new group rules? If so, please let me know what ES version you want me to provide.

Yes, I’m just waiting for you to do it.
elasticsearch 7.17.25
kibana 7.17.25
Thanks

Here is the build:
ROR 1.63.0-pre2 for ES 7.17.25
You can use it with the latest KBN plugin.

We’ve added groups_not_any_of and groups_not_all_of subrules. Anywhere you use groups_and' or groups_or’, you can use them instead.

In case of any problems, @michalg will help you with it.

Yes, everything is fine.
Could you please let me know if you will be able to fix in kibana the “Wrong credentials” display issue by version 1.63?

example ^
It should be “You lose”.
But I get the error “Wrong credentials”