Unable to load elasticsearch.yml


#1

Hi,

I am currently trying to amend the rule, and I encountered a problem on fail to load the configuration.

Elasticsearch version: 5.6.1
kibana version : 5.6.1
ROR Pro version : 1.16.11

Both my es & kibana run as service in centos

I am still in the testing stage and use auth key directly on the access_control rule.
My steps are as follow

  1. amend the elasticsearh.yml
  2. restart elasticsearch as a service
  3. try to enter kibana with the saved credentials / try to enter curl elasticsearch with saved credentials
    -> both failed

``

- name: "::GROUPA::"
  auth_key: delete:changeme
  kibana_access: rw
  actions: ["indices:data/read/*", "indices:data/write/*"]
  indices: [".kibana", ".kibana-devnull", "logstash-*"] 
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

``

The reason what I would like to create this admin because I want to perform deletion on the dashboard and also execute the curl in dev_tools. becuse even i use admin account, i cannot perform delete action on kibana objects.

Thanks


(Simone Scarduzio) #2

Hi @vannesa,

Rarely setting up “actions” and “kibana_access” together in the same block makes sense. That’s because kibana_access is already a macro that carefully allows a list of permitted actions. If you further limit the sets of actions using the “actions” rule, you basically cripple the macro down to your smaller allowed actions list.

Also, I’d lose the indices rule as well, because the kibana_access macro allows a set of actions to the “.kibana” index alone (and denies non-readonly actions to the rest of the indices). So there’s no real danger of accidentally updating/deleting data indices (others than the .kibana index) for the user.


#3

Want to ask, if the rules set up in access_control_rules fail, is that mean the users who in that"groups" also fail to access elasticsearch?


(Simone Scarduzio) #4
  1. If any rule in a block fail to match, the block is discarded and the next is analysed.

  2. In a block that has “groups” in it, If all the other rules match, the first group is evaluated, then the second, etc. If no groups match, the whole “groups” rule won’t match. GOTO 1