Kibana access RO users

[sirdrug]

Hi! We use ELK 8.4.3 and enterprise version of plugin! When users from RO group try to do anything, for example go to discover tab after login, they logout!!! :(
In audit events i se that user try to /write/_bulk, update, and some _get actions, for example indices:data/write/bulk in index readonlyrest_audit-2022-11-01, but get FORBIDDEN

[sscarduzio]

Hello @sirdrug we'd need to see your YAML to inspect the ACL in order to reproduce the issue. Please send us your sanitised YAML, or even better, the minimal form of ACL that reproduces the bug.

If you are not confident with sharing in public, please email support at readonlyrest dot com.

Actually, the best way would be to log in the cusotmer portal and open a ticket from there (it's managed via the forum). So we keep track this as a priority support case on the name of your company.

[sirdrug]

From customer portal i get redirect to forum, but with our email we take message like in the picture

[sirdrug]

Config in screenshot work perfect before update

[sirdrug]

Plugin try to write and update under user RO

[sscarduzio]

Yes our support tickets are an automation over the forum private messages API. Just login in the forum as the same email (or create a new forum account with that email) and describe the issue.

@Dzuming do you require any extra information to investigate on this?

[Dzuming]

Hello, @sirdrug I'm trying to reproduce this issue, Could you provide kibana and es logs with the debug level?

[sirdrug]

Cluster in production for debug mode i need to reboot, this is impossible. When user go to discover tab then logout!
In audit logs it the same time write & update action on index, but kibana access: RO users take FORBIDDEN

[sscarduzio]

@sirdrug we are getting the forbidden, but in our experience with the latest version or ROR, we can't reproduce the logout effect. 🤔 Can you share what version of ROR are you using? Also, please send us kibana.yml and readonlyrest.yml (full ACL). You can use support at readonlyrest dot com Email if you prefer.

EDIT: please have a look at the browser developer tools: see "Console", click "preserve logs", and repeat the test. Can you see any interesting logs? Or stack traces?

[sirdrug]

{
"_index": "readonlyrest_audit-2022-11-10",
"_id": "1437276912-1270873560#4672461",
"_version": 1,
"_score": 0,
"_ignored": [
"acl_history.keyword"
],
"_source": {
"headers": [
"tracestate",
"x-ror-correlation-id",
"accept",
"x-elastic-product-origin",
"user-agent",
"x-opaque-id",
"content-length",
"traceparent",
"elastic-apm-traceparent",
"x-ror-kibana-request-method",
"x-elastic-client-meta",
"content-type",
"Accept-Charset",
"connection",
"x-ror-kibana-request-path",
"x-ror-current-group",
"Authorization",
"Host",
"x-forwarded-for"
],
"acl_history": "[Kibana-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], [Admin-> RULES:[auth_key_sha256->false] RESOLVED:[group=_G Kibana_Test_RO;indices=.kibana]], [Test users RO-> RULES:[ldap_authentication->true, ldap_authorization->true, kibana_hide_apps->true, kibana_access->false] RESOLVED:[user=testuser;group=_G Kibana_Test_RO;av_groups=_G Kibana_Test_RO;indices=.kibana]], [Test users RW-> RULES:[ldap_authentication->true, ldap_authorization->false] RESOLVED:[user=testuser;group=_G Kibana_Test_RO;indices=.kibana]]",
"origin": "192.168.1.1/32",
"match": false,
"final_state": "FORBIDDEN",
"destination": "192.168.1.1/32",
"task_id": 4672461,
"type": "BulkRequest",
"req_method": "POST",
"path": "/_bulk",
"indices": [],
"@timestamp": "2022-11-10T09:33:37Z",
"content_len_kb": 0,
"correlation_id": "67c2a3fa-fdd1-4175-a3cc-a346779e6ba9",
"processingMillis": 2,
"xff": "1.1.1.1",
"action": "indices:data/write/bulk",
"block": "default",
"id": "1437276912-1270873560#4672461",
"content_len": 706,
"user": "testuser"
}

[sirdrug]

and this
Request URL: https://testurl/s/default/api/saved_objects/_bulk_resolve
Request Method: POST
Status Code: 401

[sscarduzio]

Thank you @sirdrug for the extra data, it will be useful.

In the meantime, @Dzuming spent some time on this and found quite a few extra edge cases. In the new release. Soon we can give you a new build to test for sure.

[sirdrug]

erver.port: 5601
server.host: 192.168.1.1
server.name: test
elasticsearch.hosts: [ "https://192.168.1.1:9200/"]
elasticsearch.username: ""
elasticsearch.password: ""
elasticsearch.requestTimeout: 9000000
xpack.reporting.enabled: false
elasticsearch.ssl.verificationMode: none
logging:
appenders:
file:
type: file
fileName: /var/log/kibana/kibana.log
layout:
type: json
root:
appenders:
- default
- file
pid.file: /run/kibana/kibana.pid
readonlyrest_kbn.whitelistedPaths: ["./api/status$"]
readonlyrest_kbn.sessions_refresh_after: 9000
readonlyrest_kbn.sessions_probe_interval_seconds: 300
readonlyrest_kbn.sessions_index_name: ".new_sessions"
readonlyrest_kbn.session_timeout_minutes: 9000 # defaults to 4320 (3 days)
readonlyrest_kbn.clearSessionOnEvents: ["never"]
readonlyrest_kbn.cookiePass: "**"
readonlyrest_kbn.store_sessions_in_index: true

plugin version
readonlyrest_kbn_universal-1.44.0_es8.4.3