Authorization Exception - Kibana connecting to Nginx
[error][status][plugin:elasticsearch@6.2.4] Status changed from yellow to red - Authorization Exception
Nginx is configured to proxy the requests to Elasticsearch with basic auth and an access control list implemented in Lua. Here is what the nginx config looks like:
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
access_by_lua_file '/etc/nginx/authorize.lua';

location / {
    proxy_pass http://elasticsearch;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    proxy_set_header Proxy-Connection "Keep-Alive";
}
Kibana is configured to connect to the nginx host. Here is what the config looks like:
elasticsearch.url: "https://*****:443"
#elasticsearch.ssl.verificationMode: none
elasticsearch.username: "user"
elasticsearch.password: "****"
I have identified that the problem only occurs when using Lua; Kibana can authenticate fine if I remove the "access_by_lua_file" directive from the nginx config.
Can someone enlighten me on what the problem could be? I need to use Lua for role-based access.
This is my authorize.lua. I am also using Cerebro to connect through the same nginx host URL with the same auth credentials, and that works fine.
-- authorization rules: role -> { URI pattern -> allowed methods }
-- (Lua patterns; a pattern without a leading ^ matches anywhere in the URI)
local restrictions = {
  all = {
    ["^/$"] = { "HEAD" }
  },
  user = {
    ["^/$"] = { "GET" },
    ["^/?[^/]/?anywherehelp/contacts/"] = { "GET", "POST", "PUT", "HEAD" },
    ["/_aliases"] = { "GET" },
    ["/_cluster."] = { "GET" }
  },
  admin = {
    ["^/?[^/]/?[^/]/_bulk"] = { "GET", "POST" },
    ["^/?[^/]/?[^/]/_refresh"] = { "GET", "POST" },
    ["^/?[^/]/?[^/]/?[^/]/_create"] = { "GET", "POST" },
    ["^/?[^/]/?[^/]/?[^/]/_update"] = { "GET", "POST" },
    ["^/?[^/]/?[^/]/?."] = { "GET", "POST", "PUT", "DELETE" },
    ["^/?[^/]/?[^/]$"] = { "GET", "POST", "PUT", "DELETE" },
    ["/_aliases"] = { "GET", "POST" }
  }
}

-- the user name authenticated by auth_basic is used as the role
local role = ngx.var.remote_user
ngx.log(ngx.DEBUG, role)

-- exit 403 when no matching role has been found
-- (tostring guards the log line if remote_user is unset)
if restrictions[role] == nil then
  ngx.header.content_type = 'text/plain'
  ngx.log(ngx.WARN, "Unknown role ["..tostring(role).."]")
  ngx.status = 403
  ngx.say("403 Forbidden: You don't have access to this resource.")
  return ngx.exit(403)
end

-- get URL
local uri = ngx.var.uri
ngx.log(ngx.DEBUG, uri)

-- get method
local method = ngx.req.get_method()
ngx.log(ngx.DEBUG, method)

local allowed = false
for path, methods in pairs(restrictions[role]) do
  -- path matched rules?
  local p = string.match(uri, path)
  local m = nil
  -- method matched rules? (keep the first match found)
  for _, _method in pairs(methods) do
    m = m or string.match(method, _method)
  end
  if p and m then
    allowed = true
    ngx.log(ngx.NOTICE, method.." "..uri.." matched: "..tostring(m).." "..tostring(path).." for "..role)
    break
  end
end

-- no rule matched for this role: deny
if not allowed then
  ngx.header.content_type = 'text/plain'
  ngx.log(ngx.WARN, "Role ["..role.."] not allowed to access the resource ["..method.." "..uri.."]")
  ngx.status = 403
  ngx.say("403 Forbidden: You don't have access to this resource.")
  return ngx.exit(403)
end
I got Kibana working after modifying the authorize.lua file. I had to allow some additional access for the user to be able to authenticate. Here are the lines:
user = {
  ["^/$"] = { "GET", "HEAD" }, -- allowed the HEAD requests
Now this works for me, but I want to make sure I am not exposing any additional privileges to this user to read or modify data other than the allowed index (which is testindex/contacts/).
Can you enlighten me as to whether there could be any possible security issues with this setup?
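An added offline check, not part of the thread: it re-implements the decision logic of the authorize.lua above in Python so the rule table can be replayed against constructed requests before the file is deployed. The Lua patterns in that table are also valid Python regular expressions with the same meaning, and `string.match` is unanchored unless a pattern starts with `^`, so `re.search` is the equivalent. The sample request list and the user name `nobody` are constructed for the example.

```python
import re

# Rule table from the authorize.lua above, with the follow-up's HEAD fix applied
# to "user". These Lua patterns are also valid Python regexes with the same
# meaning, and string.match is unanchored unless the pattern starts with ^.
RESTRICTIONS = {
    "all": {r"^/$": ["HEAD"]},
    "user": {
        r"^/$": ["GET", "HEAD"],
        r"^/?[^/]/?anywherehelp/contacts/": ["GET", "POST", "PUT", "HEAD"],
        r"/_aliases": ["GET"],
        r"/_cluster.": ["GET"],
    },
    "admin": {
        r"^/?[^/]/?[^/]/_bulk": ["GET", "POST"],
        r"^/?[^/]/?[^/]/_refresh": ["GET", "POST"],
        r"^/?[^/]/?[^/]/?[^/]/_create": ["GET", "POST"],
        r"^/?[^/]/?[^/]/?[^/]/_update": ["GET", "POST"],
        r"^/?[^/]/?[^/]/?.": ["GET", "POST", "PUT", "DELETE"],
        r"^/?[^/]/?[^/]$": ["GET", "POST", "PUT", "DELETE"],
        r"/_aliases": ["GET", "POST"],
    },
}

def is_allowed(role, method, uri, rules=RESTRICTIONS):
    """Same decision as authorize.lua: an unknown role is denied; otherwise allow
    if some rule's path pattern occurs in the URI and a method pattern in the method."""
    role_rules = rules.get(role)
    if role_rules is None:
        return False
    for path, methods in role_rules.items():
        if re.search(path, uri) and any(re.search(m, method) for m in methods):
            return True
    return False

# Constructed sample requests (not from the thread): Kibana's startup check,
# a second index, the cluster and alias endpoints, and an unknown user.
SAMPLE_REQUESTS = [
    ("user", "HEAD", "/"),
    ("user", "GET", "/testindex/contacts/_search"),
    ("user", "GET", "/other_index/_aliases"),
    ("user", "DELETE", "/other_index/_aliases"),
    ("user", "GET", "/_cluster/health"),
    ("nobody", "GET", "/"),
    ("admin", "DELETE", "/other_index"),
]

def audit(requests=SAMPLE_REQUESTS, rules=RESTRICTIONS):
    """Replay the requests through the rules: {(role, method, uri): allowed}."""
    return {r: is_allowed(*r, rules=rules) for r in requests}
```

Running `audit()` shows which of the constructed requests each role would be allowed; note that `[^/]` matches exactly one character, so a multi-character index name such as `testindex` does not match the contacts rule, while the unanchored `/_aliases` and `/_cluster.` rules match those endpoints under any index.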