Kibana freezes on Document level security on shield

Hi,

I am setting up LDAP auth using Shield. I want to establish document level security, so that the Kibana users will not be able to view certain data on the reports. I am using the Trial version of Shield. Both ES and Shield are version 2.4.1.
Below is my LDAP configuration for Shield and Roles & Role Mapping.

I need to mention that I have tried even putting a query string like query: '{"match":{"_type":"blog"}}' for document level filtering.

Roles yml

# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all
isp:
  indices:
    # '*' globs in the index patterns below were presumably stripped by the forum's rendering and are restored here
    'isp*':
      privileges:
        - all
      query:
        term:
          isp_name: xxxxxxx
    '.kibana*':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/read/msearch, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
    - cluster:monitor/state
  indices:
    '.kibana*':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/read/msearch, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    '.reporting-*':
      privileges:
        - all

Role_mapping yml

admin:
  - "cn=admins,ou=groups,dc=xxxxxx,dc=com"
isp:
  - "cn=isp,ou=groups,dc=xxxxxx,dc=com"
ott:
  - "cn=ott,ou=groups,dc=xxxxxx,dc=com"
kibana4server:
  - "cn=kibana,ou=groups,dc=xxxxxx,dc=com"

Kibana screenshot (image not included)

Here is the log from Elasticsearch
[2016-10-06 11:21:28,564][DEBUG][shield.authc.ldap ] [node-1] authenticated user [kserver], with roles [[kibana4_server]]
[2016-10-06 11:21:28,865][DEBUG][shield.authc.ldap ] [node-1] user not found in cache, proceeding with normal authentication
[2016-10-06 11:21:28,871][DEBUG][shield.authc.support ] [node-1] the roles [[isp]], are mapped from these [ldap] groups [[cn=isp,ou=groups,dc=alefmobitech,dc=com]] for realm [ldap/ldap1]
[2016-10-06 11:21:28,871][DEBUG][shield.authc.support ] [node-1] the roles [[]], are mapped from the user [ldap] for realm [cn=uday kona,ou=users,dc=alefmobitech,dc=com/ldap]
[2016-10-06 11:21:28,871][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ukona], with roles [[isp]]
[2016-10-06 11:21:29,088][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ukona], with roles [[isp]]
[2016-10-06 11:21:29,340][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ukona], with roles [[isp]]
[2016-10-06 11:21:30,831][TRACE][shield.authc.esnative ] [node-1] starting polling of user index to check for changes
[2016-10-06 11:21:31,068][DEBUG][shield.authc.ldap ] [node-1] authenticated user [kserver], with roles [[kibana4_server]]
[2016-10-06 11:21:31,075][DEBUG][shield.authc.ldap ] [node-1] authenticated user [kserver], with roles [[kibana4_server]]
[2016-10-06 11:21:31,471][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ukona], with roles [[isp]]
[2016-10-06 11:21:31,474][DEBUG][shield.authc.ldap ] [node-1] authenticated user [ukona], with roles [[isp]]

This log keeps appearing non-stop in the log file; I have set up Shield TRACE logging.
Here is the log from Kibana

{"type":"response","@timestamp":"2016-10-06T05:51:50Z","tags":[],"pid":17815,"method":"get","statusCode":200,"req":{"url":"/login","method":"get","headers":{"host":"192.168.3.104:5601","connection":"keep-alive","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8","referer":"https://192.168.3.104:5601/logout","accept-encoding":"gzip, deflate, sdch, br","accept-language":"en-GB,en-US;q=0.8,en;q=0.6"},"remoteAddress":"192.168.4.198","userAgent":"192.168.4.198","referer":"https://192.168.3.104:5601/logout"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /login 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2016-10-06T05:51:50Z","tags":[],"pid":17815,"method":"get","statusCode":200,"req":{"url":"/bundles/commons.style.css?v=10146","method":"get","headers":{"host":"192.168.3.104:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36","accept":"text/css,/;q=0.1","referer":"https://192.168.3.104:5601/login","accept-encoding":"gzip, deflate, sdch, br","accept-language":"en-GB,en-US;q=0.8,en;q=0.6"},"remoteAddress":"192.168.4.198","userAgent":"192.168.4.198","referer":"https://192.168.3.104:5601/login"},"res":{"statusCode":200,"responseTime":10,"contentLength":9},"message":"GET /bundles/commons.style.css?v=10146 200 10ms - 9.0B"}
{"type":"response","@timestamp":"2016-10-06T05:51:50Z","tags":[],"pid":17815,"method":"get","statusCode":200,"req":{"url":"/bundles/login.style.css?v=10146","method":"get","headers":{"host":"192.168.3.104:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36","accept":"text/css,/;q=0.1","referer":"https://192.168.3.104:5601/login","accept-encoding":"gzip, deflate, sdch, br","accept-language":"en-GB,en-US;q=0.8,en;q=0.6"},"remoteAddress":"192.168.4.198","userAgent":"192.168.4.198","referer":"https://192.168.3.104:5601/login"},"res":{"statusCode":200,"responseTime":8,"contentLength":9},"message":"GET /bundles/login.style.css?v=10146 200 8ms - 9.0B"}

As long as the screen is logged in, this keeps appearing in the log file.
Here is my Elasticsearch shield yml

shield.dls_fls.enabled: true
shield.authc.ldap.files.role_mapping: "/etc/elasticsearch"
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://192.168.3.104:389"
        bind_dn: "cn=admin,dc=xxxxxx,dc=com"
        bind_password: xxxxxx
        user_search:
          base_dn: "dc=xxxxxx,dc=com"
        group_search:
          base_dn: "dc=xxxxxx,dc=com"
          filter: "(&(objectClass=posixGroup)(memberUid={0}))"
          user_attribute: "uid"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
        unmapped_groups_as_roles: false

cc @jaymode

Do you see any errors at the beginning of the log file (well when elasticsearch starts) about the role not being valid?

What happens if you log in as a user with the isp role and execute a search request directly against elasticsearch?

Yes, I did see an error. Thanks for pointing it out; it was just a typo.

[2016-10-06 17:49:24,738][INFO ][node ] [node-1] initialized
[2016-10-06 17:49:24,738][INFO ][node ] [node-1] starting ...
[2016-10-06 17:49:25,331][ERROR][shield.authz.store ] [node-1] invalid role definition [kibana] in roles file [/etc/elasticsearch/shield/roles.yml]. could not resolve indices privileges [indicesata/write/update,indicesata/read/get,indicesata/write/index,indices:admin/mapping/put,indicesata/write/delete,indicesata/read/search,indicesata/read/mget,indices:admin/refresh,indices:admin/validate/query,indices:admin/mappings/fields/get,indices:admin/exists,indices:admin/create]. skipping role...
[2016-10-06 17:49:25,677][TRACE][shield.authc.support ] [node-1] reading realm [ldap/ldap1] role mappings file [/etc/elasticsearch/shield/role_mapping.yml]...
[2016-10-06 17:49:25,778][INFO ][shield.transport ] [node-1] publish_address {192.168.3.104:9300}, bound_addresses {192.168.3.104:9300}
[2016-10-06 17:49:25,782][INFO ][discovery ] [node-1] elasticsearch/QOUiYwu-Qc-APJZ4YwsGzQ
[2016-10-06 17:49:28,850][INFO ][cluster.service ] [node-1] new_master {node-1}{QOUiYwu-Qc-APJZ4YwsGzQ}{192.168.3.104}{192.168.3.104:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2016-10-06 17:49:28,852][DEBUG][shield.authc.esnative ] [node-1] native users store waiting until gateway has recovered from disk
[2016-10-06 17:49:28,933][INFO ][http ] [node-1] publish_address {192.168.3.104:9200}, bound_addresses {192.168.3.104:9200}
[2016-10-06 17:49:28,933][INFO ][node ] [node-1] started
[2016-10-06 17:49:28,975][INFO ][license.plugin.core ] [node-1] license [896297ab-7d95-4a8d-8419-854083fd8c3f] - valid

Also, I made a modification to the role_mapping file from before:

admin:
  - "cn=admins,ou=groups,dc=xxxxx,dc=com"
isp:
  - "cn=isp,ou=groups,dc=xxxxxx,dc=com"
ott:
  - "cn=ott,ou=groups,dc=xxxxxxx,dc=com"
kibana:
  - "cn=kibana4grp,ou=groups,dc=xxxxxxx,dc=com"
  - "cn=isp,ou=groups,dc=xxxxxxxx,dc=com"
  - "cn=ott,ou=groups,dc=xxxxxxx,dc=com"
  - "cn=admins,ou=groups,dc=xxxxxxx,dc=com"

This solved the issue.

Thanks

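The thread's root cause was a roles.yml entry that Shield skipped at startup ("could not resolve indices privileges") plus a role_mapping key that named a role nobody defined, both of which only surface as a frozen Kibana. The following pre-flight check is an added example written for this thread, not code from the poster or from Elastic: it takes the two files already parsed into dicts (load them with PyYAML yourself; `load_roles` is not included) and flags privileges that are neither a named Shield 2.x privilege nor a `cluster:`/`indices:` action, and mappings to undefined roles. The named-privilege sets are my reading of the Shield 2.x docs and are assumptions, as is the constructed sample at the bottom.

```python
import re

# Named privileges Shield 2.x accepts (assumed from the docs); anything else
# must be a raw action name ('cluster:...' / 'indices:...'), '*' glob allowed.
CLUSTER_NAMED = {"all", "none", "monitor", "manage", "manage_security"}
INDEX_NAMED = {"all", "none", "manage", "monitor", "read", "index", "create",
               "delete", "write", "create_index", "delete_index",
               "view_index_metadata"}
ACTION_RE = re.compile(r"^(cluster|indices):[\w/.*]+$")

def _split(privs):
    """Privileges may be a YAML list or a comma-separated string."""
    if isinstance(privs, str):
        privs = privs.split(",")
    return [p.strip() for p in privs if p.strip()]

def _index_entries(indices):
    """(pattern, entry) pairs for both layouts: a list of {names, privileges}
    blocks (2.3+) or a map of index pattern -> {privileges, query} / 'all'."""
    if isinstance(indices, list):
        return [(str(e.get("names")), e) for e in indices]
    return [(k, v if isinstance(v, dict) else {"privileges": v})
            for k, v in indices.items()]

def check_roles(roles, role_mapping):
    """Return human-readable problems; an empty list means the files agree."""
    problems = []
    for role, body in roles.items():
        for p in _split(body.get("cluster", [])):
            if p not in CLUSTER_NAMED and not ACTION_RE.match(p):
                problems.append(f"role {role}: bad cluster privilege {p!r}")
        for pattern, entry in _index_entries(body.get("indices", {})):
            for p in _split(entry.get("privileges", [])):
                if p not in INDEX_NAMED and not ACTION_RE.match(p):
                    problems.append(f"role {role} / {pattern}: bad index privilege {p!r}")
    # A mapping to a role that was skipped at startup or never defined grants nothing.
    for role in role_mapping:
        if role not in roles:
            problems.append(f"role_mapping names undefined role {role!r}")
    return problems

# Constructed sample shaped like the thread's files: it contains the typo the
# ERROR line reports and a role_mapping key that matches no defined role.
SAMPLE_ROLES = {
    "admin": {"cluster": ["all"], "indices": [{"names": "*", "privileges": ["all"]}]},
    "isp": {"indices": {"isp*": {"privileges": "all", "query": {"term": {"isp_name": "x"}}}}},
    "kibana": {"indices": {".kibana*": {"privileges": "indicesata/read/get, indices:admin/create"}}},
}
SAMPLE_MAPPING = {"admin": ["cn=admins,ou=groups,dc=example,dc=com"],
                  "kibana4server": ["cn=kibana,ou=groups,dc=example,dc=com"]}
```

Run `check_roles(SAMPLE_ROLES, SAMPLE_MAPPING)` before restarting the node; an empty list means every privilege string resolves and every mapped role exists.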