User can access index not allowed in role (security is not working)

Hi community,
I am asking for advice, if you could help with this security problem:

ES version 7.92 (in docker)
created role with access to the index bs_hdm_tr69_*
created user with this role
but user can access all indices
i.e.: this index should not be accessible but the query provides results
curl -s -XGET -u test_simik:test_simik "http://oscar1:9200/bs_config_00001/_search"
I supposed the user can access only the bs_hdm_tr69_* index

Please, do you have any advice on how to troubleshoot this?
I also have 2 non-docker clusters installed on CentOS, and the security there works normally.

role:

{
  "elastic-ntw-hdm_tr69" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "bs_hdm_tr69_*"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "all"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

and user spec

{
  "test_simik" : {
    "username" : "test_simik",
    "roles" : [
      "elastic-ntw-hdm_tr69"
    ],
    "full_name" : "test_simik",
    "email" : "petr.simik@xxx.cz",
    "metadata" : { },
    "enabled" : true
  }
}

Hello Petr,

Have you already tried to use the authenticate API? When used, it returns all roles the current user has - maybe the privilege is coming from another role?

Best regards
Wolfram


Thank you (very fast response, I was very surprised).
I tried the API; it provides this result.
Do you see anything interesting there?

$ curl -s -XGET -u test_simik:test_simik "http://oscar1:9200/_security/_authenticate?pretty"
{
  "username" : "test_simik",
  "roles" : [
     "elastic-ntw-hdm_tr69"
  ],
  "full_name" : "test_simik",
  "email" : "petr.simik@xxx.cz",
  "metadata" : { },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "default_native",
    "type" : "native"
  },
  "lookup_realm" : {
    "name" : "default_native",
    "type" : "native"
  }
}

Unfortunately, I cannot see anything wrong with this. Have you tried accessing the index anonymously? Maybe this index is accessible by everyone?


Yes, this is the case!!!
Thank you, you guided me to the point of the problem.

I will explain:
working scenario kibana->[elastic_node_loadbalancer_only]{anonymous disabled}
not working scenario kibana->[elastic_node_universal_node]{anonymous enabled}

I forgot that in the docker version I have kibana configured against all data nodes with anonymous mode enabled, but the problematic cluster is a VM-based implementation where I have kibana configured against a loadbalancer node running on the same VM with anonymous mode disabled. The reason for having anonymous mode is user clients from the old past when elastic did not support security, and I am waiting for the developers to reconfigure all the clients before I disable this anonymous mode.

So thank you for the very fast responses.
I have not checked this hypothesis yet, but I am sure it is.

So the solution will be to implement a docker elastic loadbalancer node with disabled security and configure kibana against this node.

#-------enable anonymous mode user: anonymous_user -------
xpack.security.authc:
  anonymous:
    username: anonymous_user
    roles: anonymous_full
    authz_exception: true
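The following is an added example (not code from the thread or from Elasticsearch) that models the symptom discussed above in Python: a user whose only role is scoped to bs_hdm_tr69_* suddenly reads bs_config_00001 once anonymous access is enabled with a broad anonymous role. The role definition is the one from the thread; the contents of the anonymous_full role are constructed (the page never shows it), and the model assumes that, with anonymous access enabled, the anonymous user's roles are added to the effective roles of every request, which is the assumption that reproduces the thread's observation. It is a simplified model of privilege resolution, not Elasticsearch's own code.

```python
"""Simplified model of Elasticsearch index read-access resolution.

Constructed data and simplified rules (not Elasticsearch's own code):
- a role grants a privilege on an index if any of its index entries lists
  that privilege and has a name pattern matching the index;
- entries with allow_restricted_indices == False never match restricted
  system indices, even with a '*' pattern;
- when anonymous access is enabled, the anonymous user's roles are merged
  into every request's effective roles (assumption of this model).
"""
from fnmatch import fnmatchcase

ROLES = {
    # Role from the thread, trimmed to its index section.
    "elastic-ntw-hdm_tr69": {
        "indices": [
            {"names": ["bs_hdm_tr69_*"], "privileges": ["read"],
             "allow_restricted_indices": False},
        ],
    },
    # Constructed: a plausible permissive anonymous role named like the
    # 'anonymous_full' in the thread's YAML. Its real contents are not shown.
    "anonymous_full": {
        "indices": [
            {"names": ["*"], "privileges": ["read"],
             "allow_restricted_indices": False},
        ],
    },
}

# Restricted system indices that a '*' pattern must not reach by default.
RESTRICTED_PREFIXES = (".security",)


def anonymous_config(enabled, roles=("anonymous_full",)):
    """Mirror of xpack.security.authc.anonymous from the thread's YAML."""
    return {"enabled": enabled, "roles": list(roles)}


def effective_roles(user_roles, anon):
    """Roles that apply to a request made by this user under this config."""
    roles = list(user_roles)
    if anon["enabled"]:
        roles += [r for r in anon["roles"] if r not in roles]
    return roles


def is_restricted(index):
    return index.startswith(RESTRICTED_PREFIXES)


def role_grants(role_name, index, privilege):
    """True if one named role grants `privilege` on `index`."""
    for entry in ROLES[role_name]["indices"]:
        if privilege not in entry["privileges"]:
            continue
        if is_restricted(index) and not entry["allow_restricted_indices"]:
            continue
        if any(fnmatchcase(index, pattern) for pattern in entry["names"]):
            return True
    return False


def granting_roles(index, user_roles, anon):
    """Roles that grant read on `index`; an empty list means access denied."""
    return [r for r in effective_roles(user_roles, anon)
            if role_grants(r, index, "read")]


def can_read(index, user_roles, anon):
    return bool(granting_roles(index, user_roles, anon))


if __name__ == "__main__":
    user = ["elastic-ntw-hdm_tr69"]
    for enabled in (False, True):
        anon = anonymous_config(enabled)
        for idx in ("bs_hdm_tr69_2021", "bs_config_00001", ".security-7"):
            print(f"anonymous={enabled!s:5} {idx:18} -> "
                  f"{granting_roles(idx, user, anon)}")
```

Run as a script, it prints which role grants read for each index under both settings; bs_config_00001 is granted only by anonymous_full, and only when anonymous access is enabled. On a live cluster the corresponding check is the one suggested in the thread: repeat the curl without -u and see whether the unauthenticated request still returns hits.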