Read only mode is not working here

Search Guard version: searchguard@6.4.2-15

Elasticsearch version: 6.4.2

No Enterprise Modules

openjdk version “1.8.0_181”
Ubuntu 18.04

I tried to configure the searchguard read only mode defining

searchguard.readonly_mode.roles: ["sg_kibana_user"]

in kibana.yml.

When logging in as kibanaro I can access everything in Kibana, including management, monitoring, dev tools. …

I read this https://docs.search-guard.com/latest/kibana-read-only (Kibana Read Only mode | Security for Elasticsearch | Search Guard)

and this https://github.com/floragunncom/search-guard-kibana-plugin/issues/48

and tried the sg_kibana_user.

But it has no effect.

Thanks for your help.

Hi,

I can’t reproduce this behavior. Just did a vanilla install, added

searchguard.readonly_mode.roles: ["sg_kibana_user"]

to kibana.yml and logged in as kibanaro. Only the dashboard and multi tenancy links are displayed. Can you attach your Kibana / ES / SG configuration?

On Friday, October 19, 2018 at 9:10:00 AM UTC+2, Harald Zahn wrote:

Hi,

my configs (just played around a bit, so they are a bit different now):

kibana.yml:

server.port: 5601
server.host: "scanlog"
elasticsearch.url: "https://scanlog.klinikum.de:9200"
kibana.index: ".kibana-6"
kibana.defaultAppId: "discover/2bd32c50-c2e1-11e8-8acc-e57942dc4ef5"
logging.dest: /var/log/elasticsearch/kibana.log
xpack.security.enabled: false
elasticsearch.username: "kibanaserver"
elasticsearch.password: "XXX"
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/etc/kibana/root-ca.pem"
searchguard.readonly_mode.roles: ["sg_readonly"]
searchguard.auth.type: "basicauth"
xpack.apm.enabled: false
xpack.graph.enabled: false
xpack.grokdebugger.enabled: false
xpack.ml.enabled: false
xpack.security.enabled: false

elasticsearch.yml:

cluster.name: LOGSTASH
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: ["xxxxx"]
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.zen.ping.unicast.hosts: ["xxxxx", "yyyyyy"]
discovery.zen.minimum_master_nodes: 2
xpack.security.enabled: false
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.watcher.enabled: false
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: XXXXXXX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: XXXXXXXXX
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
  - CN=XXXX
  - CN=XXXX
searchguard.authcz.admin_dn:
  - CN=XXXX
  - CN=XXXX
searchguard.allow_unsafe_democertificates: true
searchguard.enterprise_modules_enabled: false

Searchguard:

sg_action_groups.yml

UNLIMITED:
  readonly: true
  permissions:
    - "*"

# INDEX LEVEL

INDICES_ALL:
  readonly: true
  permissions:
    - "indices:*"

# for backward compatibility
ALL:
  readonly: true
  permissions:
    - INDICES_ALL

MANAGE:
  readonly: true
  permissions:
    - "indices:monitor/*"
    - "indices:admin/*"

CREATE_INDEX:
  readonly: true
  permissions:
    - "indices:admin/create"
    - "indices:admin/mapping/put"

MANAGE_ALIASES:
  readonly: true
  permissions:
    - "indices:admin/aliases*"

# for backward compatibility
MONITOR:
  readonly: true
  permissions:
    - INDICES_MONITOR

INDICES_MONITOR:
  readonly: true
  permissions:
    - "indices:monitor/*"

DATA_ACCESS:
  readonly: true
  permissions:
    - "indices:data/*"
    - CRUD

WRITE:
  readonly: true
  permissions:
    - "indices:data/write*"
    - "indices:admin/mapping/put"

READ:
  readonly: true
  permissions:
    - "indices:data/read*"
    - "indices:admin/mappings/fields/get*"

DELETE:
  readonly: true
  permissions:
    - "indices:data/write/delete*"

CRUD:
  readonly: true
  permissions:
    - READ
    - WRITE

SEARCH:
  readonly: true
  permissions:
    - "indices:data/read/search*"
    - "indices:data/read/msearch*"
    - SUGGEST

SUGGEST:
  readonly: true
  permissions:
    - "indices:data/read/suggest*"

INDEX:
  readonly: true
  permissions:
    - "indices:data/write/index*"
    - "indices:data/write/update*"
    - "indices:admin/mapping/put"
    - "indices:data/write/bulk*"

GET:
  readonly: true
  permissions:
    - "indices:data/read/get*"
    - "indices:data/read/mget*"

# CLUSTER LEVEL

CLUSTER_ALL:
  readonly: true
  permissions:
    - "cluster:*"

CLUSTER_MONITOR:
  readonly: true
  permissions:
    - "cluster:monitor/*"

CLUSTER_COMPOSITE_OPS_RO:
  readonly: true
  permissions:
    - "indices:data/read/mget"
    - "indices:data/read/msearch"
    - "indices:data/read/mtv"
    - "indices:data/read/coordinate-msearch*"
    - "indices:admin/aliases/exists*"
    - "indices:admin/aliases/get*"
    - "indices:data/read/scroll"

CLUSTER_COMPOSITE_OPS:
  readonly: true
  permissions:
    - "indices:data/write/bulk"
    - "indices:admin/aliases*"
    - "indices:data/write/reindex"
    - CLUSTER_COMPOSITE_OPS_RO

MANAGE_SNAPSHOTS:
  readonly: true
  permissions:
    - "cluster:admin/snapshot/*"
    - "cluster:admin/repository/*"

sg_internal_users.yml

# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

admin:
  readonly: true
  hash: XXX
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3

logstash:
  hash: xxx
  roles:
    - logstash

kibanaserver:
  readonly: true
  hash: xxx

kibanaro:
  hash: xxx
  roles:
    - kibanauser
    - readall
    - gast

sg_roles.yml:

sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*':
      '*':
        - CRUD
        - CREATE_INDEX

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

# X-Pack COMPATIBILITY
sg_xp_monitoring:
  readonly: true
  cluster:
    - cluster:monitor/xpack/info
    - cluster:monitor/main
    - cluster:admin/xpack/monitoring/bulk
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_readonly:
  readonly: true
  indices:
    'logstash-*':
      '*':
        - READ

sg_admin:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  # tenants:
  #   admin_tenant: RW

sg_roles_mapping.yml:

# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml

sg_all_access:
  readonly: true
  backendroles:
    - admin
  users:
    - admin

sg_admin:
  readonly: true
  backendroles:
    - admin
  users:
    - admin

sg_logstash:
  backendroles:
    - logstash
  users:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_xp_monitoring:
  users:
    - logstash
    - admin

sg_readonly:
  readonly: true
  backendroles:
    - readonly
    - gast

sg_config.yml:

searchguard:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    kibana:
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
      # To make this work you need to install Home · floragunncom/search-guard-module-kibana-multitenancy Wiki · GitHub
      multitenancy_enabled: false
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see Pattern (Java Platform SE 7 ) for regex help
        ###### more information about XFF X-Forwarded-For - Wikipedia
        ###### and here RFC 7239: Forwarded HTTP Extension
        ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null

    authz:
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou=people,o=TEST'
            #  - '/\S*/'
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...

The changes I made now were because of a problem with the permissions (described in another post), but they had no effect on this problem.

Thanks for looking after it.
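Added example, not code from this thread or from Search Guard: a small Python check that resolves which Search Guard roles a Kibana user ends up with and whether one of them is listed in kibana.yml's searchguard.readonly_mode.roles. The user and mapping entries are transcribed from the posted sg_internal_users.yml, sg_roles_mapping.yml and kibana.yml (hashes left out); the resolution rule is the documented one (a role applies when the user name is under users or a backend role is under backendroles).

```python
# Added example, not from the thread or the Search Guard code base. The three
# fragments below are transcribed from the posted sg_internal_users.yml,
# sg_roles_mapping.yml and kibana.yml; password hashes are left out because they
# play no part in role mapping.
INTERNAL_USERS = {
    "admin":        {"roles": ["admin"]},
    "logstash":     {"roles": ["logstash"]},
    "kibanaserver": {"roles": []},
    "kibanaro":     {"roles": ["kibanauser", "readall", "gast"]},
}

ROLES_MAPPING = {
    "sg_all_access":    {"backendroles": ["admin"], "users": ["admin"]},
    "sg_admin":         {"backendroles": ["admin"], "users": ["admin"]},
    "sg_logstash":      {"backendroles": ["logstash"], "users": ["logstash"]},
    "sg_kibana_server": {"users": ["kibanaserver"]},
    "sg_xp_monitoring": {"users": ["logstash", "admin"]},
    "sg_readonly":      {"backendroles": ["readonly", "gast"]},
}

# kibana.yml: searchguard.readonly_mode.roles
READONLY_MODE_ROLES = ["sg_readonly"]


def resolve_sg_roles(user, internal_users=INTERNAL_USERS, mapping=ROLES_MAPPING):
    """Map an internal user to Search Guard roles the way sg_roles_mapping.yml
    does: a role applies if the user name is listed under 'users' or one of the
    user's backend roles is listed under 'backendroles'. Returns {role: reason}."""
    backend = set(internal_users.get(user, {}).get("roles", []))
    resolved = {}
    for sg_role, rule in mapping.items():
        if user in rule.get("users", []):
            resolved[sg_role] = "user %s listed directly" % user
            continue
        hit = backend & set(rule.get("backendroles", []))
        if hit:
            resolved[sg_role] = "backend role " + ", ".join(sorted(hit))
    return resolved


def readonly_mode_applies(user, readonly_roles=READONLY_MODE_ROLES, **kw):
    """Read-only mode is documented to apply when one of the user's Search Guard
    roles is in readonly_mode.roles; return (applies, resolved_roles, matches)."""
    resolved = resolve_sg_roles(user, **kw)
    matches = sorted(set(resolved) & set(readonly_roles))
    return bool(matches), resolved, matches


if __name__ == "__main__":
    for user in INTERNAL_USERS:
        print(user, readonly_mode_applies(user))
```

With the posted files, kibanaro reaches sg_readonly through the gast backend role, while sg_kibana_user, the role named in the first post, does not appear in the posted sg_roles_mapping.yml at all.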

Solved…

I deleted all cookies and the browser-cache, restarted the browser (firefox 2) and it works.

Don't know what happened.