ElasticHQ / elasticsearch-HQ

Monitoring and Management Web Application for ElasticSearch instances and clusters.

Home Page: http://www.elastichq.org

Elastic-HQ grants other users access to Elasticsearch without authorization if one user was authorized

svk-28 opened this issue

General information

  • OS Platform and Distribution (e.g., Linux Ubuntu 16.04): CentOS Linux release 7.8.2003 (Core)
  • ElasticHQ Version: elastichq/elasticsearch-hq:latest
  • Elasticsearch Version: opendistro-for-elasticsearch:1.9.0
  • Python version (ignore if using docker image):
  • Browser Vendor and Version (if applicable): FireFox, Chrome, Edge

The system is running in Docker. User access is via HTTPS; for this purpose, elastic-hq is located behind nginx.
Elasticsearch uses LDAP authentication and authorization.

Issue Description

There was a problem with access to the Elasticsearch cluster: if one user was authorized in ES via Elastic-HQ, then other users (from a different workstation) who selected the desired cluster in the dialog got access to Elasticsearch without authorization.

Source Code / Logs

docker-compose

```yaml
nginx:
  image: nginx
  container_name: nginx
  env_file:
    - .env
  restart: always
  ports:
    - 443:443
  environment:
    - NGINX_HOST=${NGINX_HOST}
  volumes:
    - ./nginx/templates:/etc/nginx/templates
    - ./ssl/cert.pem:/etc/nginx/certs/nginx-selfsigned.pem:ro
    - ./ssl/client.key:/etc/nginx/certs/nginx-selfsigned.key:ro
  networks:
    - odfe-net
elastic-hq:
  image: elastichq/elasticsearch-hq
  container_name: elastic-hq
  restart: always
  environment:
    - HQ_CA_CERTS=/src/ca.pem
    - CLIENT_KEY=/src/client.key
    - CLIENT_CERT=/src/client.pem
    - HQ_ENABLE_SSL=True
    - HQ_VERIFY_CERTS=False
    - HQ_DEFAULT_URL=https://odfe-node1:9200
  volumes:
    - ./ssl/MyRootCA.pem:/src/ca.pem:ro
    - ./ssl/crert.pem:/src/client.pem:ro
    - ./ssl/client.key:/src/client.key:ro
  networks:
    - odfe-net
  depends_on:
    - nginx
```

nginx.conf.template

```nginx
server {
    listen 443 ssl;
    server_name ${NGINX_HOST};
    client_max_body_size 100M;
    ssl_certificate /etc/nginx/certs/nginx-selfsigned.pem;
    ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;

    location / {
        proxy_pass http://elastic-hq:5000;
        # proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
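One mitigation for a deployment like the one in the report, as an added example that is neither the reporter's template nor ElasticHQ project code: since the backend keeps the cluster connection for everyone once a single user has connected, the reverse proxy has to decide who may reach ElasticHQ at all. It assumes an htpasswd file (created with `htpasswd`) mounted at the hypothetical path /etc/nginx/auth/hq.htpasswd; the listener, certificate paths and upstream are taken from the reporter's template.

```nginx
server {
    listen 443 ssl;
    server_name ${NGINX_HOST};
    client_max_body_size 100M;
    ssl_certificate     /etc/nginx/certs/nginx-selfsigned.pem;
    ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;
    # Pin the protocol floor; default nginx builds may still accept TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Front-door authentication: nobody reaches ElasticHQ, and therefore
        # the cluster connection it already holds, without a proxy login.
        auth_basic           "ElasticHQ";
        auth_basic_user_file /etc/nginx/auth/hq.htpasswd;  # hypothetical path

        proxy_pass http://elastic-hq:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass the authenticated proxy user upstream so the access log can tie
        # cluster actions to a named person instead of to the shared session.
        proxy_set_header X-Forwarded-User  $remote_user;
    }
}
```

Mount the htpasswd file into the nginx container (for example `- ./nginx/auth:/etc/nginx/auth:ro` under the nginx service's volumes) and do not publish port 5000 of the elastic-hq container on the host, so the proxy is the only path in. Separately, `HQ_VERIFY_CERTS=False` in the compose file means ElasticHQ does not verify the node's certificate even though a CA is mounted via `HQ_CA_CERTS`, so the HQ-to-cluster leg is only as trustworthy as the odfe-net network.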