[ES 6.7.0][RoR 1.18.0-pre1] REFLECTION: Failed to set indices for type SqlQueryRequest
parosio opened this issue · comments
Hello,
when using a canvas we find the indices are not properly filtered by RoR.
Canvas elements are based on queries like select count(*) from some-events-subs-*
and actual indices (or aliases) are like: some-events-subs-vietnam, some-events-subs-congo, some-events-subs-hq, ...
When people who is only assigned a country access the canvas they see all the data, not only that of their country.
Here the person configuration:
- name: VIET DATA
type: allow
kibana_access: ro
proxy_auth:
users: ["VT_ONLY""]
indices: [ "*vietnam", ".kibana*", ".kibana-devnull"]
verbosity: info
We have seen some issue like this here in github.
Is there already a fix for it?
Regards,
Paolo
This was already filed as RORDEV-14, added to current sprint.
cc/ @coutoPL
HI @sscarduzio @coutoPL ,
i can't find tags with "RORDEV-14" to try to understand if this bug is fixed and in which version.
Can you help us to understand that ?
Many thanks,
Filippo
Hi Filippo, @coutoPL is currently actively working on this issue.
yes, of course. I'm about to merge it.
@parosio you can test the implemented feature using this build:
@parosio did you have time to verify all is good?
Hi @sscarduzio,
sorry for the delay of this answer.
I cannot download from the link above. I've tested readonlyrest-1.18.8_es6.7.0.zip
downloaded by @TRISAF.
The new version solve the issue on Sql queries:
curl -XPOST "http://localhost:9202/_xpack/sql?format=csv" -H 'Content-Type: application/json' -d'
> {
> "query": "SELECT company, count(*) FROM \"idx-*\" group by 1 order by 2 desc"
> }' -H 'x-forwarded-user: MYAN_VIET'
company,count(*)
Vietnam,2632
Myanmar,2623
but I experience a strange side effect: using a _cat/indices?v
with a "superuser" I get only the header:
### ROR Config:
- name: HQ Admins
type: allow
proxy_auth:
users: ["PAROSIO"]
### QUERY:
~/elk/elasticsearch-6.7.0/bin> curl -XGET "http://localhost:9202/_cat/indices?v" -H 'x-forwarded-user: PAROSIO'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
### ROR log:
[2019-11-08T10:00:22,622][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [mCMhoMa] ALLOWED by { name: 'HQ Admins', policy: ALLOW, rules: [proxy_auth] req={ ID:1590220440-1272762317#5233, TYP:ClusterStateRequest, CGR:N/A, USR:PAROSIO, BRS:true, KDX:null, ACT:cluster:monitor/state, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:<N/A>, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Host=localhost:9202, User-Agent=curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10, content-length=0, x-forwarded-user=PAROSIO, HIS:[::LOGSTASH::-> RULES:[auth_key->false], RESOLVED:[]], [::KIBANA-SRV::-> RULES:[auth_key->false], RESOLVED:[]], [::PHP::-> RULES:[auth_key->false], RESOLVED:[]], [::NAGIOS::-> RULES:[auth_key->false], RESOLVED:[]], [HQ Admins-> RULES:[proxy_auth->true], RESOLVED:[user=PAROSIO]] }
On limited user I get the expected result:
- name: myanmar_vietnam
kibana_access: ro
proxy_auth:
users: [ "MYAN_VIET" ]
indices: ["*myanmar*","*vietnam*", ".kibana*", ".kibana-devnull"]
~/elk/elasticsearch-6.7.0/bin> curl -XGET "http://localhost:9202/_cat/indices?v" -H 'x-forwarded-user: MYAN_VIET'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open idx-vuln-ass-score-vietnam ZlnwefckSA2-raJ8Uc_g2Q 1 2 2 0 7.4kb 7.4kb
yellow open idx-ib-bc-sub-vietnam szknLMNpRKq-AHV_a9EShg 1 2 1945 0 276.1kb 276.1kb
green open .kibana-6.6.1_4 _vG-dfj3TrOo4yo-X6kWJA 1 0 867 8 2.5mb 2.5mb
yellow open idx-vuln-ass-all-myanmar ApBPa9R4RnmkjSvNyiRStQ 1 2 672 0 110.7kb 110.7kb
yellow open .kibana btdgx5EXRkOd5SsBBAJUCQ 1 1 768 1 1.1mb 1.1mb
yellow open idx-sec-incidents-myanmar KmsVNyrAQtWyXG9Ou2wuAw 1 2 4 0 29kb 29kb
green open .kibana_task_manager klnMBPmXR1ioO_u1_uGhtw 1 0 2 0 14.8kb 14.8kb
green open idx-ib-bc-sub-myanmar -EgWDfBXTqipJGJZpchYfw 1 0 1945 0 266.2kb 266.2kb
yellow open idx-vuln-ass-all-vietnam 2NDgNltpReiT2Dbz4MJ_yQ 1 2 682 0 102.3kb 102.3kb
green open .kibana-6.6.1_3 wzQi1XvZS0-a93Z0S7iaJw 1 0 863 5 2.7mb 2.7mb
yellow open idx-vuln-ass-score-myanmar 9R2AqlBtSXSWEkMhOvTPHw 1 2 2 0 7.3kb 7.3kb
green open .kibana-6.6.1_2 Q58EZV2URAqVkiocQPbteA 1 0 768 0 843.3kb 843.3kb
yellow open idx-sec-incidents-vietnam HpRQfOCOQIGd3cv6f9UxrQ 1 2 3 0 30.9kb 30.9kb
[2019-11-08T11:29:19,921][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [mCMhoMa] ALLOWED by { name: 'myanmar_vietnam', policy: ALLOW, rules: [proxy_auth,kibana_access,indices] req={ ID:301481679-1418583536#29466, TYP:ClusterStateRequest, CGR:N/A, USR:MYAN_VIET, BRS:true, KDX:null, ACT:cluster:monitor/state, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:<N/A>, MET:GET, PTH:/_cat/indices, CNT:<N/A>, HDR:Accept=*/*, Host=localhost:9202, User-Agent=curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10, content-length=0, x-forwarded-user=MYAN_VIET, HIS:[::LOGSTASH::-> RULES:[auth_key->false], RESOLVED:[]], [::KIBANA-SRV::-> RULES:[auth_key->false], RESOLVED:[]], [::PHP::-> RULES:[auth_key->false], RESOLVED:[]], [::NAGIOS::-> RULES:[auth_key->false], RESOLVED:[]], [HQ Admins-> RULES:[proxy_auth->false], RESOLVED:[]], [HQ ReadOnly-> RULES:[proxy_auth->false], RESOLVED:[]], [Norge-> RULES:[proxy_auth->false], RESOLVED:[]], [eastafrica-> RULES:[proxy_auth->false], RESOLVED:[]], [versalis_int_bruxelles-> RULES:[proxy_auth->false], RESOLVED:[]], [myanmar_vietnam-> RULES:[proxy_auth->true, kibana_access->true, indices->true], RESOLVED:[user=MYAN_VIET;indices=idx-vuln-ass-all-vietnam-alias,idx-sec-incidents-myanmar,.kibana_task_manager,idx-va-latest-score-vietnam,idx-ib-blue-coat-sub-vietnam-alias,idx-sec-incidents-vietnam-alias,idx-vuln-ass-all-myanmar,idx-ib-blue-coat-sub-myanmar,.kibana-6.6.1_3,idx-va-latest-score-myanmar,idx-vuln-ass-score-vietnam,idx-va-latest-all-myanmar,.kibana-6.6.1_2,idx-ib-blue-coat-sub-myanmar-alias,idx-sec-incidents-myanmar-alias,idx-vuln-ass-score-vietnam-alias,idx-ib-blue-coat-sub-vietnam,idx-vuln-ass-score-myanmar,idx-sec-incidents-vietnam,idx-va-latest-all-vietnam,idx-vuln-ass-score-myanmar-alias,idx-vuln-ass-all-myanmar-alias,.kibana.5.4.0.bkp,idx-vuln-ass-all-vietnam,.kibana-6.6.1_4,.kibana-6.6.1,.kibana]] }
It seems that somehow the query has been translated to a TYP:ClusterStateRequest
and ACT:cluster:monitor/state
.
Could you please take a look at this?
@parosio please check out this build:
Hi @coutoPL, and thank you;
this build works as expected either for sql queries and _cat queries, and for different kind of users.
Do you know if there is a date for official 1.18.9?
Thank you again,
Paolo
@parosio I think this week there will be official release of 1.18.9. Stay tuned :)
I'm closing the issue, so the main topic is solved.