Elastic-HQ grants other users access to Elasticsearch without authorization if one user was authorized #530

Open
svk-28 opened this issue Dec 2, 2020 · 0 comments

svk-28 commented Dec 2, 2020

General information

  • OS Platform and Distribution (e.g., Linux Ubuntu 16.04): CentOS Linux release 7.8.2003 (Core)
  • ElasticHQ Version: elastichq/elasticsearch-hq:latest
  • Elasticsearch Version: opendistro-for-elasticsearch:1.9.0
  • Python version (ignore if using docker image):
  • Browser Vendor and Version (if applicable): Firefox, Chrome, Edge

The system is running in Docker. User access is via HTTPS. For this purpose, elastic-hq is located behind nginx.
Elasticsearch used LDAP authentication and authorization.

Issue Description

There was a problem with access to the Elasticsearch cluster: if one user was authorized in ES via Elastic-HQ, then other users (from different workstations) who selected the desired cluster in the dialog get access to Elasticsearch without authorization.

Source Code / Logs

docker-compose
nginx:
  image: nginx
  container_name: nginx
  env_file:
    - .env
  restart: always
  ports:
    - 443:443
  environment:
    - NGINX_HOST=${NGINX_HOST}
  volumes:
    - ./nginx/templates:/etc/nginx/templates
    - ./ssl/cert.pem:/etc/nginx/certs/nginx-selfsigned.pem:ro
    - ./ssl/client.key:/etc/nginx/certs/nginx-selfsigned.key:ro
  networks:
    - odfe-net
elastic-hq:
  image: elastichq/elasticsearch-hq
  container_name: elastic-hq
  restart: always
  environment:
    - HQ_CA_CERTS=/src/ca.pem
    - CLIENT_KEY=/src/client.key
    - CLIENT_CERT=/src/client.pem
    - HQ_ENABLE_SSL=True
    - HQ_VERIFY_CERTS=False
    - HQ_DEFAULT_URL=https://odfe-node1:9200
  volumes:
    - ./ssl/MyRootCA.pem:/src/ca.pem:ro
    - ./ssl/crert.pem:/src/client.pem:ro
    - ./ssl/client.key:/src/client.key:ro
  networks:
    - odfe-net
  depends_on:
    - nginx

nginx.conf.template
server {
    listen 443 ssl;
    server_name ${NGINX_HOST};
    client_max_body_size 100M;
    ssl_certificate /etc/nginx/certs/nginx-selfsigned.pem;
    ssl_certificate_key /etc/nginx/certs/nginx-selfsigned.key;

    location / {
        proxy_pass http://elastic-hq:5000;
        # proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
