Skip to content

Latest commit

 

History

History
40 lines (30 loc) · 1.45 KB

reject-machine-to-machine-traffic-using-custom-metadata-ACL-rules.md

File metadata and controls

40 lines (30 loc) · 1.45 KB
description
Reject machine-to-machine traffic using custom metadata ACL rules

Reject machine-to-machine traffic using custom metadata ACL rules

We can also reject the specific request for example based on the custom metadata

  1. Define ACL in your readonlyrest.yml file
  - name: ADMIN_GRP
    groups: [ administrators ]
    kibana:
       access: admin
       index: '.kibana_@{acl:current_group}'
       metadata:
          rejectBasicAuth: true
  1. Declare custom Kibana JS file readonlyrest_kbn.kibana_custom_js_inject_file: '/path/to/custom_kibana.js'. it's injected at the end of the HTML Body tag of the Kibana UI frontend code.
async function customMiddleware(req, res, next) {
   const metadata =
           req.rorRequest && req.rorRequest.getIdentitySession() && req.rorRequest.getIdentitySession().metadata;

   const headerAuth = req.rorRequest && req.rorRequest.getAuthorizationHeaders && req.rorRequest.getHeaders().getAuthorizationHeaders().get('authorization');
   const isBasicAuth = headerAuth && headerAuth.includes('Basic')
   
  if (metadata.customMetadata && metadata.customMetadata.rejectBasicAuth && isBasicAuth) {
     return res.status(401).json({ message: 'Machine to machine communication is not allowed' });
  }

  return next()
}

You can pass any custom metadata and based on it accepts or reject the specific request

⚠️IMPORTANT Custom middleware must return next() function, to not block the request