DLS/FLS broken? (kibana 4) #7

Closed
pdepaepe opened this issue Nov 13, 2015 · 10 comments

@pdepaepe

Hello,

Kibana: 4.1.1
Elasticsearch: 1.7.3

Thanks for the fork. Configuration given by SergeyBear on this page works.

floragunncom/search-guard#3

Now I'm trying to activate this FLS configuration:

armor.rewrite_get_as_search: true
armor.flsfilter.names: ["stripsensitive"]
armor.flsfilter.stripsensitive.source_includes: []
armor.flsfilter.stripsensitive.source_excludes: ["41281f0f7948"]

and "filters_bypass": ["flsfilter.stripsensitive"] on kibana part, it breaks, even for root user with a

TypeError: Cannot read property 'timed_out' of undefined
    at http://localhost:5601/index.js?_b=7489:43071:17
    at Function.Promise.try (http://localhost:5601/index.js?_b=7489:46434:26)
    at http://localhost:5601/index.js?_b=7489:46412:27
    at Array.map (native)
    at Function.Promise.map (http://localhost:5601/index.js?_b=7489:46411:30)
    at callResponseHandlers (http://localhost:5601/index.js?_b=7489:43064:22)
    at http://localhost:5601/index.js?_b=7489:43182:16
    at wrappedCallback (http://localhost:5601/index.js?_b=7489:20893:81)
    at wrappedCallback (http://localhost:5601/index.js?_b=7489:20893:81)
    at http://localhost:5601/index.js?_b=7489:20979:26

Same for DLS, with this configuration

armor.rewrite_get_as_search: true
armor.dlsfilter.names: ["a"]
armor.dlsfilter.a: ["exists","source", "false"]

This time, filter is not given to anyone and kibana still breaks on this.

When I remove dls/fls rules from yaml, it works again.

Did I miss something?

Thanks for your help

@etfeet

etfeet commented Nov 13, 2015

Have you tried removing the includes line from your fls filter?

If I'm not mistaken the include line will return no results if it's empty.

If you only have an exclude line it will return all fields except the ones specified by the exclude parameter.

i.e.

armor.flsfilter.names: ["stripsensitive"]
armor.flsfilter.stripsensitive.source_excludes: ["41281f0f7948"]
...

Rory

@pdepaepe
Author

Tried, without success. Same behavior, all accounts are broken (even root).

@etfeet

etfeet commented Nov 16, 2015

Could you post your full elasticsearch config and an example elasticsearch document and what field you're trying to filter on?

@pdepaepe
Author

To be clear, I don't have problems with Armor, ES, DLS or FLS activated.
Results from curl queries are ok.

Problem comes from kibana, it's very similar to bugs previously reported on guard:

https://github.com/floragunncom/search-guard/issues/12
https://groups.google.com/forum/#!topic/search-guard/hQuh6u_xe-0

@etfeet

etfeet commented Nov 17, 2015

You might be better off restricting a user/group to an elasticsearch alias and then using armor to restrict that user to the elasticsearch alias.

An alias allows you to give them a filtered view of the index.

https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html

@pdepaepe
Author

I know alias, I don't see how it will help Kibana to work on Armor with DLS/FLS ON.

@etfeet

etfeet commented Nov 17, 2015

Alias gives you the same functionality as dls so you don't need armor to do dls. You just have armor do fls to hide the field that lets you map to your users for multi-tenancy.

Let's say you have an index with shared user data. You want to restrict each user to only their data and hide the field that identifies which user the elastic doc belongs to.

You could do something like this:

User: fred

Es doc:

Account: fred

Elastic Alias:
Name: fred-yyyy.mm.dd
Index: myapp-yyyy.mm.dd
Terms: account: fred

Armor:
Alias: fred-yyyy.mm.dd
User: fred
Execute: flsfilter.stripaccount

@askoi

askoi commented Nov 18, 2015

Hello,

I'm facing the same issue.
I think it's caused by the response format of the rewritten mget.

With armor.rewrite_get_as_search: true (Kibana doesn't work):

$ curl -XPOST -i -u user01 localhost:9200/_mget -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}'
Enter host password for user 'user01':
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 115

{"_index":".kibana","_type":"config","_id":"4.1.2","found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}

With armor.rewrite_get_as_search: false (Kibana works well):

$ curl -XPOST -i -u user01 localhost:9200/_mget -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2"}]}'
Enter host password for user 'user01':
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 139

{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2","_version":2,"found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}]}

The latter has a "docs" key at the beginning.
Is the former the correct format?
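
An added example, not part of the thread or of Armor's own code: a check that flags an _mget response lacking the top-level "docs" array, run against the two response bodies quoted in the comment above. The names checkMgetResponse and excludedFields are hypothetical, and excluded fields are matched against top-level _source keys only.

```javascript
// Added example (not from the thread): shape check for an _mget response.
// The two sample bodies are the ones quoted in the comment above.
const REQUEST = { docs: [{ _index: '.kibana', _type: 'config', _id: '4.1.2' }] };
const REWRITE_ON = '{"_index":".kibana","_type":"config","_id":"4.1.2","found":true,' +
  '"_source":{"buildNum":7562,"defaultIndex":"armor"}}';
const REWRITE_OFF = '{"docs":[{"_index":".kibana","_type":"config","_id":"4.1.2","_version":2,' +
  '"found":true,"_source":{"buildNum":7562,"defaultIndex":"armor"}}]}';

// Returns a list of problems; an empty list means the body has the multi-get
// shape and no excluded field is visible. excludedFields is matched against
// top-level _source keys only (assumption: no wildcards or dotted paths).
function checkMgetResponse(rawBody, request, excludedFields = []) {
  const problems = [];
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return ['body is not valid JSON'];
  }
  const isObject = body !== null && typeof body === 'object';
  if (!isObject || !Array.isArray(body.docs)) {
    problems.push('missing top-level "docs" array');
    if (isObject && '_id' in body) problems.push('single document returned at top level');
    return problems;
  }
  if (body.docs.length !== request.docs.length) {
    problems.push(`expected ${request.docs.length} docs, got ${body.docs.length}`);
  }
  body.docs.forEach((doc, i) => {
    if (!doc || typeof doc !== 'object') return problems.push(`docs[${i}] is not an object`);
    const wanted = request.docs[i];
    // Compare _id only: behind an alias, _index is the concrete index name.
    if (wanted && doc._id !== wanted._id) {
      problems.push(`docs[${i}]._id is ${doc._id}, requested ${wanted._id}`);
    }
    for (const field of excludedFields) {
      if (doc._source && Object.prototype.hasOwnProperty.call(doc._source, field)) {
        problems.push(`docs[${i}]._source exposes excluded field ${field}`);
      }
    }
  });
  return problems;
}

console.log('rewrite on :', checkMgetResponse(REWRITE_ON, REQUEST));
console.log('rewrite off:', checkMgetResponse(REWRITE_OFF, REQUEST));
```

Passing the field names from source_excludes as the third argument makes the same check report a filtered field that still appears in a returned document.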

@pdepaepe
Author

Both solutions

- armor.rewrite_get_as_search: false
- ES alias

work great!

Thanks a lot for your help.

@jmaitrehenry
Contributor

Nice, we should add that to the documentation!
