Klaus

Reputation: 2396

Readonlyrest and Kibana Permission Configuration

I'm trying to set up a basic readonlyrest example with Kibana. My config is as follows:

readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    access_control_rules:

    - name: Accept requests from users in group team1 on index1
      type: allow
      hosts: [localhost,127.0.0.1,10.0.0.0/24]
      groups: ["team1"]
      actions: ["indices:data/read","indices:data/read/mge/*","indices:data/read/mget","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create", "cluster:monitor/*"]
      indices: ["<no-index>", ".kibana*", "logstash*", "default" ,"sha*" ,"ba*"]

    users:

    - username: alice
      auth_key: alice:p455phrase
      groups: ["team1"]

Unfortunately, this does not work. I keep getting an Authorization exception with the following error message in the Elasticsearch logs:

no block has matched, forbidding by default: { action: indices:data/read/mget, 
OA:127.0.0.1, indices:[.kibana], M:POST, P:/_mget, C:{"docs":[{"_index":".kibana",
"_type":"config","_id":"4.6.1"}]}, Headers:[]}

What is missing in my config?

In kibana.yml the configuration is:

elasticsearch.username: "alice"
elasticsearch.password: "p455phrase"

Upvotes: 2

Views: 3103

Answers (1)

sscarduzio

Reputation: 6188

If your use case is basic Kibana authentication, you should follow the example in the documentation.

Once you get that working, you could modify the example to assign the required rules to groups, and groups to your hard-coded users.

Keep in mind that this will not be a production-ready solution, due to the crappy security level offered by HTTP basic auth between browser and Kibana:

  1. The browser will pass the credentials unencrypted at every request
  2. No way for the user to "logout" from Kibana

Nowadays ReadonlyREST offers two Kibana plugins (PRO and Enterprise), which fix the above limitations using encrypted cookies and by injecting a logout button into the Kibana UI.

The 30-day trial is available for download.

Upvotes: 1
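
A triage sketch for the log line in the question, added here as an example and not part of either post or of ReadonlyREST: it parses the forbidden-request line and tests the rule's hosts, actions and indices entries against it, leaving the groups condition (which depends on authentication) unevaluated. Glob matching via fnmatch and CIDR matching via ipaddress are assumptions standing in for the plugin's own matching, and the function names are hypothetical.

```python
import fnmatch
import ipaddress
import re

# Constructed input: the log line from the question, joined onto one line.
LOG_LINE = (
    'no block has matched, forbidding by default: { action: indices:data/read/mget, '
    'OA:127.0.0.1, indices:[.kibana], M:POST, P:/_mget, '
    'C:{"docs":[{"_index":".kibana","_type":"config","_id":"4.6.1"}]}, Headers:[]}')

# hosts, actions and indices copied from the rule in the question.
RULE = {
    "hosts": ["localhost", "127.0.0.1", "10.0.0.0/24"],
    "actions": ["indices:data/read", "indices:data/read/mge/*", "indices:data/read/mget",
                "indices:data/read/*", "indices:data/write/*", "indices:admin/template/*",
                "indices:admin/create", "cluster:monitor/*"],
    "indices": ["<no-index>", ".kibana*", "logstash*", "default", "sha*", "ba*"],
}

FIELDS = re.compile(
    r"action: (?P<action>[^,]+), OA:(?P<oa>[^,]+), indices:\[(?P<indices>[^\]]*)\], "
    r"M:(?P<method>\w+), P:(?P<path>[^,]+), C:(?P<content>.*), Headers:\[(?P<headers>[^\]]*)\]")

def parse_forbidden(line):
    """Split a forbidden-request log line into its named fields."""
    m = FIELDS.search(line)
    if m is None:
        raise ValueError("not a forbidden-request log line in the expected layout")
    req = m.groupdict()
    for key in ("indices", "headers"):  # bracketed lists become Python lists
        req[key] = [v.strip() for v in req[key].split(",") if v.strip()]
    return req

def host_matches(addr, entries):
    """True if addr equals an entry or falls inside an entry's CIDR range."""
    for entry in entries:
        try:
            if ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # entry (or addr) is a hostname: compare literally
            if addr == entry:
                return True
    return False

def triage(req, rule):
    """Report which statically checkable rule conditions the request satisfies."""
    glob_any = lambda value, pats: any(fnmatch.fnmatchcase(value, p) for p in pats)
    return {"hosts": host_matches(req["oa"], rule["hosts"]),
            "actions": glob_any(req["action"], rule["actions"]),
            "indices": all(glob_any(i, rule["indices"]) for i in req["indices"]),
            "request_headers_logged": req["headers"]}
```

Running `triage(parse_forbidden(LOG_LINE), RULE)` shows which of the three conditions hold for the rejected request, so any remaining mismatch can be narrowed to the groups condition and the credentials Kibana sends.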
