Readonlyrest and Kibana Permission Configuration - security

I'm trying to setup a basic readonlyrest example with Kibana. My config is as follows:
readonlyrest:
enable: true
response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
access_control_rules:
- name: Accept requests from users in group team1 on index1
type: allow
hosts: [localhost,127.0.0.1,10.0.0.0/24]
groups: ["team1"]
actions: ["indices:data/read","indices:data/read/mge/*","indices:data/read/mget","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create", "cluster:monitor/*"]
indices: ["<no-index>", ".kibana*", "logstash*", "default" ,"sha*" ,"ba*"]
users:
- username: alice
auth_key: alice:p455phrase
groups: ["team1"]
Unfortunately this does not work. I keep getting Authorization exception with the following error message in elasticsearch logs:
no block has matched, forbidding by default: { action: indices:data/read/mget,
OA:127.0.0.1, indices:[.kibana], M:POST, P:/_mget, C:{"docs":[{"_index":".kibana",
"_type":"config","_id":"4.6.1"}]}, Headers:[]}
What is missing in my config?
In kibana.yml the configuration is:
elasticsearch.username: "alice"
elasticsearch.password: "p455phrase"

If you use case is a basic kibana authentication, you should follow the example in the documentation.
Once you get that working, you could modify the example to assign the required rules to groups, and groups to your hard-coded users.
Keep in mind that this will not be a production ready solution, due to the crappy security level offered by HTTP basic auth between browser and Kibana:
The browser will pass the credentials unencrypted at every request
No way for the user to "logout" from Kibana
Nowadays ReadonlyREST Offers two Kibana plugins (PRO and Enterprise), which fixes the above limitations using encrypted cookies, and injecting a logout button into the Kibana UI.
The 30 days trial is available for download

Related

Google Search Console API: How do I Solve "User does not have sufficient permission for site"? (When User Has Permissions)

I'm trying to use Google's Search Console API via their Node package, and my code looks like the following:
const auth = new GoogleAuth({
scopes: 'https://www.googleapis.com/auth/webmasters.readonly',
});
const webmasters = google.webmasters('v3');
const params = {
auth,
siteUrl: 'example.com',
resource: {
startDate: '2015-08-25',
endDate: '2015-08-25',
dimensions: ['query', 'page'],
rowLimit: 10,
},
aggregationType: 'byPage',
};
const res = await webmasters.searchanalytics.query(params);
console.log(res.data);
... except that in my version example.com has been replaced with my actual domain.
I'm invoking it at the command line with:
GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_key.json" node index.js
I have a service account created, and the service key JSON file is from it. That service account has access to my Search Console account. When I look at https://search.google.com/search-console/users I see the service user there, and in the Permission column it has "Full".
Can anyone help me understand why I'm getting the following error when I run my code?
{
message: "User does not have sufficient permission for site 'http://example.com'. See also: https://support.google.com/webmasters/answer/2451999.",
domain: 'global',
reason: 'forbidden'
}
The URL mentioned, https://support.google.com/webmasters/answer/2451999, simply links me to the search console users page ... which (again) says the service user has full permissions.
After rooting in google forums and rest of internet I have figured out why it happen.
Need to copy Service account email, long weird format(example: whiskey-tango-foxtrot#certain-something-0123456.iam.gserviceaccount.com) from Google Cloud: https://console.cloud.google.com/apis/credentials to Search Console https://search.google.com/u/1/search-console/users, as a "Full site" user.
Make sure you have added that site(as from on Search Console) via your API or with this tool: https://developers.google.com/webmaster-tools/v1/sites/add
Then, when you perform "list_sites" request, your site should be listed ere and permission_level is "siteFullUser"(according to step 1)
When you add_site or perform query API requests, make sure to set siteUrl according to steps above, eg: http://www.example.com/ (for a URL-prefix property) or sc-domain:example.com (for a Domain property)
Happy coding

OpenAM and CDSSO - how to configure

I'm trying to set up OpenAM with CDSSO, but I cann't find the right setup.
My environment looks like this:
OpenAM:
version: 10.0.0
few tomcat
behind loadbalancer 10.10.10.10:8000
availble by http://abc.xxx.com which redirects to http://sso.yyy.com or by http://sso.yyy.com
Apache with web agent
apache version: Apache/2.2.15
web agent version: Version: 3.0-04, Revision: 9150
host have access to 10.10.10.10:8000, but not to http://abc.xxx.com or http://sso.yyy.com
accessed via http://efg.xxx.com
End user / browser
have access to http://sso.yyy.com, but not to 10.10.10.10:8000
Tested configurations
Try 1
In web agent configuration I setup
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=http://10.10.10.10:8000/opensso/cdcservlet
in browser I have redirect to 10.10.10.10:8000/opensso/cdcservlet
Location: http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fefg.xxx.com%3A80%2F&
in web agent log is
am_web_do_cookie_domain_set(): setting cookie iPlanetDirectoryPro=;Path=/.
is_server_alive(): Connection timeout set to 2
am_web_get_url_to_redirect: The goto_url and url before appending cdsso elements: [http://efg.xxx.com:80/] [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fefg.xxx.com%3A80%2F]
process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fhttp://efg.xxx.com%3A80%2F&].
process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://10.10.10.10:8000/opensso/cdcservlet?goto=http%3A%2F%2Fhttp://efg.xxx.com%3A80%2F&]
am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
am_web_process_request(): render result function returned AM_SUCCESS.
Try 2
In web agent configuration I setup
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=http://sso.yyy.com/opensso/cdcservlet
in browser I have
403, You don't have permission to access /
in web agent logs is
am_web_do_cookie_domain_set(): setting cookie iPlanetDirectoryPro=;Path=/.
am_web_get_url_to_redirect: unable to find active Access Manager Auth server.
process_access_redirect(): get redirect url returned AM_FAILURE, redirect url [NULL].
process_access_redirect(): returning web result AM_WEB_RESULT_FORBIDDEN.
process_request(): returning web result AM_WEB_RESULT_FORBIDDEN, data []
am_web_process_request(): Rendering web result AM_WEB_RESULT_FORBIDDEN
am_web_process_request(): render result function returned AM_SUCCESS.
Questions
Is it possible to perform such a configuration?
In newer version of OpenAM (12.0.0 › OpenAM Administration Guide) I find
OpenAM Conditional Login URL (Not yet in OpenAM console)
CDSSO examples: com.forgerock.agents.conditional.login.url[0]= login.example.com|http://openam1.example.com/openam/cdcservlet, http://openam2.example.com/openam/cdcservlet, com.forgerock.agents.conditional.login.url[1]= signin.example.com|http://openam3.example.com/openam/cdcservlet, http://openam4.example.com/openam/cdcservlet
what does it mean "Not yet in OpenAM console". Can I set this directry in OpenDJ?
Is this configuration will work on older versions of OpenAM?
Is for web agent work failover similat to https://docs.oracle.com/cd/E19636-01/819-6101/auto20/index.html?
Thanks in advance
kawu
Answer to 1) Yes that's possible. I don't see why you would need conditional login URL feature, 3.0-04 agent might not even support this feature (question 3) If agents can not access CDCServlet or LoginURL feature you need to disable the probing for it ... see OPENAM-3294 You are using LB for OpenAM, so no need for Agent failover.

Solr 5.3 & Zookeeper Security Authentication & Authorization

There are a few topics and articles on Solr authentication & authorization, but I cannot get it to work (the way I like).
I followed these tutorials / information sources:
https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins
and
https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/
Then I created this security.json and I confirmed it is active in Zookeeper:
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{
"solr":"...",
"admin":"...",
"monitor":"...",
"data_import":"..."},
"":{"v":8}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[
{
"name":"security-edit",
"role":"adminRole"},
{
"name":"security-read",
"role":"adminRole"},
{
"name":"schema-edit",
"role":"adminRole"},
{
"name":"schema-read",
"role":"collectionRole"},
{
"name":"config-edit",
"role":"adminRole"},
{
"name":"config-read",
"role":"collectionRole"},
{
"name":"collection-admin-edit",
"role":"adminRole"},
{
"name":"collection-admin-read",
"role":"collectionRole"},
{
"name":"update",
"role":"dataImportRole"},
{
"name":"read",
"role":"dataImportRole"}],
"user-role":{
"solr":[
"adminRole",
"collectionRole",
"dataImportRole"],
"admin":[
"adminRole",
"collectionRole",
"dataImportRole"],
"monitor":[
"collectionRole",
"dataImportRole"],
"data_import":["dataImportRole"]}}}
I now have a security.json that works for curl requests from command line:
curl "http://localhost:8983/solr/admin/authorization"
Unauthorized request, Response code: 401
curl --user solr:<pwd> "http://localhost:8983/solr/admin/authorization"
Normal response with the info
So far so good.
Now I try and select something from a collection, which shouldn't work anonymously according to my security.json, however it still works
curl "http://localhost:8983/solr/outlets_shard1_replica1/select?q=*%3A*&wt=json&indent=true"
"responseHeader":{
"status":0,
"QTime":1,
"params":{
"indent":"true",
"q":"*:*",
"wt":"json"}},
"response":{"numFound":2000,"start":0,"d.. }
This is the first thing that vexes me. I probably can create some custom path permission for /select, but having the read right assigned to a specific role should do the trick right? but [1] How can I disable all anonymous access?
Continuing on, probably related, it bothers me that the Solr Admin UI(http://solrurl:8983/solr/#) is still accessible. In previous Solr installations (with tomcat) I remember that even this interface was secured. It also seems that I still have complete access to the entire core (reload worked) and I can also inspect cloud configuration.[2] How can I restrict access to Solr Admin UI?
The only stuff that actually seems to be secure is all the /solr/admin related commands
Which brings me to the 3rd thing I can't seem to figure out: How do I configure solr.in.sh so that solr authentication is passed with /bin/solr commands
I see the SOLR_AUTHENTICATION_CLIENT_CONFIGURER and SOLR_AUTHENTICATION_OPTS options, but I have no clue how to modify those to feed basic realm authentication into solr commandline. So [3] How do I keep all access from commandline to Solr (and Zookeeper) authorized & authenticated?
eg. solr status now returns
Found 1 Solr nodes:
Solr process 15931 running on port 8983
ERROR: Failed to get system information from http://localhost:8983/solr due to: org.apache.http.client.ClientProtocolException: Expected JSON response from server but received: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/collections. Reason:
<pre> Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
I've tested with
SOLR_AUTHENTICATION_OPTS="-DinternalAuthCredentialsBasicAuthUsername=solr -DinternalAuthCredentialsBasicAuthPassword=<pass>"
To no avail
I also faced the same issue and then I looked at the source code.
The read permission in RuleBasedAuthorizationPlugin is defined as :
read :{" +
path:['/update/*', '/get']}," +
Which will never work.
I have raised an issue:
https://issues.apache.org/jira/browse/SOLR-8439
Now, to lock down your admin ui completely, you need to define a new permission, with path="/", which will going to solve your issue, something like this:
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
"set-permission" : {"name":"admin-ui",
"path":"/",
"before":"update",
"role":"admin"}}'
Did you forget setting the blockUnknown to true?
Your authentication block in security.json should be:
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"..."}
},
If you don't set it, it will allow all anonymous access! It is strange but here is the source:
'blockUknown:true' means that unauthenticated requests are not allowed to pass through [1]
Start by using the default user/Pw given in the Solr tutorials.
The passwords are hashed sha512 with a salt. Solr provides the encryption from the plaintext passwords when you create new authenticated users, but the pw in the Lucidworks instructions is already encrypted for the plaintext value: solrRocks (or similar) - use that account to create others, give them appropriate permissions, then remove the solr:solrRocks account.

simple form symfony2 firewall redirection

Here is my issue.
Situation:
I am trying to add some custom logic during user login. I could find to ways to do so:
hard way (but with a lot of control); building my own authentication provider, following this guidelines of the cookbook or this complementing publication of vandenbrand
easy way (exactly what I need ): use simple_form. simple_form is a key which has the same options as form_login, but for which I can define an "authenticator".
cookbook tuto I used can be found here
Issue
I had an existing and operational app/security.yml configuration with 'form_login' key.
secured_area:
pattern: ^/foo/user/secured/
form_login:
check_path: /foo/user/secured/login_check
login_path: /foo/user/login
I followed steps of the tutorial described above. therefore, my security.yml gets modified to:
secured_area:
pattern: ^/foo/user/secured/
#form_login:
simple_form:
authenticator: foo_authenticator
check_path: /foo/user/secured/login_check
login_path: /foo/user/login
when I try to access a page /foo/user/secured/target of the secured area, the firewall does its job: it catches the query and asks for credentials (via intermediary page /foo/user/login).
However, once right credentials input (and obviously validated), I keep staying on the same page. It does not redirect to the page /foo/user/secured/target I was asking for in the first place. There is no refreshing to trying to go to that page via new request: I remain stuck at login stage.
EDIT 1: here are the steps I identify based on logs and debugging:
1) user tries to access /foo/user/secured/target, for which you need to be identified at least with ROLE_USER to access
2) firewall intercepts this request, as it matches listened routes (app/config/security.yml):
secured_area:
pattern: ^/foo/user/secured/
3) it redirects toward login route
4) user fills in with username and password, and submits post
5) when form is received, a token gets created by createToken method of custom authenticater. It returns an object of class UsernamePasswordToken created with parameter username, password in clear, authenticater key: UsernamePasswordToken($username, $password, $providerKey)
6) token gets passed onto authenticateToken method de of authenticater object. this method compares clear password hash contained in token andd accessed through $token->getCredentials()) with hashed password in database.
7) authentication worked: we get redirected toward /foo/user/secured/target . token and user get serialized in session (ISSUE STARTS HERE: indeed, user clear password is erased so that it doesn't leave tracks in session, and getCredentials() will return empty string now).
8) while loading page, le firewall is activated. It detects user logged in, seems to want to check its token. Therefore, it calls authenticateToken.
9) authenticateToken tries to compare sha1($token->getCredentials()) to hashed password in database. comme $token->getCredentials() is empty, comparison fails. authenticateToken raises an exception.
10) raised exception triggers firewall redirection toward login page. There we are: stuck in infinite loop landing systematically on login page.
STOP EDIT 1.
Solution
Does anyone know why this change of behaviour between 'form_login' and 'simple_form'? Most of all, would you know a good way to fix this ? I guess authenticate method or custom authenticater should be slightly changed, but I am not yet confident enough with security to solve this elegantly.
Many thanks in advance.
Kind regards,
Wisebes
You have to use some string (not the object) from sample. Or implement __toString() for User entity.
NOT
return new UsernamePasswordToken($user, ...
USE
return new UsernamePasswordToken($user->getEmail() or whatever, ...
if you want to access to the page you was requesting, you could use any of the options that Symfony offers to you:
Redirecting after Login:
always_use_default_target_path (type: Boolean, default: false)
default_target_path (type: string, default: /)
target_path_parameter (type: string, default: _target_path)
use_referer (type: Boolean, default: false)
You could see the section of the book 'SecurityBundle Configuration ("security")'
http://symfony.com/doc/current/reference/configuration/security.html
I hope that this be useful for you.
Kind regards.
well, as I was not able to make it work fine, I created my own custom authentication provider. I hope the issue reported above will be fixed asap. If anyone has got an answer, I still am interested!
For other people facing the same issue, I recommend creating a custom authentication provider. You may even inherit from existing authentication provider, and therefore limit modifications to be done. All in all, you are able to add your custom logic with a limited amount of trouble that way.

Symfony2 and Uploadify : security token is not kept

I'm trying to make Symfony2 and Uploadify working together in a secured area.
(Uploadify is a flash/javascript component used to upload multiple files)
My uploadify component is working fine when the back-end script route is out of the secure area, but when in this area, I get a 302 HTTP error.
The log message is :
security.INFO: Authentication exception occurred; redirecting to authentication entry point (A Token was not found in the SecurityContext.)
While searching for an answer, I found that passing the PHPSESSID to the back-end script as a post parameter should work on "non-framework php" but with the Symfony Security Component, it seems that this script is not even reached.
Does anyone know if there is a way to send that token to the back-end script while keeping this script in the secure area ?
After having a read around the Symfony website, it's possible that this solution may work (haven't tested it). In your security.yml file, change your access_contol config option to something like this...
access_control:
- { path: ^/path/to/flash_component, roles: IS_AUTHENTICATED_ANONYMOUSLY }
Where /path/to/flash_component is the URL you are uploading to in Uploadify. Let me know if that works.

Resources