diff --git a/ror-demo-cluster/conf/es/log4j2.properties b/ror-demo-cluster/conf/es/log4j2.properties
index 1865d8e..9962a38 100644
--- a/ror-demo-cluster/conf/es/log4j2.properties
+++ b/ror-demo-cluster/conf/es/log4j2.properties
@@ -81,5 +81,5 @@ logger.index_indexing_slowlog.level=trace
 logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref=index_indexing_slowlog_rolling
 logger.index_indexing_slowlog.additivity=false
 
-logger.ror.name=tech.beshu.ror.accesscontrol.blocks.rules.elasticsearch.indices
+logger.ror.name=tech.beshu.ror.accesscontrol
 logger.ror.level=info
\ No newline at end of file
diff --git a/ror-demo-cluster/conf/es/readonlyrest.yml b/ror-demo-cluster/conf/es/readonlyrest.yml
index f52599b..0cfeee6 100644
--- a/ror-demo-cluster/conf/es/readonlyrest.yml
+++ b/ror-demo-cluster/conf/es/readonlyrest.yml
@@ -16,60 +16,34 @@ readonlyrest:
 kibana:
 access: admin
 
- - name: "End users"
- groups: ["EndUsers"]
- indices: ["frontend_logs", "kibana_sample_data_*"]
- kibana:
- index: .kibana_end_@{user}
- access: rw
- hide_apps: ["Security", "Observability"]
-
- - name: "Business users"
- groups: ["BusinessUsers"]
- indices: ["business_logs", "kibana_sample_data_*"]
- kibana:
- index: .kibana_business_@{user}
- access: rw
- hide_apps: ["Security", "Observability"]
-
- users:
- - username: admin
- auth_key: admin:admin
- groups:
- - id: "Administrators"
- name: "Administrators"
- - id: "EndUsers"
- name: "End Users"
- - id: "BusinessUsers"
- name: "Business Users"
-
- - username: user1
- auth_key: user1:test
- groups:
- - id: "EndUsers"
- name: "End Users"
- - id: "BusinessUsers"
- name: "Business Users"
-
- - username: user2
- auth_key: user2:test
- groups:
- - id: "EndUsers"
- name: "End Users"
-
- - username: "*"
- ror_kbn_auth:
- name: "kbn1"
- groups: ["*"]
- groups:
- - local_group:
- id: "EndUsers"
- name: "End Users"
- external_group_ids: [ "extEndUsers" ]
- - local_group:
- id: "BusinessUsers"
- name: "Business Users"
- external_group_ids: [ "extBusinessUsers" ]
- ror_kbn:
- - name: kbn1
- signature_key: "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"
+ - name: "Test 1"
+ ldap_authentication: ldap1
+ ldap_authorization:
+ name: ldap1
+ groups_or: ["Group1"]
+ indices: ["frontend_logs"]
+
+ - name: "Test 2"
+ ldap_authentication: ldap1
+ indices: ["frontend_logs"]
+
+ ldaps:
+
+ - name: ldap1
+ host: ldap
+ port: 389
+ ssl_enabled: false
+ ssl_trust_all_certs: true
+ bind_dn: "cn=admin,dc=example,dc=com"
+ bind_password: "password"
+ connection_pool_size: 10
+ connection_timeout: 10s
+ request_timeout: 10s
+ cache_ttl: 60s
+ search_user_base_DN: "dc=example,dc=com"
+ search_groups_base_DN: "dc=example,dc=com"
+ user_id_attribute: "uid"
+ unique_member_attribute: "uniqueMember"
+ group_search_filter: "(cn=*)"
+ group_name_attribute: "cn"
+ nested_groups_depth: 3
\ No newline at end of file
diff --git a/ror-demo-cluster/conf/ldap/example-com.ldif b/ror-demo-cluster/conf/ldap/example-com.ldif
new file mode 100644
index 0000000..15a7f91
--- /dev/null
+++ b/ror-demo-cluster/conf/ldap/example-com.ldif
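Review bot: `ssl_trust_all_certs: true` on the ldap1 entry is dead configuration while `ssl_enabled: false` sits next to it, and it means that whoever later switches TLS on silently keeps a connection that accepts any certificate; set it to `false` and put `# demo only: plaintext LDAP on 389, set ssl_enabled: true and a trust store before reuse` above the entry. The bind identity is the directory admin (`cn=admin,dc=example,dc=com`) with `bind_password: "password"`, the same value the ldap container is bootstrapped with in docker-compose.yml; user and group lookups only need a read-only bind account, so a dedicated one plus a comment tying the two files together would be cleaner. The `Test 2` block authenticates against ldap1 with no authorization rule, so every account in the LDIF (user1, user2, user3) gets `frontend_logs` through it; if that is intended, a comment saying so would help, otherwise add an `ldap_authorization` entry like Test 1. The enclosing rules list starts before this hunk, so the `kibana: access: admin` block at its top is only partly visible here.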
@@ -0,0 +1,85 @@
+version: 1
+
+dn: ou=People,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=User1,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: User1
+sn: User1
+uid: user1
+userPassword: test
+
+dn: cn=User2,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: User2
+sn: User2
+uid: user2
+userPassword: test
+
+dn: cn=User3,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: User3
+sn: User3
+uid: user3
+userPassword: test
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=Group1,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group1
+o: Group1
+uniqueMember: cn=User1,ou=People,dc=example,dc=com
+
+dn: cn=Group2,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group2
+o: Group2
+uniqueMember: cn=User2,ou=People,dc=example,dc=com
+
+dn: cn=Group3,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group3
+o: Group3
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
+
+dn: cn=Group4,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group4
+o: Group4
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
+uniqueMember: cn=User2,ou=People,dc=example,dc=com
+uniqueMember: cn=User1,ou=People,dc=example,dc=com
+
+dn: cn=Group5,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group5
+o: Group5
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
+
+dn: cn=Group6,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group6
+o: Group6
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
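Review bot: `userPassword: test` is stored in clear for User1, User2 and User3 in a file that is committed to the repository and mounted straight into slapd's bootstrap directory by docker-compose.yml; slapd accepts pre-hashed values in LDIF (for example an `{SSHA}` string produced with slappasswd), so the fixture can carry hashes without changing how the demo logs in. A header comment at the top, `# demo fixture: bootstrap data for ror-demo-cluster, not for a real directory`, would make the scope of the file explicit to anyone who copies it. Group4 contains all three users while nothing in the readonlyrest.yml hunk references it yet; a one-line `#` comment above the entry saying what it is meant to exercise would help.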
diff --git a/ror-demo-cluster/docker-compose.yml b/ror-demo-cluster/docker-compose.yml
index 4da7e38..4084e7e 100644
--- a/ror-demo-cluster/docker-compose.yml
+++ b/ror-demo-cluster/docker-compose.yml
@@ -99,6 +99,7 @@ services:
 condition: service_healthy
 environment:
 ELASTICSEARCH_ADDRESS: https://es-ror:9200
+ KIBANA_ADDRESS: https://kbn-ror:5601
 ELASTICSEARCH_USER: kibana
 ELASTICSEARCH_PASSWORD: kibana
 healthcheck:
@@ -112,6 +113,20 @@ services:
 networks:
 - es-ror-network
 
+ ldap:
+ image: osixia/openldap:1.3.0
+ command: [--copy-service]
+ volumes:
+ - ./conf/ldap/example-com.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/example-com.ldif
+ ports:
+ - "389:389"
+ - "636:636"
+ environment:
+ - LDAP_ADMIN_PASSWORD=password
+ - LDAP_DOMAIN=example.com
+ networks:
+ - es-ror-network
+
 networks:
 es-ror-network:
 driver: bridge
diff --git a/ror-demo-cluster/images/es/install-ror-es-using-file.sh b/ror-demo-cluster/images/es/install-ror-es-using-file.sh
index 5b45b1e..5f4943b 100755
--- a/ror-demo-cluster/images/es/install-ror-es-using-file.sh
+++ b/ror-demo-cluster/images/es/install-ror-es-using-file.sh
@@ -1,4 +1,4 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 
 function greater_than_or_equal() {
 # Strip the -pre part (or any suffix starting with -) from both versions
@@ -14,7 +14,7 @@ fi
 echo "Installing ES ROR from file..."
 /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch file:///tmp/ror.zip
 
-ROR_VERSION=$(unzip -p /tmp/ror.zip plugin-descriptor.properties | grep -oP '^version=\K.*')
+ROR_VERSION=$(unzip -p /tmp/ror.zip '*/plugin-descriptor.properties' | grep -oP '^version=\K.*')
 
 if [[ ! -v ROR_VERSION || -z "$ROR_VERSION" ]]; then
 echo "No ROR_VERSION variable is set"
diff --git a/shared/init-scripts/utils/lib.sh b/shared/init-scripts/utils/lib.sh
index fd0e7b8..e65a0b5 100755
--- a/shared/init-scripts/utils/lib.sh
+++ b/shared/init-scripts/utils/lib.sh
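Review bot: The new ldap service publishes 389 and 636 on every host interface (`- "389:389"`, `- "636:636"`) although its only consumer in this diff, es-ror on es-ror-network, reaches it by service name; combined with `LDAP_ADMIN_PASSWORD=password` that exposes a directory with a known admin credential to whatever network the host sits on, so drop the `ports:` block or bind it to loopback, `- "127.0.0.1:389:389"`. Port 636 is published but nothing in this change configures TLS on the image or on the ROR side (ldap1 in readonlyrest.yml uses 389 with `ssl_enabled: false`), so that mapping looks unused. `LDAP_ADMIN_PASSWORD` has to stay equal to `bind_password` in conf/es/readonlyrest.yml; a `# must match bind_password in conf/es/readonlyrest.yml` comment next to the variable documents the coupling.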
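Review bot: Adding `-x` to the shebang turns on xtrace for the whole script, so every expanded command line goes to stderr and from there to the container log; nothing in the visible hunks puts a secret on a command line, but any later line outside this diff that does would now be logged in full. If the trace is only wanted around the plugin install and the version detection, a `set -x` / `set +x` pair around that section is narrower. Shebang options also apply only when the file is executed directly; `bash install-ror-es-using-file.sh` drops both `-e` and `-x`, which a `set -ex` line at the top of the script avoids.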
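Review bot: Under the script's `-e`, the rewritten `ROR_VERSION=$(unzip ... | grep -oP '^version=\K.*')` aborts the script whenever grep finds no `version=` line, because the assignment takes the pipeline's (grep's) non-zero status; the `if [[ ! -v ROR_VERSION || -z "$ROR_VERSION" ]]` check that follows can therefore never print its message. Writing `ROR_VERSION=$(unzip -p /tmp/ror.zip '*/plugin-descriptor.properties' | grep -oP '^version=\K.*' || true)` lets the existing check do its job. The new glob also matches a descriptor under any directory and `unzip -p` concatenates every match, so an archive carrying more than one would produce a multi-line ROR_VERSION; `| head -n 1` after grep pins it to the first.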
@@ -9,23 +9,23 @@ function pick_randomly() {
 
 function putDocument() {
 if [ "$#" -ne 2 ]; then
- echo "ERROR: Three parameters required: 1) index name, 2) document JSON string"
+ echo "ERROR: Two parameters required: 1) index name, 2) document JSON string"
 return 1
 fi
 
 if ! [ -v ELASTICSEARCH_ADDRESS ] || [ -z "$ELASTICSEARCH_ADDRESS" ]; then
 echo "ERROR: required variable ELASTICSEARCH_ADDRESS not set or empty"
- exit 2
+ return 2
 fi
 
 if ! [ -v ELASTICSEARCH_USER ] || [ -z "$ELASTICSEARCH_USER" ]; then
 echo "ERROR: required variable ELASTICSEARCH_USER not set or empty"
- exit 3
+ return 3
 fi
 
 if ! [ -v ELASTICSEARCH_PASSWORD ] || [ -z "$ELASTICSEARCH_PASSWORD" ]; then
 echo "ERROR: required variable ELASTICSEARCH_PASSWORD not set or empty"
- exit 4
+ return 4
 fi
 
 INDEX_NAME=$1
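Review bot: With `exit` replaced by `return` on the three ELASTICSEARCH_* checks, a missing variable no longer stops the script that sourced lib.sh, so every caller of putDocument now has to test its status (`putDocument "$idx" "$doc" || return 1`, or run under `set -e`) or the init sequence continues and fails further from the cause. The call sites are outside this diff, so please confirm they check the result; a line in the function's header comment, `# returns 1-4 on argument/environment errors, callers must check the status`, would make the contract visible. putDocument's body continues past the end of the hunk.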
@@ -48,3 +48,43 @@ set -x
 
 return 0
 }
+
+function importSavedObjects() {
+ if [ "$#" -ne 1 ]; then
+ echo "ERROR: One parameter required: 1) saved objects file"
+ return 1
+ fi
+
+ SAVED_OBJECTS_FILE=$1
+
+ if ! [ -v KIBANA_ADDRESS ] || [ -z "$KIBANA_ADDRESS" ]; then
+ echo "ERROR: required variable KIBANA_ADDRESS not set or empty"
+ return 2
+ fi
+
+ if ! [ -v ELASTICSEARCH_USER ] || [ -z "$ELASTICSEARCH_USER" ]; then
+ echo "ERROR: required variable ELASTICSEARCH_USER not set or empty"
+ return 3
+ fi
+
+ if ! [ -v ELASTICSEARCH_PASSWORD ] || [ -z "$ELASTICSEARCH_PASSWORD" ]; then
+ echo "ERROR: required variable ELASTICSEARCH_PASSWORD not set or empty"
+ return 4
+ fi
+
+ RESPONSE=$(curl -k -s -L -w "\n%{http_code}" -u "$ELASTICSEARCH_USER:$ELASTICSEARCH_PASSWORD" \
+ -X POST "$KIBANA_ADDRESS/api/saved_objects/_import?overwrite=true" \
+ -H "kbn-xsrf: true" \
+ -F "file=@${SAVED_OBJECTS_FILE}"
+ )
+
+ HTTP_STATUS=$(echo "$RESPONSE" | tail -n 1)
+ RESPONSE_BODY=$(echo "$RESPONSE" | sed \$d)
+
+ if [[ "$HTTP_STATUS" != 2* ]] ; then
+ echo "ERROR: Cannot import saved objects from file [$SAVED_OBJECTS_FILE].\nHTTP status: $HTTP_STATUS, response body: $RESPONSE_BODY"
+ return 5
+ fi
+
+ return 0
+}
\ No newline at end of file
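Review bot: `-L` on the curl call in importSavedObjects is a hazard for a multipart POST: when Kibana answers with a 301/302/303 (a base-path redirect, for instance) curl re-issues the request as a GET without the body, and the `2*` status check below then reports an import that never happened, so drop `-L` (the URL is already explicit) or add `--post301 --post302 --post303` if redirects are expected. The error branch's `echo "... [$SAVED_OBJECTS_FILE].\nHTTP status: ..."` prints a literal `\n`, because bash's builtin echo does not interpret escapes without `-e`; `printf 'ERROR: Cannot import saved objects from file [%s].\nHTTP status: %s, response body: %s\n' "$SAVED_OBJECTS_FILE" "$HTTP_STATUS" "$RESPONSE_BODY"` gives the intended output. With `-s` alone, curl's own failures (unreachable host, TLS handshake under `-k`) are silent and surface only as `HTTP status: 000`; `-sS` keeps the progress meter off but still prints the reason. The hunk header shows a `set -x` in putDocument above; if tracing is still enabled when this function runs, the `-u "$ELASTICSEARCH_USER:$ELASTICSEARCH_PASSWORD"` argument is echoed in full to the init log, so a `set +x` before the call (or passing the credential via `--netrc-file`) keeps it out.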