[RORDEV-1242] ReadonlyREST JWT POC

readme.md

@@ -66,3 +66,10 @@ Here's description of how to connect remote debugger to running Elasticsearch se
 1. You should now see name of created configuration in upper right corner of IntelliJ IDEA. ![remote debug](images/run_debugging.png)
 1. Click on a bug icon next to it to start debugger.
 1. After successful connection, window like that should pop up from the bottom![successful debug connection](images/connected_debugger.png)
+
+## Running POC
+1. Get a ReadonlyREST trial PRO license from [customer portal](https://readonlyrest.com/customer)
+3. `cd ror-demo-cluster`
+4. Run `bash -c "export ROR_ACTIVATION_KEY=<YOUR_KEY_HERE> && ./run.sh"` and select Kibana/es 7.17.21 (or 8.14.3 if you want to verify Kibana 8.x)
+5. When everything is running add initial data by the `/bin/bash ./initData-7.x.sh` for Kibana 7.x or `/bin/bash ./initData-8.x.sh` for Kibana 8.x 
+6. You can access POC HTML with a simple Discover and Dashboard page for user1 here:  http://localhost:18000

ror-cluster-elastic-cloud-demo/docker-compose.yml

@@ -25,7 +25,7 @@ services:
       - ES_CLOUD_PROXY_ADDRESS=$ES_CLOUD_PROXY_ADDRESS
       - ES_CLOUD_SERVER_NAME=$ES_CLOUD_SERVER_NAME
     healthcheck:
-      test: [ "CMD", "curl", "-fk", "-u", "admin:admin", "http://localhost:9200/_cluster/health" ]
+      test: [ "CMD", "curl", "-fk", "-u", "admin:admin", "https://localhost:9200/_cluster/health" ]
       interval: 10s
       timeout: 10s
       retries: 30
@@ -53,7 +53,7 @@ services:
       - "15601:5601"
     environment:
       ELASTIC_USER_PASSWORD: elastic
-      ES_API_URL: http://es-ror:9200
+      ES_API_URL: https://es-ror:9200
     networks:
       - es-ror-network
     ulimits:

ror-demo-cluster/clean.sh

@@ -1,3 +1,3 @@
 #!/bin/bash -e
 
-docker-compose rm --stop --force
+docker compose rm --stop --force

ror-demo-cluster/conf/ror-cluster/elasticsearch.yml

@@ -0,0 +1,19 @@
+cluster.name: ror-es-cluster
+network.host: 0.0.0.0
+
+cluster.remote.my-xpack-cluster.mode: sniff
+cluster.remote.my-xpack-cluster.seeds: [ "es-xpack:9300" ]
+
+xpack.security.enabled: true
+
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.verification_mode: none
+xpack.security.http.ssl.client_authentication: none
+xpack.security.http.ssl.keystore.path: elastic-certificates.p12
+xpack.security.http.ssl.truststore.path: elastic-certificates.p12
+
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: none
+xpack.security.transport.ssl.client_authentication: none
+xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
+xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

ror-demo-cluster/conf/kibana.yml → ror-demo-cluster/conf/ror-cluster/kibana.yml

@@ -4,8 +4,11 @@ server.host: 0.0.0.0
 elasticsearch.hosts: [ "${ES_API_URL}" ]
 elasticsearch.username: kibana
 elasticsearch.password: kibana
+elasticsearch.ssl.verificationMode: none
 
 monitoring.ui.container.elasticsearch.enabled: true
 
 readonlyrest_kbn.logLevel: info
 readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'
+readonlyrest_kbn.cookies.secure: true
+readonlyrest_kbn.cookies.sameSite: 'none'

ror-demo-cluster/conf/ror-cluster/log4j2.properties

@@ -0,0 +1,88 @@
+#
+# This file is part of ReadonlyREST.
+#
+#     ReadonlyREST is free software: you can redistribute it and/or modify
+#     it under the terms of the GNU General Public License as published by
+#     the Free Software Foundation, either version 3 of the License, or
+#     (at your option) any later version.
+#
+#     ReadonlyREST is distributed in the hope that it will be useful,
+#     but WITHOUT ANY WARRANTY; without even the implied warranty of
+#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#     GNU General Public License for more details.
+#
+#     You should have received a copy of the GNU General Public License
+#     along with ReadonlyREST.  If not, see http://www.gnu.org/licenses/
+#
+#
+status=error
+# log actionPost execution errors for easier debugging
+logger.action.name=org.elasticsearch.action
+logger.action.level=info
+appender.console.type=Console
+appender.console.name=console
+appender.console.layout.type=PatternLayout
+appender.console.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
+appender.rolling.type=RollingFile
+appender.rolling.name=rolling
+appender.rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
+appender.rolling.layout.type=PatternLayout
+appender.rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%.10000m%n
+appender.rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log
+appender.rolling.policies.type=Policies
+appender.rolling.policies.time.type=TimeBasedTriggeringPolicy
+appender.rolling.policies.time.interval=1
+appender.rolling.policies.time.modulate=true
+rootLogger.level=info
+rootLogger.appenderRef.console.ref=console
+rootLogger.appenderRef.rolling.ref=rolling
+appender.deprecation_rolling.type=RollingFile
+appender.deprecation_rolling.name=deprecation_rolling
+appender.deprecation_rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log
+appender.deprecation_rolling.layout.type=PatternLayout
+appender.deprecation_rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c{1.}] %marker%.10000m%n
+appender.deprecation_rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz
+appender.deprecation_rolling.policies.type=Policies
+appender.deprecation_rolling.policies.size.type=SizeBasedTriggeringPolicy
+appender.deprecation_rolling.policies.size.size=1GB
+appender.deprecation_rolling.strategy.type=DefaultRolloverStrategy
+appender.deprecation_rolling.strategy.max=4
+logger.deprecation.name = org.elasticsearch.deprecation
+logger.deprecation.level = deprecation
+logger.deprecation.appenderRef.header_warning.ref = header_warning
+logger.deprecation.appenderRef.deprecation_rolling.ref=deprecation_rolling
+logger.deprecation.additivity=false
+appender.index_search_slowlog_rolling.type=RollingFile
+appender.index_search_slowlog_rolling.name=index_search_slowlog_rolling
+appender.index_search_slowlog_rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log
+appender.index_search_slowlog_rolling.layout.type=PatternLayout
+appender.index_search_slowlog_rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c] %marker%.10000m%n
+appender.index_search_slowlog_rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log
+appender.index_search_slowlog_rolling.policies.type=Policies
+appender.index_search_slowlog_rolling.policies.time.type=TimeBasedTriggeringPolicy
+appender.index_search_slowlog_rolling.policies.time.interval=1
+appender.index_search_slowlog_rolling.policies.time.modulate=true
+logger.index_search_slowlog_rolling.name=index.search.slowlog
+logger.index_search_slowlog_rolling.level=trace
+logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref=index_search_slowlog_rolling
+logger.index_search_slowlog_rolling.additivity=false
+appender.index_indexing_slowlog_rolling.type=RollingFile
+appender.index_indexing_slowlog_rolling.name=index_indexing_slowlog_rolling
+appender.index_indexing_slowlog_rolling.fileName=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log
+appender.index_indexing_slowlog_rolling.layout.type=PatternLayout
+appender.index_indexing_slowlog_rolling.layout.pattern=[%d{ISO8601}][%-5p][%-25c] %marker%.10000m%n
+appender.index_indexing_slowlog_rolling.filePattern=${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log
+appender.index_indexing_slowlog_rolling.policies.type=Policies
+appender.index_indexing_slowlog_rolling.policies.time.type=TimeBasedTriggeringPolicy
+appender.index_indexing_slowlog_rolling.policies.time.interval=1
+appender.index_indexing_slowlog_rolling.policies.time.modulate=true
+logger.index_indexing_slowlog.name=index.indexing.slowlog.index
+logger.index_indexing_slowlog.level=trace
+logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref=index_indexing_slowlog_rolling
+logger.index_indexing_slowlog.additivity=false
+
+appender.header_warning.type = HeaderWarningAppender
+appender.header_warning.name = header_warning
+
+logger.ror.name=tech.beshu.ror
+logger.ror.level=info

ror-demo-cluster/conf/ror-cluster/readonlyrest.yml

@@ -0,0 +1,37 @@
+readonlyrest:
+
+  access_control_rules:
+
+    - name: "::KIBANA::"
+      verbosity: error
+      type: allow
+      auth_key: kibana:kibana
+
+    - name: "::ADMIN::"
+      verbosity: error
+      type: allow
+      auth_key: admin:admin
+      kibana:
+        access: admin
+
+    # Allow JWT users to read all system Kibana indices without DLS, otherwise Kibana breaks
+    - name: "::UNFILTERED SYSTEM INDICES FOR USR*::"
+      indices: [ ".kibana*" ] # All kibana-related indices will be added implicitly (because of the presence of the kibana rule in the same block)
+      kibana:
+        access: rw
+      jwt_auth:
+        name: "jwt_provider_1"
+
+    # Allow ANY jwt user to read his own data
+    - name: "::USER SEGMENTATION::"
+      users: [ "user*" ] # Optional, if you want to restrict users by name prefix, suffix, etc.
+      # Can filter also by group name, any string within the JWT claims! Here I am using the username
+      filter: '{"bool": { "must": { "match": { "username": "@{acl:user}" }}}}'
+      jwt_auth:
+        name: "jwt_provider_1"
+
+  jwt:
+    - name: jwt_provider_1
+      signature_algo: HMAC # can be NONE, RSA, HMAC (default), and EC
+      signature_key: "608c76e4bf65bb25c33369119594bad57273cefa13d463d788d487af89f183f8"
+      user_claim: name

ror-demo-cluster/conf/xpack-cluster/elasticsearch.yml

@@ -0,0 +1,16 @@
+cluster.name: xpack-es-cluster
+network.host: 0.0.0.0
+
+xpack.security.enabled: true
+
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.verification_mode: none
+xpack.security.http.ssl.client_authentication: none
+xpack.security.http.ssl.keystore.path: elastic-certificates.p12
+xpack.security.http.ssl.truststore.path: elastic-certificates.p12
+
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: none
+xpack.security.transport.ssl.client_authentication: none
+xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
+xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

ror-demo-cluster/conf/xpack-cluster/kibana.yml

@@ -0,0 +1,9 @@
+server.name: kibana-xpack
+server.host: 0.0.0.0
+
+elasticsearch.hosts: [ "${ES_API_URL}" ]
+elasticsearch.username: kibana_system
+elasticsearch.password: elastic
+elasticsearch.ssl.verificationMode: none
+
+monitoring.ui.container.elasticsearch.enabled: true

ror-demo-cluster/conf/log4j2.properties → ror-demo-cluster/conf/xpack-cluster/log4j2.properties

@@ -18,7 +18,7 @@
 status=error
 # log actionPost execution errors for easier debugging
 logger.action.name=org.elasticsearch.action
-logger.action.level=info
+logger.action.level=debug
 appender.console.type=Console
 appender.console.name=console
 appender.console.layout.type=PatternLayout
@@ -33,7 +33,7 @@ appender.rolling.policies.type=Policies
 appender.rolling.policies.time.type=TimeBasedTriggeringPolicy
 appender.rolling.policies.time.interval=1
 appender.rolling.policies.time.modulate=true
-rootLogger.level=info
+rootLogger.level=debug
 rootLogger.appenderRef.console.ref=console
 rootLogger.appenderRef.rolling.ref=rolling
 appender.deprecation_rolling.type=RollingFile