Reject machine-to-machine traffic using custom metadata ACL rules

A custom middleware can also reject specific requests, for example based on custom metadata attached to the matched ACL block:

  1. Define the ACL in your readonlyrest.yml file:

```yaml
  - name: ADMIN_GRP
    groups_any_of: [ administrators ]
    kibana:
      access: admin
      index: '.kibana_@{acl:current_group}'
      metadata:
        rejectBasicAuth: true
```
  2. Declare the custom Kibana JS file with readonlyrest_kbn.kibana_custom_js_inject_file: '/path/to/custom_kibana.js'. It is injected at the end of the HTML body tag of the Kibana UI frontend code.

```javascript
async function customMiddleware(req, res, next) {
  // Session metadata comes from the matched ACL block's `metadata:` key;
  // guard every step so a request without a ROR session cannot throw here.
  const session = req.rorRequest && req.rorRequest.getIdentitySession && req.rorRequest.getIdentitySession();
  const metadata = (session && session.metadata) || {};

  // Read the Authorization header of the incoming request with the same guard style.
  const headers = req.rorRequest && req.rorRequest.getHeaders && req.rorRequest.getHeaders();
  const headerAuth = headers && headers.getAuthorizationHeaders && headers.getAuthorizationHeaders().get('authorization');
  // Auth scheme names are case-insensitive, so match "Basic <credentials>" regardless of case.
  const isBasicAuth = Boolean(headerAuth) && /^basic\s/i.test(headerAuth);

  // Reject only when the ACL flagged this identity AND the request used Basic auth.
  if (metadata.customMetadata && metadata.customMetadata.rejectBasicAuth && isBasicAuth) {
    return res.status(401).json({ message: 'Machine to machine communication is not allowed' });
  }

  // Everything else continues down the Kibana middleware chain.
  return next();
}
```

You can pass any custom metadata and, based on it, accept or reject specific requests.

⚠️ IMPORTANT: custom middleware must return next(); otherwise the request is blocked.
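To check the middleware's decisions before injecting it into Kibana, here is an added, stand-alone harness (example code, not part of the ReadonlyREST project). It assumes the rorRequest shape used above (getIdentitySession().metadata and getHeaders().getAuthorizationHeaders().get('authorization')) and drives the middleware with constructed requests, including one without a ROR session.

```javascript
// Added example (not ReadonlyREST code): a decision function mirroring the
// middleware above, plus constructed rorRequest stubs to exercise it offline.
// Pure decision: true when the request must be rejected. Assumes the rorRequest
// shape used on this page; any missing piece yields "allow" instead of a throw.
function shouldRejectBasicAuth(req) {
  const ror = req && req.rorRequest;
  const session = ror && typeof ror.getIdentitySession === 'function' && ror.getIdentitySession();
  const metadata = (session && session.metadata) || {};
  const flagged = Boolean(metadata.customMetadata && metadata.customMetadata.rejectBasicAuth);

  const headers = ror && typeof ror.getHeaders === 'function' && ror.getHeaders();
  const authHeaders = headers && headers.getAuthorizationHeaders && headers.getAuthorizationHeaders();
  const headerAuth = (authHeaders && authHeaders.get('authorization')) || '';
  // Auth scheme names are case-insensitive (RFC 7235); match only "Basic <credentials>".
  const isBasicAuth = /^basic\s/i.test(headerAuth.trim());

  return flagged && isBasicAuth;
}

// Express-style middleware built on the decision function; every path ends in next() or a response.
function customMiddleware(req, res, next) {
  if (shouldRejectBasicAuth(req)) {
    return res.status(401).json({ message: 'Machine to machine communication is not allowed' });
  }
  return next();
}

// Constructed rorRequest stub: customMetadata stands in for the ACL block's
// `metadata:` key, authorizationHeader for the incoming HTTP request header.
function fakeRorRequest(customMetadata, authorizationHeader) {
  const authHeaders = new Map();
  if (authorizationHeader !== undefined) authHeaders.set('authorization', authorizationHeader);
  return {
    getIdentitySession: () => (customMetadata ? { metadata: { customMetadata } } : undefined),
    getHeaders: () => ({ getAuthorizationHeaders: () => authHeaders }),
  };
}

// Drives the middleware with a constructed request and records what it did.
function runMiddleware(customMetadata, authorizationHeader) {
  const req = { rorRequest: fakeRorRequest(customMetadata, authorizationHeader) };
  const result = { status: null, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  customMiddleware(req, res, () => { result.nextCalled = true; });
  return result;
}
```

The credentials in the test are constructed; the case that matters most in production is the last one, where a request with no ROR session must still reach next() instead of throwing.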
