A solid, open source Elasticsearch security solution.

Read the DOCS

🆕 Try ReadonlyREST Enterprise in two commands, with Docker!

sudo sysctl -w vm.max_map_count=300000 # Needed in Linux
docker build -t ror --rm https://readonlyrest.com/docker-demo
docker run -p 9200:9200 -p 5601:5601 -ti --rm ror
Point your browser to http://localhost:5601, credentials: admin:passwd

🛑 important:  in version 6.3.x  (or greater) you need to disable X-Pack's Security Module from both elasticsearch.yml and kibana.yml.
What's new in
  • 🐞Fix (ES) Interpolating config with environment variables in SSL section
  • 🐞Fix (KBN Ent 6.x) Fixed default space creation in
  • 🐞Fix (KBN 6.x) Fixed error toast notification not showing
  • 🐞Fix (KBN Ent) Fixed missing Axios dependency
  • 🐞Fix (KBN Ent) Fixed SAML connector
  • 🐞Fix (KBN) Toast notification overlap with logout bar
  • 🧐Enhancement (KBN) Restyled logout bar
  • 🧐Enhancement (KBN) Configurable periodic session checker

What's new in 1.19.3
  • 🚀New (ES/KBN) 7.6.1 compatibility
  • 🚀New (ES) customizable name of settings index
  • 🧐Enhancement (KBN) configurable ROR cookie name
  • 🧐Enhancement (ES/KBN) handling of encoded ROR headers in Authorization header values
  • 🧐Enhancement (KBN) user feedback on why login failed
  • 🐞Fix (ES) support for multiple header values
  • 🐞Fix (ES) releasing LDAP connection pool on reloading ROR settings
  • 🐞Fix (KBN) multitenancy issue with 7.6.0+
  • 🐞Fix (KBN) creation of default space for new tenant
  • 🐞Fix (KBN 6.x) in RO mode, don't hide add/remove over fields in discovery
  • 🐞Fix (KBN 6.x) index template & in-index session manager issues

What's new in 1.19.2
  • 🚀New (KBN) 7.6.0 support
  • 🧐Enhancement (KBN) less verbose info logging
  • 🧐Enhancement (KBN) start up time semantic check for settings
  • 🐞Fix (KBN Free) missing logout button
  • 🐞Fix (KBN) error message creating internal proxy
  • 🐞Fix (KBN 6.x) add field to filter button invisible in RO mode

What's new in 1.19.1
  • 🎁Product (KBN) Launched ReadonlyREST Free for Kibana!
  • 🚀New (ES) 7.6.0 support, Kibana support coming soon
  • 🚀New (KBN) Audit log dashboard
  • 🚀New (KBN) Template index can now be declared per tenant instead of globally
  • 🚀New (ES) custom trust store file and password options in ROR settings
  • 🧐Enhancement (ES) When "prompt_for_basic_auth" is enabled, ROR is going to return 401 instead of 404 when the index is not found or a user is not allowed to see the index
  • 🧐Enhancement (ES) literal ipv6 with zone Id is acceptable network address
  • 🧐Enhancement (ES) LDAP client cache improvements
  • 🐞Fix (ES) /_all/_settings API issue
  • 🐞Fix (ES) Index stats API & Index shard stores API issue
  • 🐞Fix (ES) readonlyrest.force_load_from_file setting decoding issue
  • 🐞Fix (KBN) allowing user to be logged in in two tabs at the same time
  • 🐞Fix (KBN) logging with JWT parameter issue
  • 🐞Fix (KBN) parsing of sessions fetched from ES index
  • 🐞Fix (KBN) logout issue

What's new in 1.19.0
  • 🚀New (KBN) Configurable option to delete docs from tenant index when not present in template
  • 🧐Enhancement (ES) Less verbose logging of blocks history
  • 🧐Enhancement (ES) Enriched logs and audit with attempted username
  • 🧐Enhancement (ES) Better settings validation - only one authentication rule can be used in given block
  • 🧐Enhancement (ES/KBN) Plugin versions printing in logs on launch
  • 🧐Enhancement (ES) When user doesn't have access to given index, ROR pretends that the index doesn't exist and return 404 instead of 403
  • 🐞Fix (ES) Searching for nonexistent/forbidden index with wildcard mirrors default ES behaviour instead of returning 403
  • 🐞Fix (KBN) Switching groups bug

What's new in 1.18.10
  • 🚀New (ES/KBN) Support v6.8.6, v7.5.0, v7.5.1
  • 🚀New (KBN) Group names can now be mapped to aliases
  • 🚀New (ES) New, more robust and simple method of creating custom audit log serializers
  • 🚀New (ES) Example projects with custom audit log serializers
  • 🐞Fix (KBN) Prevent index migration after kibana startup
  • 🧐Enhancement (KBN) If default space doesn't exist in kibana index then copy from default one
  • 🧐Enhancement (KBN) Crypto improvements - store init vector with encrypted data as base64 encoded json.
  • 🧐Enhancement (ES) Better settings validation - prevent duplicated keys in readonlyrest.yml

What's new in 1.18.9
  • 🚀New (ES/KBN) Support v7.4.1, v7.4.2
  • 🚀New (KBN) Kibana sessions stored in ES index
  • 🐞Fix (ES) issue with in-index settings auto-reloading
  • 🐞Fix (ES) _cat/indices empty response when matched block doesn't contain 'indices' rule

What's new in 1.18.8
  • 🚀New (ES/KBN) Support v7.4.0
  • 🚀New (ES) Elasticsearch SQL Support
  • 🚀New (ES) Internode ssl support for es5x, es60x, es61x and es62x
  • 🚀New (ES) new runtime variable @{acl:current_group}
  • 🚀New (ES) namespace for user variable and support for both versions: @{user} and @{acl:user}
  • 🚀New (ES) support for multiple values in uri_re rule
  • 🧐Enhancement (ES) more reliable in-index settings loading of ES with ROR startup
  • 🧐Enhancement (ES) less verbose logs in JWT rules
  • 🧐Enhancement (ES) Better response from ROR API when plugin is disabled
  • 🧐Enhancement (ES) Splitting verification ssl property to client_authentication and certificate_verification
  • 🐞Fix (ES) issue with backward compatibility of proxy_auth settings
  • 🐞Fix (ES) /_render/template request NPE
  • 🐞Fix (ES) _cat/indices API bug fixes
  • 🐞Fix (ES) _cat/templates API return empty list instead of FORBIDDEN when no indices are found
  • 🐞Fix (ES) updated regex for kibana access rule to support 7.3 ES
  • 🐞Fix (ES) proper resolving of non-string ENV variables in readonlyrest.yml
  • 🐞Fix (ES) lang-mustache search template handling

What's new in 1.18.7
  • 🚀New (ES) Field level security (FLS) supports nested JSON fields
  • 🐞Security Fix (ES) Authorization headers appeared in clear in logs
  • 🧐Enhancement (KBN) Don't logout users when they are not allowed to search a index-pattern
  • 🧐Enhancement (ES) Headers obfuscation is now case insensitive

What's new in 1.18.6
  • 🚀New (ES/KBN) Support v7.3.1, v7.3.2
  • 🚀New (ES) Configurable header names whose value should be obfuscated in logs
  • 🚀New (KBN) Dynamic variables from user identity available in custom_logout_link
  • 🧐Enhancement (ES) Richer logs for JWT errors
  • 🧐Enhancement (ENT) nextUrl works also with SAML now
  • 🧐Enhancement (ENT) SAML assertion object available in ACL dynamic variables
  • 🧐Enhancement (KBN) Validate LDAP server(s) before accepting new YAML settings
  • 🧐Enhancement (KBN) Ensure a read-only UX for 'ro' users in older Kibana
  • 🐞Fix (ES) Fix memory leak from dependency (snakeYAML)

What's new in 1.18.5
  • 🐞Security Fix (ES) indices rule can now properly handle also the templates API
  • 🧐Enhancement (ES) Array dynamic variables are serialized as CSV wrapped in double quotes
  • 🧐Enhancement (ES) Cleaner debug logs (no stacktraces on forbidden requests)
  • 🧐Enhancement (ES) LDAP debug logs fire also when cache is hit
  • 🚀New (ES/KBN) Support v7.2.1, v7.3.0
  • 🐞Fix (PRO) PRO plugin crashing for some Kibana versions
  • 🐞Fix (ENT) SAML library wrote a too large cookie sometimes
  • 🐞Fix (ENT) SAML logout not working
  • 🐞Fix (ENT) JWT fix exception "cannot set requestHeadersWhitelist"
  • 🐞Fix (PRO/ENT) Hide more UI elements for RO users
  • 🐞Fix (PRO/ENT) Sometimes not all the available groups appear in tenancy selector
  • 🐞Fix (PRO/ENT) Feature "nextUrl" broke
  • 🐞Fix (PRO/ENT) prevent user kick-out when APM is not configured and you are not an admin
  • 🚀New (PRO/ENT) Kibana request path/method now sent to ES (good for policing dev-tools)

What's new in 1.18.4
  • 🚀New (ES) User impersonation API
  • 🚀New (ES) Support latest 6.x and 5.x versions
  • 🐞Security Fix (ES) filter/fields rules leak
  • 🐞Fix (KBN/ENT) allow more action for kibana_access, prevent sudden logout
  • 🐞Fix (KBN/ENT) temporarily roll back "support for unlimited tenancies"

What's new in 1.18.3
  • 🚀New Support added for ES/Kibana 6.8.1
  • 🧐Enhancement (ES) Crash ES on invalid settings instead of stalling forever
  • 🧐Enhancement (ES) Better logging on JWT, JSON-paths, LDAP, YAML errors
  • 🧐Enhancement (ES) Block level settings validation to user with precious hints
  • 🧐Enhancement (ES) If force_load_from_file: true, don't poll index settings
  • 🧐Enhancement (ES) Order now counts declaring LDAP Failover HA servers
  • 🐞Fix (ES) "EsIndexJsonContentProvider" had a null pointer exception
  • 🐞Fix (ES) "es.set.netty.runtime.available.processors" exception
  • 🧐Enhancement (KBN) Collapsible logout button
  • 🧐Enhancement (KBN) ROR App now uses a HA http client
  • 🧐Enhancement (KBN) Automatic logout for inactivity
  • 🧐Enhancement (KBN) Support unlimited amount of tenancies
  • 🐞Fix (KBN/ENT) concurrent multitenancy bug
  • 🐞Fix (KBN) Avoid sporadic errors on Save/Load buttons

What's new in 1.18.2
  • 🚀New Support for Elasticsearch & Kibana 7.2.0
  • 🐞Fix (ES) restore indices ("IDX") in audit logging
  • 🧐Enhancement (ES) New algorithm of setting evaluation order
  • 🚀New (ES) JWT claims as dynamic variables. I.e. "@{jwt:claim.json.path}"
  • 🚀New (ES) "explode" dynamic variables. I.e. indices: ["@explode{x-indices}"]
  • 🐞Fix (PRO/Enterprise) preserve comments and formatting in YAML editor
  • 🐞Fix (PRO/Enterprise) Print error message when session is expired
  • 🐞Regression (PRO/Enterprise) Redirect to original link after login
  • 🐞Regression (PRO/Enterprise) Broken CSV reporting
  • 🧐Enhancement (PRO/Enterprise) Prevent navigating away from YAML editor w/ unsaved changes
  • 🐞Fix (Enterprise) Exception when SAML connectors were all disabled
  • 🐞Fix (Enterprise) Concurrent tenants could mix up each other kibana index
  • 🐞Fix (Enterprise) Cannot inject custom JS if no custom CSS was also declared
  • 🐞Fix (Enterprise) Injected JS had no effect on ROR logout button
  • 🐞Fix (Enterprise) On narrow screens, the YAML editor showed buttons twice

What's new in 1.18.1
  • 🐞Fix (Elasticsearch) Reindex requests failed for a regression in indices extraction
  • 🐞Fix (Elasticsearch) Groups rule erratically failed
  • 🐞Fix (Elasticsearch) JWT claims can now contain special characters
  • 🧐Enhancement (Elasticsearch) Better ACL History logging
  • 🧐Enhancement (Elasticsearch) QueryLogSerializer and old custom log serializers work again
  • 🐞Fix (PRO/Enterprise) ReadonlyREST icon in Kibana was white on white
  • 🐞Fix (Enterprise) SAML connectors could not be disabled
  • 🐞Fix (Enterprise) SAML connector "buttonName" didn't work

What's new in 1.18.0
  • 🚀New Support for Elasticsearch & Kibana 7.0.1
  • 🧐Enhancement (Elasticsearch) empty array values in settings are invalid
  • 🐞Security Fix (Elasticsearch) arbitrary x-cluster search referencing local cluster
  • 🐞Fix (Elasticsearch) ArrayOutOfBoundException on snapshot operations
  • 🧐Enhancement (PRO/Enterprise) History cleaning can now be disabled ("clearSessionOnEvents")

What's new in 1.17.7
  • 🚀New Support for Elasticsearch 7.0.0 (Kibana is coming soon)
  • 🧐Enhancement (Elasticsearch) rewritten LDAP connector
  • 🧐Enhancement (Elasticsearch) new core written in Scala is now GA
  • 🐞Fix (Enterprise) devtools requests now honor the currently selected tenancy
  • 🐞Security Fix (Enterprise/PRO) Fix "connectorsService" error in installation

What's new in 1.17.5
  • 🚀New Support for Kibana/Elasticsearch 6.7.1
  • 🧐Enhancement (Enterprise >= Kibana 6.6.0) Multiple SAML identity provider
  • 🐞Security Fix (Enterprise/PRO) Don't pass auth headers back to the browser
  • 🐞Fix (Enterprise/PRO) Missing null check caused error in reporting (CSV)
  • 🐞Fix (Enterprise) Don't reject requests if SAML groups are not configured
  • 🐞Fix filter/fields rules not working in msearch (in 6.7.x)
  • 🧐Enhancement Print whole LDAP search query in debug log

What's new in 1.17.4
  • 🚀New Support for Kibana/Elasticsearch 6.7.0
  • 🧐Enhancement (PRO/Enterprise) JWT query param is the preferred credentials provider
  • 🧐Enhancement (PRO/Enterprise) admin users can use indices management
  • 🧐Enhancement (PRO/Enterprise) ro users can dismiss telemetry form
  • 🐞Fix Audit logging in 5.1.x now works again
  • 🐞Fix unpredictable behaviour of "filter" and "fields" when using external auth
  • 🐞Fix LDAP ConcurrentModificationException
  • 🐞Fix Audit logging in 5.1.x now works again
  • 🐞Fix (PRO/Enterprise) JWT deep-link works again

What's new in 1.17.3
1.17.2 went unreleased, all changes have been merged in 1.17.3 directly
  • 🐞Fix (Enterprise) Tenancy selector showing if user belonged to one group
  • 🐞Fix (PRO/Enterprise) RW buttons not hiding for RO users in React Kibana apps
  • 🐞Fix (Enterprise) Tenancy templating now works much more reliably
  • 🐞Fix (Enterprise) Missing tenancy selector icon after switching tenancy
  • 🐞Fix (PRO/Enterprise) barring static files requests caused sudden logout
  • 🐞Fix Numerous fixes to better support Kibana 6.6.x
  • 🐞Fix Critical fixes in new Scala core
  • 🐞Fix Exception in reindex requests caused tenancy templating to fail
  • 🧐Enhancement Bypass cross-cluster search logic if single cluster

What's new in 1.17.1
  • 🐞Fix (PRO/Enterprise) SAML now works well in 6.6.x
  • 🐞Fix (PRO/Enterprise) "undefined" authentication error before login
  • 🐞Fix (Enterprise) Default space creation failures for new tenants
  • 🐞Fix (Enterprise) Icons/titles CSS misalignment in sidebar (Firefox)
  • 🧐Enhancement(Enterprise) UX: Larger tenancy selector
  • 🐞Security Fix (Enterprise) Privilege escalation when changing tenancies under monitoring
  • 🐞Fix (Elasticsearch) compatibility fixes to support new Kibana features
  • 🧐Enhancements (Elasticsearch) New core and LDAP connector written in Scala is finished, now under QA.

What's new in 1.17.0
  • 🚀New Feature Support for Kibana/Elasticsearch 6.6.0, 6.6.1
  • 🚀New Feature Internode SSL (ES 6.3.x onwards)
  • 🧐Enhancement(PRO/Enterprise) UI appearence
  • 🧐Enhancement Made HTTP Connection configurable (PR #410)
  • 🐞Fix slow boot due to SecureRandom waiting for sufficient entropy
  • 🐞Fix Enable kibana_access:ro to create short urls in es6.3+ (PR #408)

What's new in 1.16.34
  • 🧐Enhancement X-Forwarded-For header in printed es logs ("XFF")
  • 🧐Enhancement kibana_index: "[email protected]{user}" when user is "John Doe" becomes .kibana_john_doe
  • 🐞Fix (Enteprise) parse SAML groups from assertion as array of strings
  • 🐞Fix (Enteprise) SAMLRequest in location header was URLEncoded twice, broke on some IdP
  • 🐞Fix (PRO/Enteprise) "cookiePass" works again, no more need for sticky cookies in load balancers!
  • 🐞Fix (PRO/Enteprise) fix redirect loop with JWT deep linking when JWT token expires
  • 🧐Enhancement (PRO/Enteprise) fix audit demo page CSS
  • 🧐Enhancement (Enteprise) SAML more configuration parameters available
  • 🚀New Feature (PRO/Enteprise) set ROR to debug mode (readonlyrest_kbn.logLevel: "debug")

What's new in 1.16.33
  • 🐞Fix(PRO/Enteprise) compatibility problems with older Kibana versions
  • 🐞Fix(PRO/Enteprise) compatibility problems with OSS Kibana version

What's new in 1.16.32
  • 🚀New Feature "kibanaIndexTemplate": default dashboards and spaces for new tenants
  • 🧐Enhancement Support for ES/Kibana 6.5.4
  • 🧐Enhancement Upgraded LDAP library
  • 🧐Enhancement (Enterprise) Now tenants save their CSV exports in their own reporting index
  • 🐞Fix(PRO/Enteprise) Support passwords that start and/or end with spaces
  • 🐞Fix (PRO/Enterprise) Now reporting works again

What's new in 1.16.31
  • 🧐Enhancement Support for ES/Kibana 6.5.2, 6.5.3
  • 🚧WIP: Laid out the foundation for LDAP HA support

What's new in 1.16.29
  • 🧐Enhancement Support for ES/Kibana 6.4.3
  • 🚀New Feature (PRO/Enterprise) configurable server side session duration
  • 🚀New Feature [LDAP] High Availability: Round Robin or Failover

What's new in 1.16.28
  • 🧐Enhancement Support for ES/Kibana 6.4.2
  • 🐞Fix (Enterprise) Multi tenancy: sometimes changing tenancy would not change kibana index
  • 🐞Security Fix (Enterprise/PRO) Avoid echoing Base64 encoded credentials in login form error message
  • 🧐Enhancement (Enterprise/PRO) Remove latest search/visualization/dashboard history on logout
  • 🧐Enhancement (Enterprise/PRO) Clear transient authentication cookies on login error to avoid authentication deadlocks
  • 🐞Fix: External JWT verification may throw ArrayOutOfBoundException
  • 🚧WIP: Laid out the foundation for internode SSL transport (port 9300)

What's new in 1.16.27
  • 🚀New Feature [JWT] external validator: it's now possible to avoid storing the private key in settings
  • 🧐Enhancement Support for ES/Kibana 6.4.1
  • 🧐Enhancement Rewritten big part of ES plugin documentation
  • 🧐Enhancement SAML Single log out flow
  • 🐞Fix (Enterprise/PRO) cookiePass works again, but only for Kibana 5.x. Newer Kibana needs sticky sessions in LB.
  • 🧐Enhancement (Enterprise/PRO) much faster logout

What's new in 1.16.26
  • 🐞 Fix (PRO/Enterprise) bugs during plugin packaging and installation process

What's new in 1.16.25
  • 🚀New Feature Users rule: easily restrict external authentication to a list of users
  • 🧐Enhancement Support for ES 5.6.11
  • 🐞Hot Fix (Enterprise/PRO) Error 404 when logging in with older versions of Kibana

What's new in 1.16.24
  • 🚀New Feature (Enterprise) SAML Authentication
  • 🚀New Feature Support for Elasticsearch and Kibana 6.4.0
  • 🚀New Feature Headers rule now split in headers_or and headers_and
  • 🧐Enhancement Headers rule now allows wildcards
  • 🚀New Feature (Enterprise) Multi-tenancy now works also with JSON groups provider
  • 🐞 Fix Multi-tenancy (Enterprise) incoherent initial kibana_index and current group

What's new in 1.16.23
  • 🧐Enhancement Support for Elastic Stack 6.3.1 and 5.6.10
  • 🚀New Feature (Enterprise) Custom CSS injection for Kibana
  • 🚀New Feature (Enterprise) Custom Javascript injection for Kibana
  • 🚀New Feature (PRO/Enterprise) access paths without need to login (i.e. /api/status)
  • 🐞Fix (PRO/Enterprise) Navigating to X-Pack APM caused hidden Kibana apps to reappear

What's new in 1.16.22
  • 🚀New Feature:  map LDAP groups to local groups (a.k.a. role mapping)
  • 🐞 Fix (Elasticsearch) wildcard aliases resolution not working in "indices" rule.
  • 🧐Enhancement: it is now possible now to use JDK 9 and 10
  • 🐞 Fix (PRO/Enterprise) wait forever for login request (i.e.  slow LDAP servers)
  • 🐞 Fix (PRO/Enterprise) add spinner and block UI if login request is being sent
  • 🐞 Fix (PRO/Enterprise) if user is logged out because of LDAP cache expiring + slow authentication, redirect to login.
  • 🐞 Fix (PRO/Enterprise) let RO users delete/edit search filters

What's new in 1.16.21
  • 🚀New Feature: Introducing support for Elasticsearch and Kibana v6.3.0
  • 🐞 Fix (Enterprise) multi tenancy - switching tenancy does not always switch kibana index

What's new in 1.16.20

ReadonlyREST PRO/Enterprise for Kibana

  • 🧐 Enhancement: when login, forward "elasticsearch.requestHeadersWhitelist" headers. (useful for "headers" rule  and "proxy_auth" to work well.)

ReadonlyREST for Elasticsearch

  • 🚀New Feature: DLS (with dynamic variables suppoort) Thanks DataSweet!
  • 🚀 New feature: Field level security
  • 🚀 New rules: Snapshot, Repositories, Headers
  • 🧐 Enhancement: custom audit serializers: the request content is available
  • 🐞 Fix readonlyrest.yml path discovery
  • 🐞 Fix: LDAP available groups discovery (tenancy switcher) corner cases
  • 🐞 Fix: auth_key_sha1, auth_key_sha256 hashes in settings should be case insensitive
  • 🐞 Fix: LDAP authentication didn't work with local group
Get it NOW

Questions, comments, or concerns?Contact us

Create A product first!

Create a product first please!