If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.
Elasticsearch version:
xtermi2/ elasticsearch-searchguard 7.6.2-oss
Kibana version (if relevant):
xtermi2/ kibana-searchguard 7.6.2-oss
Describe the issue:
With the configuration described below, a customer user can't create an index pattern in Kibana until an admin user has created an index pattern (any) first; after that point the customer can create index patterns.
Elasticsearch complains that indices:admin/mapping/put is not allowed, although it is in the roles.
Steps to reproduce:
Run sg_admin to update elastic config.
Log in as user petr and try to create any index pattern => fail
Log in as user voiceverify and try to create any index pattern => success
Log in as user petr and try to create any index pattern => success
Expected behavior:
Success the first time.
Provide configuration:
elasticsearch/config/elasticsearch.yml
# Elasticsearch node settings with the Search Guard plugin: TLS is switched on
# for both the transport and the HTTP layer, using PEM files referenced by
# relative path.
cluster.name: my-elasticsearch-cluster
# Binds to every interface; who can reach the node then depends entirely on
# how the container's ports are published and on host/network firewalling.
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1

# Transport-layer (node-to-node) TLS.
searchguard.ssl.transport.enabled: "true"
searchguard.ssl.transport.enable_openssl_if_available: "true"
searchguard.ssl.transport.pemcert_filepath: "certificates/node.pem"
searchguard.ssl.transport.pemkey_filepath: "certificates/node.key"
# NOTE(review): the private-key password sits here in clear text and is now
# public through this post. The value reads like a shipped default - confirm.
# For anything beyond a test setup, issue a new key with its own password and
# keep that password out of shared configuration.
searchguard.ssl.transport.pemkey_password: "default-secret"
searchguard.ssl.transport.pemtrustedcas_filepath: "certificates/root-ca.pem"
# Hostname verification is off, so a peer certificate is not checked against
# the host presenting it. NOTE(review): trust then rests on the root CA and
# the nodes_dn list below - confirm that is intended, and enable verification
# outside test environments.
searchguard.ssl.transport.enforce_hostname_verification: "false"
searchguard.ssl.transport.resolve_hostname: "false"

# HTTP-layer (REST) TLS. The same node certificate and key are reused here.
searchguard.ssl.http.enabled: "true"
searchguard.ssl.http.pemcert_filepath: "certificates/node.pem"
searchguard.ssl.http.pemkey_filepath: "certificates/node.key"
# Same clear-text key password as on the transport layer; same caveat applies.
searchguard.ssl.http.pemkey_password: "default-secret"
searchguard.ssl.http.pemtrustedcas_filepath: "certificates/root-ca.pem"

searchguard.enterprise_modules_enabled: "false"
# NOTE(review): with BACKENDROLES_ONLY, a user's backend roles are (as far as
# the Search Guard documentation describes it) used directly as Search Guard
# role names and no separate roles mapping is consulted - which would explain
# why the backend roles in sg_internal_users.yml equal the role names in
# sg_roles.yml. Confirm against the vendor documentation for this version.
searchguard.roles_mapping_resolution: "BACKENDROLES_ONLY"

searchguard:
  # lists can't be set via environment variables. so this is the only reason why we have a custom elasticsearch.yml here
  # Certificate DNs accepted as cluster nodes.
  nodes_dn:
    - CN=node.es.local,OU=Ops,O=test,DC=es,DC=local
  # Certificate DNs treated as Search Guard administrators (the identity used
  # when running sgadmin). NOTE(review): presumably the holder of the matching
  # key can rewrite the whole security configuration - store it accordingly.
  authcz.admin_dn:
    - CN=admin.es.local,OU=Ops,O=test,DC=es,DC=local
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
---
# Search Guard authentication configuration: a single auth domain that
# accepts HTTP Basic credentials and checks them against the internal user
# database (sg_internal_users.yml).
_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic:
    authc:
      basic_internal_auth:
        # Domain is active for both REST and transport requests.
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          # challenge: true makes the node answer unauthenticated requests
          # with a Basic auth challenge. Basic credentials travel with every
          # request, so this relies on HTTP TLS staying enabled
          # (searchguard.ssl.http.enabled in elasticsearch.yml).
          challenge: true
          type: "basic"
        authentication_backend:
          type: "internal"
sg_internal_users.yml
# Search Guard internal user database: one entry per user with a bcrypt
# password hash and the backend roles assigned to that user.
#
# NOTE(review): the hashes below are real credential material published in a
# public post. bcrypt slows offline guessing but does not prevent it, so the
# passwords behind these hashes should be treated as exposed and rotated if
# they are used anywhere outside a throwaway test cluster. When sharing
# configuration, replace hashes with a placeholder.
#
# NOTE(review): every service account (elastic, kibana, logstash, curator) and
# voiceverify carries the "admin" backend role, which sg_roles.yml defines as
# ALL cluster and ALL index permissions. A compromise of any one of these
# accounts is therefore a full-cluster compromise; narrower per-service roles
# would limit that.
_sg_meta:
  type: "internalusers"
  config_version: 2

elastic:
  hash: '$2y$12$SYQPOeLNiGgjIi63V4FTjuNZY0grO6bnTCbyMbnTX8YUy9ZKuBRHq'
  backend_roles:
    - admin

kibana:
  hash: '$2y$12$DiPUVi5u/T2zYTHMhvlkh.OBPkYJSP03uTOkRAf5iXJTFTqbxgR5y'
  backend_roles:
    - admin

logstash:
  hash: '$2y$12$YETEnrTM.w4bKqSc/m2vceQ9qk0yN/pXStTLDygi5//okz4ZhkhRu'
  backend_roles:
    - admin

voiceverify:
  hash: '$2y$12$kV741JTxJ0CVY362h0GbPuJ7IWtuK1kNy6ko4PJcY1cvIU0o87V1C'
  backend_roles:
    - admin

curator:
  hash: '$2y$12$omZuQa7L8lPytk9FZoRqDOEPzpLemXB.pLtzkKbbgMn8PplHu0ILq'
  backend_roles:
    - admin

# The only non-admin user; this is the account the report is about.
petr:
  hash: '$2b$12$75JByOoOklqcx7lrdN5xp.r0PPrcl.rQBC8ulV6iwV8knVACa/aIa'
  backend_roles:
    - customer
sg_roles.yml
---
# Search Guard role definitions. Each role lists cluster-level permissions
# and, per index pattern, the actions allowed on matching indices.
_sg_meta:
  type: "roles"
  config_version: 2

# Read access to every index, no cluster permissions.
read_only:
  cluster_permissions: []
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "READ"

# Read access limited to indices starting with "django".
read_only_BFU:
  cluster_permissions: []
  index_permissions:
    - index_patterns:
        - "django*"
      allowed_actions:
        - "READ"

# Read access limited to indices starting with "docker".
read_only_OPS:
  cluster_permissions: []
  index_permissions:
    - index_patterns:
        - "docker*"
      allowed_actions:
        - "READ"

# Unrestricted: every cluster action and every action on every index.
admin:
  cluster_permissions:
    - "ALL"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "ALL"

# Role held by user petr.
customer:
  cluster_permissions:
    - "indices:data/read/search*"
    - "indices:data/read/mget*"
    - "indices:data/write/bulk"
    # NOTE(review): this action is granted only here, at cluster level. The
    # PrivilegesEvaluator log in this report says "No index-level perm match"
    # for indices:admin/mapping/put on .kibana_1 with RolesChecked [customer],
    # i.e. the action is evaluated as an index permission and this entry is
    # not what gets checked. It likely has to be listed under
    # index_permissions -> allowed_actions for the index concerned.
    # Presumably the request succeeds after an admin has created an index
    # pattern because the mapping then already exists and no mapping update
    # is needed - confirm.
    - "indices:admin/mapping/put"
  index_permissions:
    # NOTE(review): "*" gives this customer role READ and WRITE on every
    # index, which per the log includes the Kibana index itself. If customers
    # are meant to see only their own data, scope the pattern to those
    # indices and grant Kibana-index access separately (a dedicated entry for
    # the Kibana index, or the vendor's built-in Kibana user role if this
    # version provides one), rather than widening "*" further.
    - index_patterns:
        - "*"
      allowed_actions:
        - "READ"
        - "WRITE"
Provide logs:
Elasticsearch
elasticsearch_1 | 2020-09-04T08:51:43.499298017Z {"type": "server", "timestamp": "2020-09-04T08:51:43,498Z", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "my-elasticsearch-cluster", "node.name": "fc9c1836e183", "message": "No index-level perm match for User [name=petr, backend_roles=[customer], requestedTenant=null] Resolved [aliases=[], indices=[.kibana_1], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana_1], remoteIndices=[]] [Action [indices:admin/mapping/put]] [RolesChecked [customer]]", "cluster.uuid": "7JhQwfAxR_2zEYt7BEP9og", "node.id": "6Bu6-2dETr28XajFY4cN2g" }
elasticsearch_1 | 2020-09-04T08:51:43.499347640Z {"type": "server", "timestamp": "2020-09-04T08:51:43,499Z", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "my-elasticsearch-cluster", "node.name": "fc9c1836e183", "message": "No permissions for [indices:admin/mapping/put]", "cluster.uuid": "7JhQwfAxR_2zEYt7BEP9og", "node.id": "6Bu6-2dETr28XajFY4cN2g" }
elasticsearch_1 | 2020-09-04T08:51:43.500209827Z {"type": "server", "timestamp": "2020-09-04T08:51:43,499Z", "level": "DEBUG", "component": "o.e.a.b.TransportShardBulkAction", "cluster.name": "my-elasticsearch-cluster", "node.name": "fc9c1836e183", "message": "[.kibana_1][0] failed to execute bulk item (index) index {[.kibana][_doc][index-pattern:db46b350-ee8b-11ea-b104-e97e6ba8d7aa], source[{\"index-pattern\":{\"title\":\"d*\",\"timeFieldName\":\"@timestamp\",\"fields\":\"[]\"},\"type\":\"index-pattern\",\"references\":[],\"migrationVersion\":{\"index-pattern\":\"7.6.0\"},\"updated_at\":\"2020-09-04T08:51:43.493Z\"}]}", "cluster.uuid": "7JhQwfAxR_2zEYt7BEP9og", "node.id": "6Bu6-2dETr28XajFY4cN2g" ,
elasticsearch_1 | 2020-09-04T08:51:43.500238561Z "stacktrace": ["org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:admin/mapping/put] and User [name=petr, backend_roles=[customer], requestedTenant=null]",