A user can't create his first index pattern. The user can create index patterns after the admin has created the first one


Elasticsearch version:

xtermi2/elasticsearch-searchguard 7.6.2-oss

Kibana version (if relevant):

xtermi2/kibana-searchguard 7.6.2-oss

Describe the issue:

With the configuration (described later), the customer user can't create an index pattern in Kibana until the admin user creates an index pattern first (any); after that point the customer can create index patterns.

Elasticsearch complains that indices:admin/mapping/put is not allowed, although it is in the roles.

Steps to reproduce:

Run sg_admin to update the Elasticsearch config.
Log in as user petr, try to create any index pattern => fail
Log in as user voiceverify, try to create any index pattern => success
Log in as user petr, try to create any index pattern => success

Expected behavior:

Success the first time.

Provide configuration:
elasticsearch/config/elasticsearch.yml

cluster.name: my-elasticsearch-cluster
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
searchguard.ssl.transport.enabled: "true"
searchguard.ssl.transport.enable_openssl_if_available: "true"
searchguard.ssl.transport.pemcert_filepath: "certificates/node.pem"
searchguard.ssl.transport.pemkey_filepath: "certificates/node.key"
searchguard.ssl.transport.pemkey_password: "default-secret"
searchguard.ssl.transport.pemtrustedcas_filepath: "certificates/root-ca.pem"
searchguard.ssl.transport.enforce_hostname_verification: "false"
searchguard.ssl.transport.resolve_hostname: "false"
searchguard.ssl.http.enabled: "true"
searchguard.ssl.http.pemcert_filepath: "certificates/node.pem"
searchguard.ssl.http.pemkey_filepath: "certificates/node.key"
searchguard.ssl.http.pemkey_password: "default-secret"
searchguard.ssl.http.pemtrustedcas_filepath: "certificates/root-ca.pem"
searchguard.enterprise_modules_enabled: "false"
searchguard.roles_mapping_resolution: "BACKENDROLES_ONLY"
searchguard:
  # lists can't be set via environment variables. so this is the only reason why we have a custom elasticsearch.yml here
  nodes_dn:
  - CN=node.es.local,OU=Ops,O=test,DC=es,DC=local
  authcz.admin_dn:
  - CN=admin.es.local,OU=Ops,O=test,DC=es,DC=local

elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml

---
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    authc:
      basic_internal_auth:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          challenge: true
          type: "basic"
        authentication_backend:
          type: "internal"

sg_internal_users.yml

_sg_meta:
  type: "internalusers"
  config_version: 2
elastic:
  hash: '$2y$12$SYQPOeLNiGgjIi63V4FTjuNZY0grO6bnTCbyMbnTX8YUy9ZKuBRHq'
  backend_roles:
    - admin
kibana:
  hash: '$2y$12$DiPUVi5u/T2zYTHMhvlkh.OBPkYJSP03uTOkRAf5iXJTFTqbxgR5y'
  backend_roles:
    - admin
logstash:
  hash: '$2y$12$YETEnrTM.w4bKqSc/m2vceQ9qk0yN/pXStTLDygi5//okz4ZhkhRu'
  backend_roles:
    - admin
voiceverify:
  hash: '$2y$12$kV741JTxJ0CVY362h0GbPuJ7IWtuK1kNy6ko4PJcY1cvIU0o87V1C'
  backend_roles:
    - admin
curator:
  hash: '$2y$12$omZuQa7L8lPytk9FZoRqDOEPzpLemXB.pLtzkKbbgMn8PplHu0ILq'
  backend_roles:
    - admin
petr:
  hash: '$2b$12$75JByOoOklqcx7lrdN5xp.r0PPrcl.rQBC8ulV6iwV8knVACa/aIa'
  backend_roles:
    - customer

sg_roles.yml

---
_sg_meta:
  type: "roles"
  config_version: 2

read_only:
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "READ"

read_only_BFU:
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "django*"
    allowed_actions:
    - "READ"

read_only_OPS:
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "docker*"
    allowed_actions:
    - "READ"

admin:
  cluster_permissions:
  - "ALL"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "ALL"

customer:
  cluster_permissions:
  - "indices:data/read/search*"
  - "indices:data/read/mget*"
  - "indices:data/write/bulk"
  - "indices:admin/mapping/put"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "READ"
    - "WRITE"

Provide logs:
Elasticsearch

elasticsearch_1          | 2020-09-04T08:51:43.499298017Z {"type": "server", "timestamp": "2020-09-04T08:51:43,498Z", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "my-elasticsearch-cluster", "node.name": "fc9c1836e183", "message": "No index-level perm match for User [name=petr, backend_roles=[customer], requestedTenant=null] Resolved [aliases=[], indices=[.kibana_1], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana_1], remoteIndices=[]] [Action [indices:admin/mapping/put]] [RolesChecked [customer]]", "cluster.uuid": "7JhQwfAxR_2zEYt7BEP9og", "node.id": "6Bu6-2dETr28XajFY4cN2g"  }
elasticsearch_1          | 2020-09-04T08:51:43.499347640Z {"type": "server", "timestamp": "2020-09-04T08:51:43,499Z", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "my-elasticsearch-cluster", "node.name": "fc9c1836e183", "message": "No permissions for [indices:admin/mapping/put]", "cluster.uuid": "7JhQwfAxR_2zEYt7BEP9og", "node.id": "6Bu6-2dETr28XajFY4cN2g"  }
elasticsearch_1          | 2020-09-04T08:51:43.500209827Z {"type": "server", "timestamp": "2020-09-04T08:51:43,499Z", "level": "DEBUG", "component": "o.e.a.b.TransportShardBulkAction", "cluster.name": "my-elasticsearch-cluster", "node.name": "fc9c1836e183", "message": "[.kibana_1][0] failed to execute bulk item (index) index {[.kibana][_doc][index-pattern:db46b350-ee8b-11ea-b104-e97e6ba8d7aa], source[{\"index-pattern\":{\"title\":\"d*\",\"timeFieldName\":\"@timestamp\",\"fields\":\"[]\"},\"type\":\"index-pattern\",\"references\":[],\"migrationVersion\":{\"index-pattern\":\"7.6.0\"},\"updated_at\":\"2020-09-04T08:51:43.493Z\"}]}", "cluster.uuid": "7JhQwfAxR_2zEYt7BEP9og", "node.id": "6Bu6-2dETr28XajFY4cN2g" , 
elasticsearch_1          | 2020-09-04T08:51:43.500238561Z "stacktrace": ["org.elasticsearch.ElasticsearchSecurityException: no permissions for [indices:admin/mapping/put] and User [name=petr, backend_roles=[customer], requestedTenant=null]",

Hi. Thanks for reporting this. I’ll try to reproduce and ping you back.

Hi, I managed to fix it by doing the following changes in sg_roles.yml:

customer:
  cluster_permissions:
  - "indices:data/read/search*"
  - "indices:data/read/mget*"
  - "indices:data/write/index"
  - "indices:data/write/bulk"
  - "indices:admin/mapping/put"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - SGS_READ
    - SGS_SEARCH
    - SGS_CREATE_INDEX
    - SGS_WRITE

@srgbnd do you think that it is a right thing to do?

The change that seems to make the actual difference should be the addition of the SGS_CREATE_INDEX action group.

Regarding the cluster permissions: It is generally advisable to use the action groups provided by Search Guard. When new Elasticsearch releases come out, these might require additional privileges; the action groups provided by Search Guard will be maintained and automatically give you the correct privileges. See here for details:

The action group SGS_CLUSTER_COMPOSITE_OPS seems to provide most privileges you need.

The specification of indices:data/read/search, indices:data/write/index, indices:admin/mapping/put as cluster permissions seems to be unnecessary, as these are actually index permissions and already contained in the action groups listed there.
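The role as originally posted and the action-group based variant the replies point to, side by side (an added illustration, not configuration from the thread's author or from Search Guard; the role name `customer_before` is only a label for comparison, and the exact privileges each `SGS_*` group grants are not listed in this thread):

```yaml
# sg_roles.yml fragment (added illustration, not from the thread)

# Before: the reporter's original "customer" role. The Elasticsearch log above
# shows the privilege evaluator looking for an *index-level* match for
# indices:admin/mapping/put on .kibana_1, so listing that action under
# cluster_permissions does not satisfy the request.
customer_before:
  cluster_permissions:
  - "indices:data/read/search*"
  - "indices:data/read/mget*"
  - "indices:data/write/bulk"
  - "indices:admin/mapping/put"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "READ"
    - "WRITE"

# After: the variant the replies converge on. Action groups are maintained by
# Search Guard across Elasticsearch releases; verify what each group grants in
# the sg_action_groups.yml shipped with your release before deploying.
customer:
  cluster_permissions:
  - "SGS_CLUSTER_COMPOSITE_OPS"
  index_permissions:
  - index_patterns:
    - "*"            # least privilege: narrow this to the indices the role really needs
    allowed_actions:
    - "SGS_READ"
    - "SGS_SEARCH"
    - "SGS_CREATE_INDEX"   # the addition that made the difference per the reply above
    - "SGS_WRITE"
```

After editing, the file is applied with sgadmin as in the reproduction steps; the same `c.f.s.p.PrivilegesEvaluator` log lines are the place to confirm the denial no longer appears.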
