ACL configuration with indices is not working.

I have configured search guard with elasticsearch.

In ACL Configuration, if I don't specify any role with the specific access against any indices, it works.

However I want a role where it should be allowed only for a particular index.

Below is my configuration changes. With this configuration I am not able to start kibana itself.

If I remove indices from ACL configuration for role admin, it is working.

Here is my elasticsearch.yml configuration:

searchguard.enabled: true
searchguard.rewrite_get_as_search: true
searchguard.key_path: C:/Test/searchguard_node.key
searchguard.config_index_name: searchguard
searchguard.http.enable_sessions: false
searchguard.auditlog.enabled: true
searchguard.allow_all_from_loopback: true
searchguard.check_for_root: false

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: false

searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.authorizer.cache.enable: false

searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

searchguard.authentication.settingsdb.user.admin: password
searchguard.authentication.settingsdb.user.manager: password

searchguard.authentication.authorization.settingsdb.roles.admin: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.manager: ["manager"]

searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
searchguard.actionrequestfilter.readonly.forbidden_actions: ["cluster:admin*", "indices:admin*", "indices:data/write*"]

Here is my ACL configuration:

{
    "acl": [
        {
            "__Comment__": "By default no filters are executed and no filters are by-passed. In such a case a exception is thrown and access will be denied.",
            "filters_bypass": [],
            "filters_execute": []
        },
        {
            "__Comment__": "For role 'admin' all filters are bypassed (so none will be executed). This means unrestricted access.",
            "roles": [
                "admin"
            ],
            "indices": [
                "logstash-2014.10.05"
            ],
            "filters_bypass": ["dlsfilter.*","dlsfilter.*"],
            "filters_execute": ["*"]
        },
        {
            "__Comment__": "For role 'operations' all filters will be executed.",
            "roles": [
                "manager"
            ],
            "filters_bypass": [],
            "filters_execute": ["*"]
        }
    ]
}

Please do the needful.

Thanks,

Lakshmi.

acl seems strange, you have no filter "dlsfilter.*" configured?
What are you trying to do?

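The point raised in the reply above, as an added example that is not part of the thread or of Search Guard itself: a small Python check that lists ACL filter patterns matching no configured filter. It assumes that ACL filter ids have the form `<filtertype>.<name>`, built from the `searchguard.<filtertype>.names` settings, and that `*` is a glob wildcard; the function names are hypothetical.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample input: the filter settings and ACL entries from the question.
SETTINGS = '''
searchguard.actionrequestfilter.names: ["readonly"]
searchguard.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
'''

ACL = '''
{"acl": [
  {"filters_bypass": [], "filters_execute": []},
  {"roles": ["admin"], "indices": ["logstash-2014.10.05"],
   "filters_bypass": ["dlsfilter.*", "dlsfilter.*"], "filters_execute": ["*"]},
  {"roles": ["manager"], "filters_bypass": [], "filters_execute": ["*"]}
]}
'''

NAMES_RE = re.compile(r'^searchguard\.(\w+filter)\.names:\s*(\[.*\])\s*$')


def configured_filters(settings_text):
    """Return ids such as 'actionrequestfilter.readonly' (assumed id format)."""
    ids = set()
    for line in settings_text.splitlines():
        m = NAMES_RE.match(line.strip())
        if m:
            ids.update(f"{m.group(1)}.{name}" for name in json.loads(m.group(2)))
    return ids


def unmatched_patterns(acl_text, filter_ids):
    """List (entry index, key, pattern) where the pattern matches no filter."""
    findings = []
    for i, entry in enumerate(json.loads(acl_text)["acl"]):
        for key in ("filters_bypass", "filters_execute"):
            for pattern in dict.fromkeys(entry.get(key, [])):  # de-duplicate
                if not any(fnmatchcase(f, pattern) for f in filter_ids):
                    findings.append((i, key, pattern))
    return findings


if __name__ == "__main__":
    ids = configured_filters(SETTINGS)
    for i, key, pattern in unmatched_patterns(ACL, ids):
        print(f"acl[{i}].{key}: '{pattern}' matches none of {sorted(ids)}")
```
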

you can update

"filters_bypass": ["dlsfilter.*","dlsfilter.*"],

like this:

"filters_bypass": ["*"],
