"Additional permissions required" though permissions are set to "INDICES_ALL"

Hello,

I cannot create index pattern or Dashboards in Kibana for an own index user, because he does not seem to have the permissions to write on his .kibana index, although the role has “INDICES_ALL” permissions.

This is the log snippet:

[2018-08-17T14:27:08,168][DEBUG][c.f.s.r.IndexResolverReplacer] Resolve aliases, indices and types from BulkShardRequest
[2018-08-17T14:27:08,168][DEBUG][c.f.s.r.IndexResolverReplacer] Resolved pattern [.kibana_useracc1] to [.kibana_useracc1]
[2018-08-17T14:27:08,168][DEBUG][c.f.s.c.PrivilegesEvaluator] requestedResolved : Resolved [aliases=, indices=[.kibana_useracc1], allIndices=[.kibana_useracc1], types=[doc], isAll()=false, isEmpty()=false]
[2018-08-17T14:27:08,168][DEBUG][c.f.s.c.PrivilegesEvaluator] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2018-08-17T14:27:08,168][DEBUG][c.f.s.c.PrivilegesEvaluator] requested [indices:data/write/index, indices:data/write/bulk[s]] from 176.9.xx.xx:33076
[2018-08-17T14:27:08,168][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: Resolved [aliases=, indices=[.kibana_useracc1], allIndices=[.kibana_useracc1], types=[doc], isAll()=false, isEmpty()=false]

This is my sg_roles.yml

sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana_${user_name}':
      '*':
        - INDICES_ALL
        - "indices:data/write/index"
    'smgw_log_${user_name}_mod':
      '*':
        - INDICES_ALL
    '?kibana':
      '*':
        - INDICES_ALL

As you can see I also added permissions for “indices:data/write/index” manually. No problems when creating Index patterns with admin account. I left sg_action_groups.yml as is.

I am using ELK-Stack 6.2.4 with Searchguard Kibana Plugin. Searchguard version 23.0

Thanks for help

I get the same message with admin now. Need to look further in this.


So what I also discovered, and what could also have to do with my problem, is that when I log in with the admin account and then log in with a restricted-rights account, the restricted-rights account can still see everything from the admin perspective. When I log in with a different browser, access is restricted.
Looking at the logs, I see that even after I log in with the restricted user every request is still made with the admin user, which would indicate that the browser session which SearchGuard opens is not properly killed after logout. Is this a known problem?

You write “to write on his .kibana index”, I guess you are referring to this:

indices:
  '?kibana_${user_name}':
    '*':
      - INDICES_ALL
      - "indices:data/write/index"

If you are using the Search Guard multi-tenancy feature, you do not need to grant any permission to any tenant index directly, including the private one. The multi-tenancy module takes care of that.

What I don’t understand is where the BulkShardRequest to the index “.kibana_useracc1” is coming from. The index name “.kibana_useracc1” is not an SG tenant index, they have the format .kibana__tenantname. So what exactly is your setup here that causes the problem? It does not seem like a standard multi-tenancy setup.


On Friday, August 17, 2018 at 7:47:06 AM UTC-5, Sven Bienert wrote:

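Added example (not part of any post in this thread, and not Search Guard's own evaluator): a simplified Python model that checks the request from the DEBUG log against the index patterns of the posted sg_own_index role, to rule a pattern or action-group mismatch in or out. It assumes that INDICES_ALL expands to "indices:*" and that the user name is "useracc1" (inferred from the index name); the function names are hypothetical.

```python
import re

# Assumption: INDICES_ALL expands to "indices:*" as in the stock sg_action_groups.yml.
ACTION_GROUPS = {"INDICES_ALL": ["indices:*"]}

# Index permissions of sg_own_index from the post: index pattern -> type -> permissions.
ROLE = {
    "?kibana_${user_name}": {"*": ["INDICES_ALL", "indices:data/write/index"]},
    "smgw_log_${user_name}_mod": {"*": ["INDICES_ALL"]},
    "?kibana": {"*": ["INDICES_ALL"]},
}

# Two of the DEBUG lines from the post.
LOG = """\
[2018-08-17T14:27:08,168][DEBUG][c.f.s.c.PrivilegesEvaluator] requestedResolved : Resolved [aliases=, indices=[.kibana_useracc1], allIndices=[.kibana_useracc1], types=[doc], isAll()=false, isEmpty()=false]
[2018-08-17T14:27:08,168][DEBUG][c.f.s.c.PrivilegesEvaluator] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
"""

def wildcard(pattern, value):
    """Match with * (any run of characters) and ? (exactly one character)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def parse_request(log):
    """Pull the resolved indices and the requested actions out of the log."""
    indices, actions = [], []
    for line in log.splitlines():
        if "requestedResolved" in line:
            indices = re.search(r"\bindices=\[([^\]]*)\]", line).group(1).split(", ")
        elif "Additional permissions required: [" in line:
            # The action list itself contains brackets (bulk[s]), so cut by position.
            actions = line.split("required: [", 1)[1].rstrip()[:-1].split(", ")
    return indices, actions

def missing(role, user, indices, actions, doc_type="doc"):
    """Return the (index, action) pairs that no pattern in the role covers."""
    gaps = []
    for idx in indices:
        for act in actions:
            covered = any(
                wildcard(ipat.replace("${user_name}", user), idx)
                and wildcard(tpat, doc_type)
                and wildcard(apat, act)
                for ipat, types in role.items()
                for tpat, perms in types.items()
                for perm in perms
                for apat in ACTION_GROUPS.get(perm, [perm]))
            if not covered:
                gaps.append((idx, act))
    return gaps

if __name__ == "__main__":
    indices, actions = parse_request(LOG)
    print(missing(ROLE, "useracc1", indices, actions))  # assumed user name
```

An empty result means the patterns and action groups as written cover the logged request under this model, so the role's pattern syntax is not what the message points at.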