Creating index patterns within tenants

On my development Elasticsearch cluster, I am trying to add the multitenancy feature. However, after setting up everything (and flushing cache), I don’t seem to be able to create index patterns in Kibana. The error shown in the ES logs is:

es-hot1.c1: [2018-11-28T13:21:03,457][WARN ][c.f.s.c.PrivilegesInterceptorImpl] Tenant dummytenant is not allowed for user dummyuser

[2018-11-28T13:21:03,458][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=dummyuser, roles=[dummytag], requestedTenant=dummytenant] [IndexType [index=.kibana6_-143601838_dummytenant, type=*]] [Action [[indices:admin/create]]] [RolesChecked ]


Important remarks:

  • Logging into Kibana works
  • The tenants page shows “Active tenant: dummytenant”

Am I doing something wrong? Or is the tenant system only for Dashboards / Visualizations and not index patterns? If that is the case, why can’t I see the index patterns from other users then?

  • Search Guard and Elasticsearch version
    ES: 6.2.3
    SG: 6.2.3-31.0
    SG-Kibana: 6.2.3-12

  • Installed and used enterprise modules, if any
    All

  • JVM version and operating system version
    1.8.0_162, Debian Jessie

_searchguard/api/roles/dummytag

{
  "dummytag": {
    "cluster": [
      "indices:data/read/mget",
      "indices:data/read/msearch",
      "indices:data/read/search"
    ],
    "tenants": {
      "dummytenant": "RW"
    },
    "indices": {
      "?kibana6": {
        "*": [
          "READ"
        ]
      },
      "?kibana6*dummytenant": {
        "*": [
          "UNLIMITED"
        ]
      },
      "heartbeat*": {
        "*": [
          "READ"
        ],
        "_dls_": "{\"match\":{\"resolve.host\":\"dummytag.server\"}}"
      }
    }
  }
}

_searchguard/api/internalusers/dummyuser

{
  "dummyuser": {
    "password": "",
    "roles": [
      "dummytag"
    ],
    "hash": "$2y…"
  }
}

The multi tenancy feature also includes index patterns, yes. The problem here is that the dummyuser is not assigned to any Search Guard role, thus it has no tenants defined:

[2018-11-28T13:21:03,458][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=dummyuser, roles=[dummytag], requestedTenant=dummytenant] [IndexType [index=.kibana6_-143601838_dummytenant, type=*]] [Action [[indices:admin/create]]] [RolesChecked []]


The RolesChecked field is empty. My first guess is that you might have forgotten to map the dummyuser to the dummytag role:

https://docs.search-guard.com/latest/mapping-users-roles

Let me know if this helps. You can also use the authinfo endpoint in Search Guard to check the settings for the currently logged in user:

https://sgssl-0.example.com:9200/_searchguard/authinfo

On Wednesday, November 28, 2018 at 1:53:40 PM UTC+1, Jeroen van Heugten wrote:

On my development Elasticsearch cluster, I am trying to add the multitenancy feature. However, after setting up everything (and flushing cache), I don’t seem to be able to create index patterns in Kibana. The error shown in the ES logs is:

es-hot1.c1: [2018-11-28T13:21:03,457][WARN ][c.f.s.c.PrivilegesInterceptorImpl] Tenant dummytenant is not allowed for user dummyuser

[2018-11-28T13:21:03,458][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=dummyuser, roles=[dummytag], requestedTenant=dummytenant] [IndexType [index=.kibana6_-143601838_dummytenant, type=*]] [Action [[indices:admin/create]]] [RolesChecked ]
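The reading of the denial line given in the reply above, as an added example that is not part of the original thread and not Search Guard's own code: a small Python parser that separates the backend roles carried by the user (the roles=[...] field) from the Search Guard roles that were actually evaluated (RolesChecked), and flags the case where the first is populated and the second is empty. The regular expression is written against the log lines quoted in this thread; the role name sg_dummytag in the third sample line is constructed.

```python
import re

# Format of the PrivilegesEvaluator denial line quoted in this thread (Search Guard 6.2.x).
DENIAL = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+), "
    r"roles=\[(?P<backend>[^\]]*)\], requestedTenant=(?P<tenant>[^\]]*)\] "
    r"\[IndexType \[index=(?P<index>[^,\]]+), type=[^\]]*\]\] "
    r"\[Action \[\[(?P<action>[^\]]+)\]\]\] "
    r"\[RolesChecked (?P<checked>.*)\]\s*$"
)

def _names(raw):
    """Split 'a, b' or '[a, b]' into a list; '' and '[]' give an empty list."""
    return [n.strip() for n in raw.strip().strip("[]").split(",") if n.strip()]

def diagnose(line):
    """Return a finding dict for a denial line, or None for any other line."""
    m = DENIAL.search(line)
    if m is None:
        return None
    backend, checked = _names(m["backend"]), _names(m["checked"])
    if not checked:
        # Nothing was evaluated: the user resolved to zero Search Guard roles.
        cause = "backend roles not mapped" if backend else "no roles at all"
    else:
        cause = "mapped roles lack permission"
    return {"user": m["user"], "tenant": m["tenant"], "index": m["index"],
            "action": m["action"], "backend_roles": backend,
            "sg_roles_checked": checked, "cause": cause}

PREFIX = "[2018-11-28T13:21:03,458][INFO ][c.f.s.c.PrivilegesEvaluator] "
BODY = ("No index-level perm match for User [name=dummyuser, roles=[dummytag], "
        "requestedTenant=dummytenant] [IndexType [index=.kibana6_-143601838_dummytenant, "
        "type=*]] [Action [[indices:admin/create]]] ")
SAMPLE_LOG = [
    PREFIX + BODY + "[RolesChecked ]",     # as first posted in the thread
    PREFIX + BODY + "[RolesChecked []]",   # as quoted in the reply
    PREFIX + BODY + "[RolesChecked [sg_dummytag]]",  # constructed: role mapped but too narrow
    "[2018-11-28T13:21:03,457][WARN ][c.f.s.c.PrivilegesInterceptorImpl] "
    "Tenant dummytenant is not allowed for user dummyuser",  # not an evaluator line
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```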

Ah, I was linking the user to the role with the backendroles instead of rolesmapping, as that would have saved me from writing some logic for the rolesmapping API. It works indeed with rolesmapping.

However, I am curious why I was able to log in to Kibana with the right tenant + index permissions with only backendroles set. Could you maybe explain that?

On Wednesday, 28 November 2018 15:04:40 UTC+1, Jochen Kressin wrote:

The multi tenancy feature also includes index patterns, yes. The problem here is that the dummyuser is not assigned to any Search Guard role, thus it has no tenants defined:

[2018-11-28T13:21:03,458][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=dummyuser, roles=[dummytag], requestedTenant=dummytenant] [IndexType [index=.kibana6_-143601838_dummytenant, type=*]] [Action [[indices:admin/create]]] [RolesChecked []]

The RolesChecked field is empty. My first guess is that you might have forgotten to map the dummyuser to the dummytag role:

https://docs.search-guard.com/latest/mapping-users-roles

Let me know if this helps. You can also use the authinfo endpoint in Search Guard to check the settings for the currently logged in user:

https://sgssl-0.example.com:9200/_searchguard/authinfo


The login page / process checks whether the provided credentials are correct. If this is the case, you can enter Kibana and then the Search Guard roles define what data you can see. We are working on more fine-grained access permissions for Kibana and better error messages, though.

On Wednesday, November 28, 2018 at 3:27:38 PM UTC+1, Jeroen van Heugten wrote:

Ah, I was linking the user to the role with the backendroles instead of rolesmapping, as that would have saved me from writing some logic for the rolesmapping API. It works indeed with rolesmapping.

However, I am curious why I was able to log in to Kibana with the right tenant + index permissions with only backendroles set. Could you maybe explain that?
