do_not_fail_on_forbidden security exception when user has access to zero indices

Elasticsearch 6.4.2

SG 23.2

SG Kibana 16

Have run into an issue. do_not_fail_on_forbidden is enabled, but when selecting an alias in Kibana Discover that a user has zero permissions to any indices under that alias, Kibana will throw an exception. The audit log will show the same thing, “MISSING_PERMISSIONS”, but it will not list any indices that it is missing permissions for. This happens with tenancy enabled or disabled.

Discover: [security_exception] no permissions for and User [name=username@domain.com, roles=[kibanauser, alias1], requestedTenant=null]

This only happens if the user has permissions to NO indices that are under that alias. I created an index called “dummy” that is 100% empty with zero documents and added it to the alias, and the exception in Kibana disappears.

Steps to replicate:

Alias:

alias1

Member indices of alias1:

indice1

indice2

  1. “alias1” is added as a Kibana index template in Kibana by an admin that has permission to everything
  2. admin user can see indice1 and indice2
  3. Normal user is created that does not have permission to indice1 or indice2.
  4. Normal user logs in and gets the security_exception when selecting “alias1” in the Discover tab
  5. admin user creates a dummy/blank index in the alias1 alias and gives the normal user read permissions to this dummy index
  6. Normal user can select “alias1” in the Discover tab now and it works without error. The Discover tab shows zero results since the dummy index is empty.

Currently dnfof (do_not_fail_on_forbidden) works indeed exactly this way: If the user has no permissions for any of the queried indices, then in fact a security exception is thrown.

Can you file an issue for that?

On 09.02.2019 at 18:25, Brian <briansrch@gmail.com> wrote:

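The behaviour confirmed in the reply, as an added example that is not part of the thread and is not Search Guard's code: a simplified Python model in which dnfof drops forbidden indices from a request and still raises when nothing remains. All function names and the sample data are assumptions constructed from the reproduction steps.

```python
# Simplified model of the dnfof behaviour described in this thread.
# NOT Search Guard's implementation; every name below is hypothetical.


class SecurityException(Exception):
    """Stands in for the [security_exception] Kibana shows."""


# Constructed sample data mirroring the reproduction steps.
ALIASES = {"alias1": ["indice1", "indice2"]}
ALIASES_WITH_DUMMY = {"alias1": ["indice1", "indice2", "dummy"]}


def resolve(requested, aliases):
    """Expand alias names to their member indices, keeping order."""
    resolved = []
    for name in requested:
        for index in aliases.get(name, [name]):
            if index not in resolved:
                resolved.append(index)
    return resolved


def authorize_search(permitted, requested, aliases, dnfof=True):
    """Return the indices a search may run against, or raise."""
    resolved = resolve(requested, aliases)
    allowed = [i for i in resolved if i in permitted]
    denied = [i for i in resolved if i not in permitted]
    if denied and not dnfof:
        # Without dnfof a single forbidden index fails the request.
        raise SecurityException(f"missing permissions for {denied}")
    if not allowed:
        # With dnfof every forbidden index is dropped; if that leaves
        # nothing to query, the request is still rejected.
        raise SecurityException("no permitted index left after filtering")
    return allowed


if __name__ == "__main__":
    print(authorize_search({"indice1", "indice2"}, ["alias1"], ALIASES))
    print(authorize_search({"dummy"}, ["alias1"], ALIASES_WITH_DUMMY))
    try:
        authorize_search(set(), ["alias1"], ALIASES)
    except SecurityException as exc:
        print("rejected:", exc)
```
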