Dynamic users in community edition

I am trying to create something similar to the logstash role that allows any user with the ingress_user role to be able to create an index with their own name and push data to it:

role:

```yaml
sg_igress_user:
  cluster:
    - UNLIMITED
  indices:
    '${user_name}-*':
      '*':
        - UNLIMITED
```

mapping:

```yaml
sg_ingress_user:
  backendroles:
    - ingress_user
```

internal user:

```yaml
martin:
  readonly: true
  hash:
  roles:
    - ingress_user
```

When I post data with this curl I get the following error:

```shell
$ curl -XPUT -sk -u martin: "https:///martin-2018-11/doc/1?pretty" -H 'Content-Type: application/json' -d '{ "d": "some data"}'
```

```json
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:data/write/index] and User [name=martin, roles=[ingress_user], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:data/write/index] and User [name=martin, roles=[ingress_user], requestedTenant=null]"
  },
  "status" : 403
}
```

If I post the same with the admin user it works.

Does ${user_name} work in the community edition? Given it's described in the community docs (Search Guard role-based authorization for Elasticsearch | Security for Elasticsearch | Search Guard, https://docs.search-guard.com/latest/roles-permissions#dynamic-index-names-user-name-substitution) I'm guessing it should, but I've been caught out by this before.

Also, while I'm posting: is it ${user_name} or ${user.name}? The text in the documentation uses the dot, whereas the examples use the underscore.

Regards,

Martin

This feature is part of the Community Edition, so you can use it without a license. Your configuration also seems correct at first glance, so we need to test it here, stay tuned.

${user_name} is also correct, you can refer to the sg_own_index demo role:

```yaml
sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL
```

On Wednesday, November 14, 2018 at 3:54:36 PM UTC+1, Martin wrote:


Thanks for the update. I’m hoping there’s an easy fix as for now I’m adding a separate role and mapping for each user, which works but is cumbersome.

Do you have any insights yet?
Is there some debugging I should enable to get a better idea of where the error might be?

Regards,

Martin.

Have you managed to have a look at this?

Please can you give an update on this.

I need to start adding and managing users to our system in reasonably large volumes very soon and this feature makes the process significantly simpler.

Still nothing?

Sorry for the delay, the release of ES 6.5.0 and then the release of ES 6.5.1 immediately after that kept us busy. Things are back to normal, so expect an answer by today.


On Monday, November 26, 2018 at 11:21:25 AM UTC+1, martin.lester@vualto.com wrote:

Still nothing?

Hi Martin,

I can confirm that username substitution with wildcards works correctly in the Community Edition as well. We basically use the same role definition as you do:

```yaml
sg_usernamewildcardsubstitution:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '${user_name}-*':
      '*':
        - UNLIMITED
```

```yaml
usernamewildcardsubstitution:
  hash: $2y$12$dnVvW00VMliDpmEzxzfnbu0OYTvk5s3r70XxEo9boiHtl6BGbfIZi
```

```yaml
sg_usernamewildcardsubstitution:
  users:
    - usernamewildcardsubstitution
```

With this user I'm able to create an index and index documents:

```shell
curl -Ss --insecure -u usernamewildcardsubstitution:usernamewildcardsubstitution -XPUT "https://sgssl-0.example.com:9200/usernamewildcardsubstitution-2018-12.01"

curl -Ss --insecure -u usernamewildcardsubstitution:usernamewildcardsubstitution \
  -H 'Content-Type: application/json' \
  -XPUT "https://sgssl-0.example.com:9200/usernamewildcardsubstitution-2018.12.01/doc/1" \
  -d '{ "d": "some data"}'
```

I think we both just overlooked a typo in your configuration:

```yaml
sg_igress_user:
  cluster:
    - UNLIMITED
  indices:
    '${user_name}-*':
      '*':
        - UNLIMITED
```

That should read "sg_ingress_user", I guess.

A tip on debugging permission problems:

You can first check whether the user has all Search Guard roles by visiting the authinfo endpoint:

```
https://sgssl-0.example.com:9200/_searchguard/authinfo
```

This will print user information, including backend roles and Search Guard roles, in JSON format.

Next you can check the ES logs. In case of a permission problem you will see a log entry that tells you which user tried to access which indices, what roles the user has and what permissions are missing. For example:

```
sgssl-0.example.com_1_e2c77bd40af3 | [2018-11-27T12:49:15,401][INFO ][c.f.s.p.PrivilegesEvaluator] No index-level perm match for User [name=usernamewildcardsubstitution, roles=[], requestedTenant=null] Resolved [aliases=[], indices=[usernamesubstitution-2018-12.01], allIndices=[usernamesubstitution-2018-12.01], types=[], isAll()=false, isEmpty()=false] [Action [indices:admin/create]] [RolesChecked [sg_own_index, sg_usernamewildcardsubstitution]]
```
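A toy model of the resolution chain described in this answer, written as an added example (not Search Guard's code): backend role, then roles mapping, then role definition, then `${user_name}` substitution, then index pattern match. With the thread's original `sg_igress_user` typo the mapping points at a role name that has no definition, so no index pattern is ever checked and the write is refused; with the corrected name the same request succeeds, and a request for another user's index is still refused. The config dicts and the user are constructed to mirror the thread, and the permission matching is a simplification.

```python
import fnmatch

# Constructed config mirroring the thread. ROLES_TYPO keeps the original
# "sg_igress_user" key while the roles mapping names "sg_ingress_user".
ROLES_TYPO = {
    "sg_igress_user": {"cluster": ["UNLIMITED"],
                       "indices": {"${user_name}-*": {"*": ["UNLIMITED"]}}},
}
ROLES_FIXED = {
    "sg_ingress_user": {"cluster": ["UNLIMITED"],
                        "indices": {"${user_name}-*": {"*": ["UNLIMITED"]}}},
}
ROLES_MAPPING = {"sg_ingress_user": {"backendroles": ["ingress_user"]}}
USER = {"name": "martin", "roles": ["ingress_user"]}  # roles = backend roles


def resolve_sg_roles(user, mapping):
    """Search Guard roles whose mapping lists one of the user's backend roles or the user itself."""
    return sorted(
        sg_role for sg_role, m in mapping.items()
        if set(m.get("backendroles", [])) & set(user["roles"])
        or user["name"] in m.get("users", []))


def perm_allows(perms, action):
    """UNLIMITED covers every action; other entries are matched as wildcard action patterns."""
    return any(p == "UNLIMITED" or fnmatch.fnmatchcase(action, p) for p in perms)


def matching_roles(user, sg_roles, roles, index, action):
    """Roles the user holds whose substituted index pattern covers `index` for `action`."""
    hits = []
    for sg_role in sg_roles:
        # A mapped role with no definition (the typo case) contributes no index patterns.
        for pattern, types in roles.get(sg_role, {}).get("indices", {}).items():
            concrete = pattern.replace("${user_name}", user["name"])
            perms = [p for type_perms in types.values() for p in type_perms]
            if fnmatch.fnmatchcase(index, concrete) and perm_allows(perms, action):
                hits.append(sg_role)
    return hits


def evaluate(user, roles, mapping, index, action):
    """Return (status, detail): 200 with the matching roles, or 403 with the roles that were checked."""
    sg_roles = resolve_sg_roles(user, mapping)
    hits = matching_roles(user, sg_roles, roles, index, action)
    return (200, hits) if hits else (403, sg_roles)


if __name__ == "__main__":
    write = "indices:data/write/index"
    for label, roles in (("typo", ROLES_TYPO), ("fixed", ROLES_FIXED)):
        print(label, evaluate(USER, roles, ROLES_MAPPING, "martin-2018-11", write))
    print("other user's index", evaluate(USER, ROLES_FIXED, ROLES_MAPPING, "bob-2018-11", write))
```

The 403 tuple carries the roles that were checked, which is the same information the PrivilegesEvaluator log line shows in its RolesChecked field.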


On Monday, November 26, 2018 at 11:41:35 AM UTC+1, Jochen Kressin wrote:


So obvious! Thanks for that and the debugging tip.