Hi,
I am trying to upgrade my Elastic 6.6.2 cluster to Elastic 6.7.2 and am getting errors about kibanaserver not having permissions for [indices:data/read/search] on the .kibana_task_manager index. The end result is that the Elasticsearch nodes cluster without issue but Kibana fails to start its service after the upgrade.
Elasticsearch log:
[2019-06-05T12:05:32,375][INFO ][c.f.s.p.PrivilegesEvaluator] [ip-xx-xx-xx-xxx] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] Resolved [aliases=, indices=[.kibana_task_manager], allIndices=[.kibana_task_manager], types=[_doc], originalRequested=[.kibana_task_manager], remoteIndices=] [Action [indices:data/read/search]] [RolesChecked [sg_kibana_server]]
[2019-06-05T12:05:32,376][INFO ][c.f.s.p.PrivilegesEvaluator] [ip-xx-xx-xx-xxx] No permissions for [indices:data/read/search]
Kibana log:
{“type”:“log”,“@timestamp”:“2019-06-05T17:05:26Z”,“tags”:[“error”,“task_manager”],“pid”:26788,“message”:“Failed to poll for work: [security_exception] no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=, requestedTenant=null] :: {"path":"/.kibana_task_manager/_doc/_search","query":{"ignore_unavailable":true},"body":"{\"query\":{\"bool\":{\"must\":[{\"term\":{\"type\":\"task\"}},{\"bool\":{\"must\":[{\"terms\":{\"task.taskType\":[\"maps_telemetry\",\"vis_telemetry\"]}},{\"range\":{\"task.attempts\":{\"lte\":3}}},{\"range\":{\"task.runAt\":{\"lte\":\"now\"}}},{\"range\":{\"kibana.apiVersion\":{\"lte\":1}}}]}}]}},\"size\":10,\"sort\":{\"task.runAt\":{\"order\":\"asc\"}},\"seq_no_primary_term\":true}","statusCode":403,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=, requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=, requestedTenant=null]\"},\"status\":403}"}”}
In researching this issue it seems that the fix is to configure sg_config.yml with dynamic.kibana.do_not_fail_on_forbidden=true, preventing the service from dying when it encounters that error. Is this still true in this scenario or is there a different approach to take?
elasticsearch.yml:
# Generated by chef
#
---
cluster:
name: elk_test_cluster
routing:
allocation:
allow_rebalance: always
disk:
watermark:
low: 90%
high: 95%
path:
data: "/data"
logs: "/var/log/elasticsearch/"
network:
host:
- 192.168.10.10
- localhost
http:
port: '9200'
xpack:
ml:
enabled: false
security:
enabled: false
http:
ssl:
verification_mode: none
monitoring:
enabled: true
graph:
enabled: true
watcher:
enabled: true
notification:
email:
account:
smtp_account:
profile: standard
smtp:
host: localhost
searchguard:
restapi:
roles_enabled:
- sg_all_access
ssl:
transport:
pemcert_filepath: x-pack/elasticsearch.crt
pemkey_filepath: x-pack/elasticsearch.key
pemtrustedcas_filepath: x-pack/ca.crt
enforce_hostname_verification: false
resolve_hostname: false
http:
enabled: true
pemcert_filepath: x-pack/elasticsearch.crt
pemkey_filepath: x-pack/elasticsearch.key
pemtrustedcas_filepath: x-pack/ca.crt
enterprise_modules_enabled: false
enable_snapshot_restore_privilege: true
authcz:
admin_dn:
- CN=admin.elastictest.com,OU=Ops,O=elastictest Com\, Inc.,DC=elastictest,DC=com
cert:
oid: 1.2.3.4.5.5
node:
name: test-master-centos-7
master: true
data: false
ingest: false
thread_pool:
bulk:
queue_size: 1000
search:
queue_size: 10000
bootstrap:
system_call_filter: false
gateway:
expected_master_nodes: 1
discovery:
zen:
ping:
unicast:
hosts:
- 192.168.10.10
minimum_master_nodes: 1
kibana.yml
# Generated by chef
#
---
server:
host: 0.0.0.0
ssl:
enabled: true
key: "/etc/kibana/kibana.key"
certificate: "/etc/kibana/kibana.crt"
elasticsearch:
url: https://localhost:9200
username: kibanaserver_user
password: kibanaserver_password
ssl:
certificateAuthorities: "/etc/kibana/ca.crt"
key: "/etc/kibana/kibana.key"
certificate: "/etc/kibana/kibana.crt"
verificationMode: none
requestHeadersWhitelist:
- authorization
- x-forwarded-for
- x-forwarded-by
- x-proxy-user
- x-proxy-roles
xpack:
security:
enabled: false
monitoring:
enabled: true
graph:
enabled: true
spaces:
enabled: false
infra:
enabled: false
reporting:
enabled: true
encryptionKey: bySecureCloud
csv:
maxSizeBytes: '20971520'
kibanaServer:
port: '5601'
protocol: https
logging:
dest: "/var/log/kibana/kibana.log"
verbose: false
pid:
file: "/var/run/kibana/kibana.pid"
searchguard:
allow_client_certificates: true
basicauth:
enabled: false
cookie:
secure: true
password: somereallylongpasswordwithmorethanthirtytwocharactersinit
console.proxyConfig:
- ssl.verify: false
sg_action_groups.yml
UNLIMITED:
readonly: true
permissions:
- "*"
###### INDEX LEVEL ######
INDICES_ALL:
readonly: true
permissions:
- "indices:*"
# for backward compatibility
ALL:
readonly: true
permissions:
- INDICES_ALL
MANAGE:
readonly: true
permissions:
- "indices:monitor/*"
- "indices:admin/*"
CREATE_INDEX:
readonly: true
permissions:
- "indices:admin/create"
- "indices:admin/mapping/put"
MANAGE_ALIASES:
readonly: true
permissions:
- "indices:admin/aliases*"
# for backward compatibility
MONITOR:
readonly: true
permissions:
- INDICES_MONITOR
INDICES_MONITOR:
readonly: true
permissions:
- "indices:monitor/*"
DATA_ACCESS:
readonly: true
permissions:
- "indices:data/*"
- CRUD
WRITE:
readonly: true
permissions:
- "indices:data/write*"
- "indices:admin/mapping/put"
READ:
readonly: true
permissions:
- "indices:data/read*"
- "indices:admin/mappings/fields/get*"
DELETE:
readonly: true
permissions:
- "indices:data/write/delete*"
CRUD:
readonly: true
permissions:
- READ
- WRITE
SEARCH:
readonly: true
permissions:
- "indices:data/read/search*"
- "indices:data/read/msearch*"
- SUGGEST
SUGGEST:
readonly: true
permissions:
- "indices:data/read/suggest*"
INDEX:
readonly: true
permissions:
- "indices:data/write/index*"
- "indices:data/write/update*"
- "indices:admin/mapping/put"
- "indices:data/write/bulk*"
GET:
readonly: true
permissions:
- "indices:data/read/get*"
- "indices:data/read/mget*"
###### CLUSTER LEVEL ######
CLUSTER_ALL:
readonly: true
permissions:
- "cluster:*"
CLUSTER_MONITOR:
readonly: true
permissions:
- "cluster:monitor/*"
CLUSTER_COMPOSITE_OPS_RO:
readonly: true
permissions:
- "indices:data/read/mget"
- "indices:data/read/msearch"
- "indices:data/read/mtv"
- "indices:admin/aliases/exists*"
- "indices:admin/aliases/get*"
- "indices:data/read/scroll"
CLUSTER_COMPOSITE_OPS:
readonly: true
permissions:
- "indices:data/write/bulk"
- "indices:admin/aliases*"
- "indices:data/write/reindex"
- CLUSTER_COMPOSITE_OPS_RO
MANAGE_SNAPSHOTS:
readonly: true
permissions:
- "cluster:admin/snapshot/*"
- "cluster:admin/repository/*"
sg_config.yml
# Generated by chef
#
---
searchguard:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: true
internalProxies: ".*"
remoteIpHeader: x-forwarded-for
proxiesHeader: x-forwarded-by
trustedProxies: ".*"
authc:
proxy_auth_domain:
http_enabled: true
order: 0
http_authenticator:
type: proxy
challenge: false
config:
user_header: x-proxy-user
roles_header: x-proxy-roles
authentication_backend:
type: noop
basic_internal_auth_domain:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authenication_backend:
type: intern
sg_internal_users.yml
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
#password is: admin
admin:
readonly: true
hash: $2y$12...
roles:
- admin
logstash:
hash: $2y$12...
roles:
- logstash
- xp_monitoring
kibanaserver:
readonly: true
hash: $2y$12...
curator:
hash: $2y$12...
roles:
- admin
snapshotrestore:
hash: $2y$12...
roles:
- snapshotrestore
sg_roles_mapping.yml
# Generated by chef
#
# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml
sg_all_access:
readonly: true
backendroles:
- admin
- dc_power_user
sg_logstash:
backendroles:
- logstash
sg_kibana_server:
readonly: true
users:
- kibanaserver
sg_kibana_user:
backendroles:
- cloud_power
- skyblue_power_user
- mixology_power_user
sg_alerting:
backendroles:
- cloud_power
- skyblue_power_user
- mixology_power_user
sg_curator:
users:
- curator
sg_snapshot_restore:
users:
- admin
sg_manage_snapshots:
readonly: true
backendroles:
- snapshotrestore
sg_xp_monitoring:
backendroles:
- xp_monitoring
sg_roles.yml
# Generated by chef
#
#<sg_role_name>:
# cluster:
# - '<permission>'
# indices:
# '<indexname or alias>':
# '<type>':
# - '<permission>'
# _dls_: '<dls query>'
# _fls_:
# - '<field>'
# - '<field>'
# When a user make a request to Elasticsearch then the following roles will be evaluated to see if the user has
# permissions for the request. A request is always associated with an action and is executed against and index (or alias)
# and a type. If a request is executed against all indices (or all types) then the asterix ('*') is needed.
# Every role a user has will be examined if it allows the action against an index (or type). At least one role must match
# for the request to be successful. If no role match then the request will be denied. Currently a match must happen within
# one single role - that means that permissions can not span multiple roles.
# For <permission>, <indexname or alias> and <type> simple wildcards and regular expressions are possible.
# A asterix (*) will match any character sequence (or an empty sequence)
# A question mark (?) will match any single character (but NOT empty character)
# Example: '*my*index' will match 'my_first_index' as well as 'myindex' but not 'myindex1'
# Example: '?kibana' will match '.kibana' but not 'kibana'
# To use a full blown regex you have to pre- and apend a '/' to use regex instead of simple wildcards
# '/<java regex>/'
# Example: '/\S*/' will match any non whitespace characters
# Important:
# Index, alias or type names can not contain dots (.) in the <indexname or alias> or <type> expression.
# Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys.
# Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index'
# This limitation will likely removed with Search Guard 6
# DLS (Document level security) - NOT FREE FOR COMMERCIAL
# http://docs.search-guard.com/v6/document-level-security
# FLS (Field level security) - NOT FREE FOR COMMERCIAL
# http://docs.search-guard.com/v6/field-level-security
# Kibana multitenancy - NOT FREE FOR COMMERCIAL
# http://docs.search-guard.com/v6/kibana-multi-tenancy
# Allows everything, but no changes to searchguard configuration index
sg_all_access:
readonly: true
cluster:
- UNLIMITED
indices:
'*':
'*':
- UNLIMITED
tenants:
admin_tenant: RW
# Read all, but no write permissions
sg_readall:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
'*':
'*':
- READ
# Read all and monitor, but no write permissions
sg_readall_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
'*':
'*':
- READ
# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS
- "indices:data/read/scroll*"
indices:
'?kibana':
'*':
- MANAGE
- INDEX
- READ
- DELETE
'?kibana-6':
'*':
- MANAGE
- INDEX
- READ
- DELETE
'?kibana_*':
'*':
- MANAGE
- INDEX
- READ
- DELETE
'?tasks':
'*':
- INDICES_ALL
'?management-beats':
'*':
- INDICES_ALL
'*':
'*':
- indices:data/read/field_caps*
- indices:data/read/xpack/rollup*
- indices:admin/mappings/get*
- indices:admin/get
# For the kibana server
sg_kibana_server:
readonly: true
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring*
- indices:admin/template*
indices:
'?kibana':
'*':
- INDICES_ALL
'?kibana-6':
'*':
- INDICES_ALL
'?kibana_*':
'*':
- INDICES_ALL
'?reporting*':
'*':
- INDICES_ALL
'?monitoring*':
'*':
- INDICES_ALL
'?tasks':
'*':
- INDICES_ALL
'?management-beats*':
'*':
- INDICES_ALL
'*':
'*':
- "indices:admin/aliases*"
sg_snapshot_restore:
cluster:
- cluster:admin/repository/put
- cluster:admin/repository/get
- cluster:admin/snapshot/status
- cluster:admin/snapshot/get
- cluster:admin/snapshot/create
- cluster:admin/snapshot/restore
- cluster:admin/snapshot/delete
indices:
'*':
'*':
- indices:data/write/index
- indices:admin/create
# For logstash and beats
sg_logstash:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- indices:admin/template/get
- indices:admin/template/put
indices:
'logstash-*':
'*':
- CRUD
- CREATE_INDEX
'*beat*':
'*':
- CRUD
- CREATE_INDEX
# For the curator user
sg_curator:
cluster:
- "CLUSTER_MONITOR"
- "CLUSTER_COMPOSITE_OPS"
indices:
'*':
'*':
- UNLIMITED
# Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
cluster:
- MANAGE_SNAPSHOTS
indices:
'*':
'*':
- "indices:data/write/index"
- "indices:admin/create"
# Allows each user to access own named index
sg_own_index:
cluster:
- CLUSTER_COMPOSITE_OPS
indices:
'${user_name}':
'*':
- INDICES_ALL
### X-Pack COMPATIBILITY
sg_xp_monitoring:
readonly: true
cluster:
- cluster:monitor/xpack/info
- cluster:monitor/main
- cluster:admin/xpack/monitoring/bulk
indices:
'?monitor*':
'*':
- INDICES_ALL
sg_xp_alerting:
readonly: true
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher*
- cluster:monitor/xpack/watcher*
indices:
'?watches*':
'*':
- INDICES_ALL
'?watcher-history-*':
'*':
- INDICES_ALL
'?triggered_watches':
'*':
- INDICES_ALL
'*':
'*':
- READ
- indices:admin/aliases/get
sg_xp_machine_learning:
readonly: true
cluster:
- cluster:admin/persistent*
- cluster:internal/xpack/ml*
- indices:data/read/scroll*
- cluster:admin/xpack/ml*
- cluster:monitor/xpack/ml*
indices:
'*':
'*':
- READ
- indices:admin/get*
'?ml-*':
'*':
- "*"
### LEGACY ROLES, FOR COMPATIBILITY ONLY
### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
cluster:
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
'*':
'*':
- READ
# Make xpack monitoring work
sg_monitor:
cluster:
- cluster:admin/xpack/monitoring/*
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
- indices:admin/template/get
- indices:admin/template/put
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
'?monitor*':
'*':
- INDICES_ALL
'?marvel*':
'*':
- INDICES_ALL
'?kibana*':
'*':
- READ
'*':
'*':
- indices:data/read/field_caps
# Make xpack alerting work
sg_alerting:
cluster:
- indices:data/read/scroll
- cluster:admin/xpack/watcher/watch/put
- cluster:admin/xpack/watcher*
- CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
indices:
'?kibana*':
'*':
- READ
'?watches*':
'*':
- INDICES_ALL
'?watcher-history-*':
'*':
- INDICES_ALL
'?triggered_watches':
'*':
- INDICES_ALL
'*':
'*':
- READ
