Error in "clear scroll"

SG 7.1.1-35.0.0

We’ve been finding trouble when generating reports in Kibana, for non-admin users, where a few seconds after requesting the report, an error is thrown like

no permissions for [indices:data/read/scroll/clear] and User ...

This looks similar to the issue Permissions issue when using _search/scroll and clear where someone was using an explicit scroll. Has a fix been applied to a release of Search Guard? I can’t see it mentioned in the changelogs.

I also noticed when trying this manually that a DELETE _search/scroll/...id... returns a result which suggests it is clearing more than the requested single scroll context:

{
  "succeeded" : true,
  "num_freed" : 20
}

This might be related to why it’s a cluster-level permission, but perhaps represents a bug in Elasticsearch.

Did you try the config suggested by @jkressin? Permissions issue when using _search/scroll and clear

Yes, sorry, I hadn’t worded that well; I’m not reporting a new issue, I’d have continued commenting on the other ticket if it hadn’t auto-closed, so I didn’t see the need for full version info.

I used the cluster permission change suggested in the other post, and that fixes this Kibana reporting issue - I wanted to know if that permission has since been added to the demo configuration.

In the course of looking at it, I’m just noting that the DELETE (now successful) reports an unexpected value, and this might have a bearing on why this is a cluster permission instead of an index permission.

Please give the link to that ticket. I’ll try to reproduce it and let you know.

Sorry, other “topic” rather than “ticket” - the one in my OP and which you linked to in your previous comment - Permissions issue when using _search/scroll and clear

I tried to create a report and saw no errors. Tried with 7.7.1-42.0.0 and 7.1.1-37.0.0.

The user:

$ curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/internalusers/trex?pretty
{
 "trex" : {
  "hash" : "",
  "reserved" : false,
  "hidden" : false,
  "backend_roles" : [
   "kibanauser"
  ],
  "attributes" : { },
  "search_guard_roles" : [ ],
  "static" : false
 }
}

The role:

$ curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/roles/read_ecommerce?pretty
{
 "read_ecommerce" : {
  "reserved" : false,
  "hidden" : false,
  "description" : "",
  "cluster_permissions" : [ ],
  "index_permissions" : [
   {
    "index_patterns" : [
     "kibana_sample_data_ecommerce"
    ],
    "fls" : [ ],
    "masked_fields" : [ ],
    "allowed_actions" : [
     "SGS_READ",
     "SGS_SEARCH"
    ]
   }
  ],
  "tenant_permissions" : [ ],
  "static" : false
 }
}

The role mapping:

$ curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/rolesmapping/read_ecommerce?pretty
{
 "read_ecommerce" : {
  "reserved" : false,
  "hidden" : false,
  "backend_roles" : [ ],
  "hosts" : [ ],
  "users" : [
   "trex"
  ],
  "and_backend_roles" : [ ],
  "description" : ""
 }
}

The Kibana log:

server   log   [16:36:11.007] [info][queue-job][reporting] Successfully queued job: kb2fkhti15rn9d0062bksb78
server   log   [16:36:11.413] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Job marked as claimed: /.reporting-2020.05.31/_doc/kb2fkhti15rn9d0062bksb78
server   log   [16:36:11.414] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Starting job
server   log   [16:36:11.450] [info][browser-driver][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] Creating browser page driver
server   log   [16:36:12.019] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] opening url https://localhost:5601/app/kibana#/dashboard/722b74f0-b882-11e8-a6d9-e546fe2bba5f?_a=(description%3A'Analyze%20mock%20eCommerce%20orders%20and%20revenue'%2Cfilters%3A!()%2CfullScreenMode%3A!f%2Coptions%3A(hidePanelTitles%3A!f%2CuseMargins%3A!t)%2Cpanels%3A!((embeddableConfig%3A(vis%3A(colors%3A('Men!'s%20Accessories'%3A%2382B5D8%2C'Men!'s%20Clothing'%3A%23F9BA8F%2C'Men!'s%20Shoes'%3A%23F29191%2C'Women!'s%20Accessories'%3A%23F4D598%2C'Women!'s%20Clothing'%3A%2370DBED%2C'Women!'s%20Shoes'%3A%23B7DBAB)))%2CgridData%3A(h%3A10%2Ci%3A'1'%2Cw%3A36%2Cx%3A12%2Cy%3A18)%2Cid%3A'37cc8650-b882-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'1'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(vis%3A(colors%3A(FEMALE%3A%236ED0E0%2CMALE%3A%23447EBC)%2ClegendOpen%3A!f))%2CgridData%3A(h%3A11%2Ci%3A'2'%2Cw%3A12%2Cx%3A12%2Cy%3A7)%2Cid%3Aed8436b0-b88b-11e8-a6d9-e546fe2bba5f%2CpanelIndex%3A'2'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A7%2Ci%3A'3'%2Cw%3A18%2Cx%3A0%2Cy%3A0)%2Cid%3A'09ffee60-b88c-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'3'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A7%2Ci%3A'4'%2Cw%3A30%2Cx%3A18%2Cy%3A0)%2Cid%3A'1c389590-b88d-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'4'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A11%2Ci%3A'5'%2Cw%3A48%2Cx%3A0%2Cy%3A28)%2Cid%3A'45e07720-b890-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'5'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A10%2Ci%3A'6'%2Cw%3A12%2Cx%3A0%2Cy%3A18)%2Cid%3A'10f1a240-b891-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'6'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A11%2Ci%3A'7'%2Cw%3A12%2Cx%3A0%2Cy%3A7)%2Cid%3Ab80e6540-b891-11e8-a6d9-e546fe2bba5f%2CpanelIndex%3A'7'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(vis%3A(colors%3A('0%20-%2050'%3A%23E24D42%2C'50%20-%2075'%3A%23EAB839%2C'75%20-%20100'%3A%237EB26D)%2CdefaultColors%3A('0%20-%2050'%3A'rgb(165%2C0%2C38)'%2C'50%20-%2075'%3A'rgb(255%2C255%2C190)'%2C'75%20-%20100'%3A'rgb(0%2C104%2C55)')%2ClegendOpen%3A!f))%2CgridData%3A(h%3A11%2Ci%3A'8'%2Cw%3A12%2Cx%3A24%2Cy%3A7)%2Cid%3A'4b3ec120-b892-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'8'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(vis%3A(colors%3A('0%20-%202'%3A%23E24D42%2C'2%20-%203'%3A%23F2C96D%2C'3%20-%204'%3A%239AC48A)%2CdefaultColors%3A('0%20-%202'%3A'rgb(165%2C0%2C38)'%2C'2%20-%203'%3A'rgb(255%2C255%2C190)'%2C'3%20-%204'%3A'rgb(0%2C104%2C55)')%2ClegendOpen%3A!f))%2CgridData%3A(h%3A11%2Ci%3A'9'%2Cw%3A12%2Cx%3A36%2Cy%3A7)%2Cid%3A'9ca7aa90-b892-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'9'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A18%2Ci%3A'10'%2Cw%3A48%2Cx%3A0%2Cy%3A54)%2Cid%3A'3ba638e0-b894-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'10'%2Ctype%3Asearch%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(hiddenLayers%3A!()%2CisLayerTOCOpen%3A!f%2CmapCenter%3A(lat%3A45.88578%2Clon%3A-15.07605%2Czoom%3A2.11)%2CopenTOCDetails%3A!())%2CgridData%3A(h%3A15%2Ci%3A'11'%2Cw%3A24%2Cx%3A0%2Cy%3A39)%2Cid%3A'2c9c1f60-1909-11e9-919b-ffe5949a18d2'%2CpanelIndex%3A'11'%2Ctype%3Amap%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A15%2Ci%3A'12'%2Cw%3A24%2Cx%3A24%2Cy%3A39)%2Cid%3Ab72dd430-bb4d-11e8-9c84-77068524bcab%2CpanelIndex%3A'12'%2Ctype%3Avisualization%2Cversion%3A'7.7.2'))%2Cquery%3A(language%3Akuery%2Cquery%3A'')%2CtimeRestore%3A!t%2Ctitle%3A'%5BeCommerce%5D%20Revenue%20Dashboard'%2CviewMode%3Aview)&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!f%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-7d%2Cto%3Anow))&forceNow=2020-06-05T16%3A36%3A10.421Z
server   log   [16:36:20.041] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] handled 127 page requests
server   log   [16:36:29.999] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] timeRange: May 29, 2020 @ 18:36:21.957 to Jun 5, 2020 @ 18:36:21.957
server   log   [16:36:30.002] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] taking screenshots
server   log   [16:36:31.351] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] screenshots taken: 1
server   log   [16:36:33.024] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Job execution completed successfully
server   log   [16:36:33.160] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Job data saved successfully: /.reporting-2020.05.31/_doc/kb2fkhti15rn9d0062bksb78