jmb
May 12, 2020, 2:46pm
1
SG 7.1.1-35.0.0
We’ve been finding trouble when generating reports in Kibana, for non-admin users, where a few seconds after requesting the report, an error is thrown like
no permissions for [indices:data/read/scroll/clear] and User ...
This looks similar to the issue Permissions issue when using _search/scroll and clear, where someone was using an explicit scroll. Has a fix been applied to a release of Search Guard? I can’t see it mentioned in the changelogs.
I also noticed when trying this manually that a DELETE _search/scroll/...id...
returns a result which suggests it is clearing more than the requested single scroll context:
{
"succeeded" : true,
"num_freed" : 20
}
This might be related to why it’s a cluster-level permission, but perhaps represents a bug in Elasticsearch.
srgbnd
May 13, 2020, 11:45am
3
jmb
May 14, 2020, 6:05pm
4
Yes, sorry, I hadn’t worded that well. I’m not reporting a new issue; I’d have continued commenting on the other ticket if it hadn’t auto-closed, so I didn’t see the need for full version info.
I used the cluster permission change suggested in the other post, and that fixes this Kibana reporting issue - I wanted to know if that permission has since been added to the demo configuration.
In the course of looking at it, I’m just noting that the DELETE (now successful) reports an unexpected value, and this might have a bearing on why this is a cluster permission instead of an index permission.
srgbnd
May 15, 2020, 11:29am
5
Please give the link to that ticket. I’ll try to reproduce it and let you know.
jmb
May 28, 2020, 4:41pm
6
Sorry, the other “topic” rather than “ticket”: the one in my OP, which you linked to in your previous comment, Permissions issue when using _search/scroll and clear.
I tried to create a report and saw no errors. Tried with 7.7.1-42.0.0 and 7.1.1-37.0.0.
The user:
$ curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/internalusers/trex?pretty
{
"trex" : {
"hash" : "",
"reserved" : false,
"hidden" : false,
"backend_roles" : [
"kibanauser"
],
"attributes" : { },
"search_guard_roles" : [ ],
"static" : false
}
}
The role:
$ curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/roles/read_ecommerce?pretty
{
"read_ecommerce" : {
"reserved" : false,
"hidden" : false,
"description" : "",
"cluster_permissions" : [ ],
"index_permissions" : [
{
"index_patterns" : [
"kibana_sample_data_ecommerce"
],
"fls" : [ ],
"masked_fields" : [ ],
"allowed_actions" : [
"SGS_READ",
"SGS_SEARCH"
]
}
],
"tenant_permissions" : [ ],
"static" : false
}
}
The role mapping:
$ curl -k -u admin:admin -X GET https://localhost:9200/_searchguard/api/rolesmapping/read_ecommerce?pretty
{
"read_ecommerce" : {
"reserved" : false,
"hidden" : false,
"backend_roles" : [ ],
"hosts" : [ ],
"users" : [
"trex"
],
"and_backend_roles" : [ ],
"description" : ""
}
}
The Kibana log:
server log [16:36:11.007] [info][queue-job][reporting] Successfully queued job: kb2fkhti15rn9d0062bksb78
server log [16:36:11.413] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Job marked as claimed: /.reporting-2020.05.31/_doc/kb2fkhti15rn9d0062bksb78
server log [16:36:11.414] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Starting job
server log [16:36:11.450] [info][browser-driver][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] Creating browser page driver
server log [16:36:12.019] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] opening url https://localhost:5601/app/kibana#/dashboard/722b74f0-b882-11e8-a6d9-e546fe2bba5f?_a=(description%3A'Analyze%20mock%20eCommerce%20orders%20and%20revenue'%2Cfilters%3A!()%2CfullScreenMode%3A!f%2Coptions%3A(hidePanelTitles%3A!f%2CuseMargins%3A!t)%2Cpanels%3A!((embeddableConfig%3A(vis%3A(colors%3A('Men!'s%20Accessories'%3A%2382B5D8%2C'Men!'s%20Clothing'%3A%23F9BA8F%2C'Men!'s%20Shoes'%3A%23F29191%2C'Women!'s%20Accessories'%3A%23F4D598%2C'Women!'s%20Clothing'%3A%2370DBED%2C'Women!'s%20Shoes'%3A%23B7DBAB)))%2CgridData%3A(h%3A10%2Ci%3A'1'%2Cw%3A36%2Cx%3A12%2Cy%3A18)%2Cid%3A'37cc8650-b882-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'1'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(vis%3A(colors%3A(FEMALE%3A%236ED0E0%2CMALE%3A%23447EBC)%2ClegendOpen%3A!f))%2CgridData%3A(h%3A11%2Ci%3A'2'%2Cw%3A12%2Cx%3A12%2Cy%3A7)%2Cid%3Aed8436b0-b88b-11e8-a6d9-e546fe2bba5f%2CpanelIndex%3A'2'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A7%2Ci%3A'3'%2Cw%3A18%2Cx%3A0%2Cy%3A0)%2Cid%3A'09ffee60-b88c-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'3'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A7%2Ci%3A'4'%2Cw%3A30%2Cx%3A18%2Cy%3A0)%2Cid%3A'1c389590-b88d-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'4'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A11%2Ci%3A'5'%2Cw%3A48%2Cx%3A0%2Cy%3A28)%2Cid%3A'45e07720-b890-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'5'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A10%2Ci%3A'6'%2Cw%3A12%2Cx%3A0%2Cy%3A18)%2Cid%3A'10f1a240-b891-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'6'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A11%2Ci%3A'7'%2Cw%3A12%2Cx%3A0%2Cy%3A7)%2Cid%3Ab80e6540-b891-11e8-a6d9-e546fe2bba5f%2CpanelIndex%3A'7'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(vis%3A(colors%3A('0%20-%2050'%3A%23E24D42%2C'50%20-%2075'%3A%23EAB839%2C'75%20-%20100'%3A%237EB26D)%2CdefaultColors%3A('0%20-%2050'%3A'rgb(165%2C0%2C38)'%2C'50%20-%2075'%3A'rgb(255%2C255%2C190)'%2C'75%20-%20100'%3A'rgb(0%2C104%2C55)')%2ClegendOpen%3A!f))%2CgridData%3A(h%3A11%2Ci%3A'8'%2Cw%3A12%2Cx%3A24%2Cy%3A7)%2Cid%3A'4b3ec120-b892-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'8'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(vis%3A(colors%3A('0%20-%202'%3A%23E24D42%2C'2%20-%203'%3A%23F2C96D%2C'3%20-%204'%3A%239AC48A)%2CdefaultColors%3A('0%20-%202'%3A'rgb(165%2C0%2C38)'%2C'2%20-%203'%3A'rgb(255%2C255%2C190)'%2C'3%20-%204'%3A'rgb(0%2C104%2C55)')%2ClegendOpen%3A!f))%2CgridData%3A(h%3A11%2Ci%3A'9'%2Cw%3A12%2Cx%3A36%2Cy%3A7)%2Cid%3A'9ca7aa90-b892-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'9'%2Ctype%3Avisualization%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A18%2Ci%3A'10'%2Cw%3A48%2Cx%3A0%2Cy%3A54)%2Cid%3A'3ba638e0-b894-11e8-a6d9-e546fe2bba5f'%2CpanelIndex%3A'10'%2Ctype%3Asearch%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A(hiddenLayers%3A!()%2CisLayerTOCOpen%3A!f%2CmapCenter%3A(lat%3A45.88578%2Clon%3A-15.07605%2Czoom%3A2.11)%2CopenTOCDetails%3A!())%2CgridData%3A(h%3A15%2Ci%3A'11'%2Cw%3A24%2Cx%3A0%2Cy%3A39)%2Cid%3A'2c9c1f60-1909-11e9-919b-ffe5949a18d2'%2CpanelIndex%3A'11'%2Ctype%3Amap%2Cversion%3A'7.7.2')%2C(embeddableConfig%3A()%2CgridData%3A(h%3A15%2Ci%3A'12'%2Cw%3A24%2Cx%3A24%2Cy%3A39)%2Cid%3Ab72dd430-bb4d-11e8-9c84-77068524bcab%2CpanelIndex%3A'12'%2Ctype%3Avisualization%2Cversion%3A'7.7.2'))%2Cquery%3A(language%3Akuery%2Cquery%3A'')%2CtimeRestore%3A!t%2Ctitle%3A'%5BeCommerce%5D%20Revenue%20Dashboard'%2CviewMode%3Aview)&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!f%2Cvalue%3A900000)%2Ctime%3A(from%3Anow-7d%2Cto%3Anow))&forceNow=2020-06-05T16%3A36%3A10.421Z
server log [16:36:20.041] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] handled 127 page requests
server log [16:36:29.999] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] timeRange: May 29, 2020 @ 18:36:21.957 to Jun 5, 2020 @ 18:36:21.957
server log [16:36:30.002] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] taking screenshots
server log [16:36:31.351] [info][execute][kb2fkhti15rn9d0062bksb78][printable_pdf][reporting] screenshots taken: 1
server log [16:36:33.024] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Job execution completed successfully
server log [16:36:33.160] [info][esqueue][queue-worker][reporting] kb2fhxn215rn9d00623xsd87 - Job data saved successfully: /.reporting-2020.05.31/_doc/kb2fkhti15rn9d0062bksb78
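The fix jmb describes in post 4 is to grant the action named in the error as a cluster permission, and the role srgbnd posts above has an empty cluster_permissions list. The Python below is an added worked example (not code from the thread, from Search Guard or from Kibana) that takes that GET response, produces the body to PUT back to _searchguard/api/roles/read_ecommerce with `indices:data/read/scroll/clear` added, extracts the action and user from a `no permissions for ...` message, and interprets the `num_freed` value jmb found surprising. Assumptions: the permission to add is taken literally from the action in the error text; the PUT body is the role document without the read-only `reserved`, `hidden` and `static` keys the GET response carries; the sample error line is constructed to follow the shape of the truncated message in the first post. `num_freed` counts shard-level search contexts released, so one scroll id over a search spanning 20 shards frees 20 contexts without any other scroll being touched.

```python
"""Helpers for the scroll/clear permission issue discussed in this thread.

Assumptions (not from the thread):
  - the cluster permission to grant is the action from the error text,
    'indices:data/read/scroll/clear';
  - the roles API accepts the role document minus the read-only keys
    (reserved, hidden, static) that the GET response includes;
  - the sample denial message below is constructed to match the shape of
    the truncated message quoted in the first post.
"""
import copy
import json
import re

SCROLL_CLEAR_ACTION = "indices:data/read/scroll/clear"
READ_ONLY_KEYS = ("reserved", "hidden", "static")

# Role as returned by GET _searchguard/api/roles/read_ecommerce in the thread.
READ_ECOMMERCE_GET = {
    "read_ecommerce": {
        "reserved": False,
        "hidden": False,
        "description": "",
        "cluster_permissions": [],
        "index_permissions": [{
            "index_patterns": ["kibana_sample_data_ecommerce"],
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["SGS_READ", "SGS_SEARCH"],
        }],
        "tenant_permissions": [],
        "static": False,
    }
}

# Constructed sample; the thread shows this message truncated after "User".
SAMPLE_DENIAL = ("no permissions for [indices:data/read/scroll/clear] and "
                 "User [name=trex, backend_roles=[kibanauser], requestedTenant=null]")

DENIAL_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,\]]+)")


def missing_cluster_actions(role, required):
    """Return the actions in `required` that `role` does not list verbatim
    under cluster_permissions (action-group expansion is not attempted)."""
    granted = set(role.get("cluster_permissions", []))
    return [a for a in required if a not in granted]


def put_body_with_scroll_clear(get_response, role_name):
    """Build the body for PUT _searchguard/api/roles/<role_name>: the same
    role with the scroll/clear action appended to cluster_permissions and
    the read-only keys dropped. Idempotent: the action is not duplicated."""
    role = copy.deepcopy(get_response[role_name])
    for key in READ_ONLY_KEYS:
        role.pop(key, None)
    perms = list(role.get("cluster_permissions", []))
    if SCROLL_CLEAR_ACTION not in perms:
        perms.append(SCROLL_CLEAR_ACTION)
    role["cluster_permissions"] = perms
    return role


def parse_permission_denial(message):
    """Return (action, user) from a Search Guard 'no permissions for' message,
    or None when the message is not a permission denial."""
    m = DENIAL_RE.search(message)
    if m is None:
        return None
    return m.group("action"), m.group("user")


def contexts_per_scroll_id(clear_scroll_response, scroll_ids_requested):
    """num_freed counts per-shard search contexts, not scroll ids. Returns the
    number of shard contexts freed per requested id, so 20 for one id over a
    20-shard search is expected rather than a sign that other scrolls were
    cleared."""
    if not clear_scroll_response.get("succeeded"):
        raise RuntimeError("clear scroll failed: %r" % (clear_scroll_response,))
    if scroll_ids_requested < 1:
        raise ValueError("at least one scroll id must have been requested")
    return clear_scroll_response["num_freed"] / scroll_ids_requested


if __name__ == "__main__":
    body = put_body_with_scroll_clear(READ_ECOMMERCE_GET, "read_ecommerce")
    # Pipe this into:
    # curl -k -u admin:admin -X PUT -H 'Content-Type: application/json' \
    #   https://localhost:9200/_searchguard/api/roles/read_ecommerce -d @-
    print(json.dumps(body, indent=2))
    print(parse_permission_denial(SAMPLE_DENIAL))
    print(contexts_per_scroll_id({"succeeded": True, "num_freed": 20}, 1))
```

`missing_cluster_actions` only checks for the literal action string, so a role that already covers it through an action group will still be reported as missing; check the group's expansion in the Search Guard documentation before adding a second grant.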