I have an ELK stack deployed using Docker Swarm, and when I query data I couldn't retrieve all of it. I have multi-tenant Kibana indices, such as an Admin tenant that can view all the data and individual tenants where team/ins data are available using the DLS function.
My issue is that I couldn't view some group of data in Discover, Dev Tools, or an Elasticsearch curl query, but I could see the data in the individual tenant. Data groups with fewer documents in the indices are not visible. Is there something in the ES settings that I can update to retrieve all the documents?
@sirHusky, Thanks for your reply,
I have provided all the configurations that I used to enable multi-tenancy; I never saw this issue before with SG 6.
The documents under GROUP are fewer and couldn't be accessed using curl or from the admin tenant (Kibana), whereas the data is visible in Kibana under the GROUP tenancy.
In your previous reply you used a curl request to search the index and got zero results. Can you run the same query using a user that produces results and paste the first part of the response?
Can you also confirm if you are using aliases?
Can you also run GET _cat/indices/index_name?v and post the results here?
It is important to note that a curl request has nothing to do with tenants if you are querying normal indices. Meaning, unless you are querying Kibana tenant indices (.kibana_…), the results are only filtered using index permissions granted via roles. Tenants are only used to segregate Kibana objects (index patterns, dashboards etc.) into different 'tenants' in Kibana, not the actual data stored in indices.
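To make the distinction in the reply above concrete, here is an added example of what a role definition that separates the two mechanisms looks like. It is not the configuration from this thread and not Search Guard's own sample file; it assumes the Search Guard 7 roles file format (sg_roles.yml, config_version 2), an index pattern of index_name-*, a keyword field named group that holds the group value, and the role names ADMIN_ROLE and GROUP_ROLE used in the thread. The DLS query lives in index_permissions and is what filters search hits, while tenant_permissions only controls which saved objects a user sees in Kibana; an admin role without a dls entry gets every document regardless of which tenant it is working in.

```yaml
# Added example (assumed Search Guard 7 format), not the poster's configuration.
_sg_meta:
  type: "roles"
  config_version: 2

# Admin: no dls on the index, so curl and Kibana return every document.
ADMIN_ROLE:
  cluster_permissions:
    - "SGS_CLUSTER_COMPOSITE_OPS_RO"
  index_permissions:
    - index_patterns:
        - "index_name-*"          # assumed pattern
      allowed_actions:
        - "SGS_READ"
  tenant_permissions:
    - tenant_patterns:
        - "*"                     # may see every Kibana tenant's objects
      allowed_actions:
        - "SGS_KIBANA_ALL_READ"

# Group user: same index, but every search is AND-ed with the dls query.
# The dls filter is applied by the plugin at search time, independent of
# the tenant, so it must match the field exactly: a term filter needs a
# keyword field ("group" assumed to be keyword here), not an analysed text field.
GROUP_ROLE:
  cluster_permissions:
    - "SGS_CLUSTER_COMPOSITE_OPS_RO"
  index_permissions:
    - index_patterns:
        - "index_name-*"
      dls: '{"term": {"group": "group_value"}}'   # assumed field and value
      allowed_actions:
        - "SGS_READ"
  tenant_permissions:
    - tenant_patterns:
        - "GROUP"                 # only the GROUP tenant's saved objects
      allowed_actions:
        - "SGS_KIBANA_ALL_WRITE"
```

With this layout, a curl search as a user mapped to GROUP_ROLE returns only documents whose group field equals group_value, and the same search as a user mapped to ADMIN_ROLE returns all of them; neither result depends on the Kibana tenant selected, which is why a difference between the admin curl result and the GROUP tenant view points at the index data or the role/DLS definitions rather than at tenancy.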
Can you also run GET _cat/indices/index_name?v and post the results here?
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open index_name-1.0.0-2019.04 4iHYw*****K-fY1Yv3zw 2 1 4367711 0 6.7gb 3.3gb
@yasvanth
Is the ‘group_value’ static in the above curl requests or is it changing based on user?
Also, if you run the curl request using admin_user which is mapped to ADMIN_ROLE, but without the query, do you get the full results?
Users mapped to GROUP_ROLE (running same curl) should have less results as there is a DLS enabled.
@sirHusky,
The group_value is different for each role, whereas admin doesn't have any DLS filter and can get all the documents from the indices. Using the admin user I get most of the group data.
Also, if you run the curl request using admin_user which is mapped to ADMIN_ROLE, but without the query, do you get the full results?
When I run the curl query as admin_user I get the results, but not for a certain group which has fewer documents.
Users mapped to GROUP_ROLE (running same curl) should have less results as there is a DLS enabled.
Yes, the admin user should be able to query all group data, or even a certain group if queried, but the admin couldn't get the data of the group with less data.
@yasvanth
Could you extract 1 document which has the group_value that the admin user is not picking up using group_role user and DM me the result? (You can obfuscate the values, but keep the format)
Also, are there any errors in elasticsearch logs during execution of the failing curl query?