Help with exclude_index_permissions

Elasticsearch version: 7.10.1

Kibana version (if relevant): 7.10.1

Describe the issue:
I am trying to use the “Index Exclusions” feature from Searchguard to block access to a specific set of indices in my cluster. However, none of the variations that I have tried seem to work. Would appreciate any guidance on this.

Steps to reproduce:

  1. From the Searchguard UI, go to Roles and add Index Exclusions. Under that add a new one with following setting:
    Index Pattern: security-other*
    Action Groups: ALL, SGS_INDICES_ALL, UNLIMITED

  2. Save and then try to access security-other* index pattern from the Kibana Discover page

Expected behavior:
The index "security-other*" should not be accessible via the Discover page in Kibana.

Relevant Config Files:
sg_roles.yml:

test:
  reserved: false
  hidden: false
  description: "Migrated from v6 (all types mapped)"
  cluster_permissions:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "SGS_CLUSTER_COMPOSITE_OPS_RO"
  - "indices:data/read/async_search/submit"
  - "indices:data/read/scroll*"
  index_permissions:
  - index_patterns:
    - "*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices:data/read/async_search/submit"
    - "indices:data/read/explain"
    - "indices:data/read/field_caps"
    - "indices:data/read/field_caps*"
    - "indices:data/read/get"
    - "indices:data/read/mget"
    - "indices:data/read/mget*"
    - "indices:data/read/msearch"
    - "indices:data/read/msearch/template"
    - "indices:data/read/mtv"
    - "indices:data/read/mtv*"
    - "indices:data/read/scroll"
    - "indices:data/read/scroll/clear"
    - "indices:data/read/search"
    - "indices:data/read/search*"
    - "indices:data/read/search/template"
    - "indices:data/read/tv"
    - "indices:data/write/bulk"
    - "indices:data/write/bulk*"
    - "indices:data/write/index"
  tenant_permissions:
  - tenant_patterns:
    - "Test"
    allowed_actions:
    - "SGS_KIBANA_ALL_READ"
    - "SGS_KIBANA_ALL_WRITE"
  exclude_cluster_permissions: []
  exclude_index_permissions:
  - index_patterns:
    - "security-other*"
    actions:
    - "ALL"
    - "SGS_INDICES_ALL"
    - "UNLIMITED"
  static: false

sg_roles_mappings.yml:

test:
  reserved: false
  hidden: false
  backend_roles:
  - "TestSAMLRole"
  hosts: []
  users:
  - "admin"
  and_backend_roles: []

@mchakradeo
I’m not able to reproduce this issue; the user mapped to this role is not able to view data via the Discover tab or search via dev tools. Can you verify that the user in question is indeed mapped to this role by using the “Account” option in the UI or by running the query below from dev tools:

GET /_searchguard/authinfo

Can you also verify that the latest config files have been loaded into the SG index via the sgadmin tool? A reliable way to check would be to retrieve the configs from the index using the --retrieve option of the sgadmin script.

Thanks for your response!

Yeah, I double-checked that the user is assigned to the right role and also that the configuration is indeed what is showing in the UI by using sgadmin tool.

One question I had was, does the index exclude_index_permission apply after the index_permissions? What I am thinking is, maybe the "*" access in the index_permissions is conflicting with the exclude_index_permission?
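As an added illustration of the question above (not code from Search Guard or from anyone in this thread), the toy evaluator below models a role in which exclude_index_permissions is checked after index_permissions and overrides it, so a "*" grant cannot re-open an excluded index. The action-group table and the precedence rule are assumptions of this model, and the role is a trimmed copy of the sg_roles.yml posted earlier.

```python
"""Toy evaluator for Search Guard-style role permissions with index exclusions.

Assumed semantics (a model, not the product's code): an action on an index is
allowed if some index_permissions entry matches both index and action, unless
an exclude_index_permissions entry also matches, in which case the exclusion
wins no matter how broad the grant was.
"""
from fnmatch import fnmatchcase

# Constructed action-group table; the real product resolves groups from sg_action_groups.yml.
ACTION_GROUPS = {
    "ALL": ["indices:*"],
    "SGS_INDICES_ALL": ["indices:*"],
    "UNLIMITED": ["*"],
}

# Trimmed copy of the 'test' role from this thread, as a Python dict.
TEST_ROLE = {
    "index_permissions": [
        {"index_patterns": ["*"],
         "allowed_actions": ["indices:data/read/search", "indices:data/read/search*",
                             "indices:data/read/get", "indices:data/write/index"]},
    ],
    "exclude_index_permissions": [
        {"index_patterns": ["security-other*"],
         "actions": ["ALL", "SGS_INDICES_ALL", "UNLIMITED"]},
    ],
}

def expand_actions(actions):
    """Replace action-group names with their member patterns; plain actions pass through."""
    out = []
    for a in actions:
        out.extend(ACTION_GROUPS.get(a, [a]))
    return out

def _matches(entries, index_key, action_key, index, action):
    """True if any entry matches both the index name and the action (glob patterns)."""
    return any(
        any(fnmatchcase(index, p) for p in e[index_key])
        and any(fnmatchcase(action, a) for a in expand_actions(e[action_key]))
        for e in entries
    )

def is_allowed(role, index, action):
    """Grant must match and no exclusion may match: the exclusion takes precedence."""
    granted = _matches(role.get("index_permissions", []), "index_patterns", "allowed_actions", index, action)
    excluded = _matches(role.get("exclude_index_permissions", []), "index_patterns", "actions", index, action)
    return granted and not excluded

if __name__ == "__main__":
    for idx in ("logs-2021", "security-other-01"):
        print(idx, is_allowed(TEST_ROLE, idx, "indices:data/read/search"))
```

Under these assumed semantics a search on security-other-01 is denied even though index_permissions grants "*", which is the behaviour the role was written to get.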

@mchakradeo Can you DM me the configuration files to try and reproduce the issue:

elasticsearch.yml
kibana.yml
sg_roles
sg_roles_mapping
(Redact any sensitive information)
