Help with role mapping

  • Search Guard and Elasticsearch version: 6.1.1

I’m trying to access indices via Kibana via a proxy with SSO. I’m trying to use a passed-in header to limit access to specific indices by name. When I look at the logs it appears the user has no access to any indices. What am I doing wrong? In this example the user should have access to any indices starting with ‘filebeat-ic43’.

Files uploaded. Action Groups have been left as default.

sg_role_mapping-2.yml (526 Bytes)

sg_roles-2.yml (3.48 KB)

elasticsearch-2.logs (5.71 KB)

Can you please also post your elasticsearch.yml and the kibana.yml?


Ah, sorry, I think I got it. When debugging permission problems, it’s always useful to have a look at the ES logs when the problem occurs. In your case, these log entries here tell the story:

[2018-02-02T11:46:31,320][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=60762, roles=[ic00], requestedTenant=null] [IndexType [index=.kibana, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [sg_own_index, sg_read_ic00, sg_read_ic43]]
[2018-02-02T11:46:31,320][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=.kibana, type=*]], sg_read_ic00=[IndexType [index=.kibana, type=*]], sg_read_ic43=[IndexType [index=.kibana, type=*]]}
[2018-02-02T11:46:31,326][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for [indices:data/read/search]

The log message says that the user 60762:

for User [name=60762, roles=[ic00], requestedTenant=null]

lacks permission on index-level (as opposed to cluster-level):

No index-level perm match

for the index “.kibana”:

[IndexType [index=.kibana, type=*]]

And the permission that is missing is:

[Action [[indices:data/read/search]]]

The user has the following Search Guard roles:

[RolesChecked [sg_own_index, sg_read_ic00, sg_read_ic43]]

So the problem here is not the ‘filebeat-ic43*’ index, but the Kibana index. So this also tells me that you tried to access the index via Kibana, correct?

The solution is quite easy. Every user that accesses ES via Kibana should be assigned to the role sg_kibana_user in addition to other roles. The sg_kibana_user role defines the minimum permissions for Kibana usage. So, just map the user 60762 to the sg_kibana_user role in addition, then this error should go away.
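The log reading walked through in the reply above, as an added example that is not part of the original thread: a small Python parser that pulls the user, index, action and checked roles out of the PrivilegesEvaluator denial line and applies the same reasoning. The regular expression assumes the line format quoted in this thread (Search Guard 6.1.1), and the function names are hypothetical.

```python
import re

# Log lines as quoted in the thread (Search Guard 6.1.1 format).
SAMPLE_LOG = """\
[2018-02-02T11:46:31,320][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=60762, roles=[ic00], requestedTenant=null] [IndexType [index=.kibana, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [sg_own_index, sg_read_ic00, sg_read_ic43]]
[2018-02-02T11:46:31,326][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for [indices:data/read/search]
"""

# One named group per field of the "No index-level perm match" message.
DENIAL = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+), "
    r"roles=\[(?P<backend_roles>[^\]]*)\], requestedTenant=(?P<tenant>[^\]]*)\] "
    r"\[IndexType \[index=(?P<index>[^,\]]+), type=(?P<type>[^\]]*)\]\] "
    r"\[Action \[\[(?P<action>[^\]]+)\]\]\] "
    r"\[RolesChecked \[(?P<sg_roles>[^\]]*)\]\]"
)


def _items(csv):
    """Split a comma-separated bracket body into a clean list."""
    return [s.strip() for s in csv.split(",") if s.strip()]


def parse_denials(log_text):
    """Return one dict per index-level denial found in the log text."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            d = m.groupdict()
            d["backend_roles"] = _items(d["backend_roles"])
            d["sg_roles"] = _items(d["sg_roles"])
            denials.append(d)
    return denials


def diagnose(d, kibana_index=".kibana", kibana_role="sg_kibana_user"):
    """Apply the reply's reasoning to one parsed denial."""
    if d["index"] == kibana_index and kibana_role not in d["sg_roles"]:
        return (f"user {d['user']}: denied {d['action']} on {d['index']}; "
                f"not mapped to {kibana_role}")
    return (f"user {d['user']}: denied {d['action']} on {d['index']}; "
            f"none of {d['sg_roles']} grants it")


if __name__ == "__main__":
    for denial in parse_denials(SAMPLE_LOG):
        print(diagnose(denial))
```
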


That worked perfectly. Thank you.
