I am not able to create roles with new user and how to add new role with single index based


I am using Search Guard community version.

  • Elasticsearch version - 6.4.0
  • Search Guard version - 23.0
  • Installed and used enterprise modules, if any - no

I have created 2 new users, nitu and poonam, with two new roles, niturole and poonamrole. I am able to access these users from the Kibana GUI but am not able to access their readonly role. I can see the dashboard only in the admin role, not even in the read modes of the other roles. Also, how do I configure a new role for a specific index, studentdb, where I can see only its index data with the readall role?

I was using the Search Guard demo script for a POC.

This is my Search Guard sg_roles.yml:

```yaml
# Allows everything, but no changes to searchguard configuration index
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - UNLIMITED

#a new role for only reading content
sg_niturole:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'studentdb':
      '*':
        - INDICES_ALL

sg_poonamrole:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - SEARCH

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
```

This is my sg_roles_mapping.yml file:

```yaml
sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  users:
    - '*'

sg_niturole:
  readonly: true
  backendroles:
    - admin

sg_poonamrole:
  readonly: true
  backendroles:
    - readall
    - search
    - data_access
```

This is my sg_internal_users.yml:

```yaml
#password is: admin
admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3

#password is: logstash
logstash:
  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
  roles:
    - logstash

#password is: kibanaserver
kibanaserver:
  readonly: true
  hash: $2y$12$MRkUaL4Q6WPDbr6rgTVZ1.a8Xm.hps8Q0ONc2Yh6FJTQG0TdgVug2

#password is: kibanaro
kibanaro:
  hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
  roles:
    - kibanauser
    - readall

#password is: readall
readall:
  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
  #password is: readall
  roles:
    - readall

#password is: snapshotrestore
snapshotrestore:
  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
  roles:
    - snapshotrestore

# password is :poonam
poonam:
  hash: $2y$12$MRkUaL4Q6WPDbr6rgTVZ1.a8Xm.hps8Q0ONc2Yh6FJTQG0TdgVug2
  roles:
    - poonamrole

# password is :nitu
nitu:
  hash: $2y$12$jaGYV6N7niIpdNyrBMAgh.9.TyIR62jH.masyku3YnsdMoOBzEvI2
  roles:
    - niturole
```

Your role mapping does not seem correct, you are not mapping the backend roles of your users to the respective SG roles.

With this definition here:

```yaml
# password is :poonam
poonam:
  hash: $2y$12$MRkUaL4Q6WPDbr6rgTVZ1.a8Xm.hps8Q0ONc2Yh6FJTQG0TdgVug2
  roles:
    - poonamrole

# password is :nitu
nitu:
  hash: $2y$12$jaGYV6N7niIpdNyrBMAgh.9.TyIR62jH.masyku3YnsdMoOBzEvI2
  roles:
    - niturole
```

You are assigning niturole and poonamrole to your users. You need to use these in the roles mapping:

```yaml
sg_niturole:
  readonly: true
  backendroles:
    - niturole

sg_poonamrole:
  readonly: true
  backendroles:
    - poonamrole
```

If you do not require any sophisticated role mapping, you can also set the mapping mode to BACKENDROLES_ONLY:

Then you don’t need a roles mapping, and you can use the roles you define in sg_internal_users.yml directly, like:

internal users:

```yaml
# password is :poonam
poonam:
  hash: $2y$12$MRkUaL4Q6WPDbr6rgTVZ1.a8Xm.hps8Q0ONc2Yh6FJTQG0TdgVug2
  roles:
    - poonamrole

# password is :nitu
nitu:
  hash: $2y$12$jaGYV6N7niIpdNyrBMAgh.9.TyIR62jH.masyku3YnsdMoOBzEvI2
  roles:
    - niturole
```

sg_roles.yml:

```yaml
niturole:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'studentdb':
      '*':
        - INDICES_ALL

poonamrole:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - SEARCH
```
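A small checker for the mismatch described in the answer above, as an added example that is not part of the original thread and is not Search Guard's own code. It models only the `users` and `backendroles` keys of the roles mapping with simplified wildcard matching; the function names are hypothetical and the data is constructed from the files posted in the question.

```python
from fnmatch import fnmatchcase

# Backend roles per user, constructed from the thread's sg_internal_users.yml.
USERS = {"admin": ["admin"], "poonam": ["poonamrole"], "nitu": ["niturole"]}

# Relevant entries of sg_roles_mapping.yml as posted in the question.
MAPPING_AS_POSTED = {
    "sg_all_access": {"backendroles": ["admin"]},
    "sg_readall": {"backendroles": ["readall"]},
    "sg_own_index": {"users": ["*"]},
    "sg_niturole": {"backendroles": ["admin"]},
    "sg_poonamrole": {"backendroles": ["readall", "search", "data_access"]},
}

# Same mapping with the two entries changed as the answer suggests.
MAPPING_CORRECTED = {
    **MAPPING_AS_POSTED,
    "sg_niturole": {"backendroles": ["niturole"]},
    "sg_poonamrole": {"backendroles": ["poonamrole"]},
}


def matches(value, patterns):
    """True if value matches any pattern ('*' and '?' wildcards, simplified)."""
    return any(fnmatchcase(value, p) for p in patterns)


def resolve(user, backend_roles, mapping):
    """SG roles a user ends up with when roles are assigned via the mapping."""
    granted = set()
    for sg_role, rule in mapping.items():
        by_user = matches(user, rule.get("users", []))
        by_role = any(matches(b, rule.get("backendroles", [])) for b in backend_roles)
        if by_user or by_role:
            granted.add(sg_role)
    return sorted(granted)


def unmapped_backend_roles(users, mapping):
    """Per user, the backend roles that no mapping entry refers to."""
    patterns = [p for rule in mapping.values() for p in rule.get("backendroles", [])]
    gaps = {u: [b for b in roles if not matches(b, patterns)] for u, roles in users.items()}
    return {u: missing for u, missing in gaps.items() if missing}


if __name__ == "__main__":
    for label, mapping in (("as posted", MAPPING_AS_POSTED), ("corrected", MAPPING_CORRECTED)):
        for user, roles in USERS.items():
            print(label, user, resolve(user, roles, mapping))
        print(label, "unmapped:", unmapped_backend_roles(USERS, mapping))
```

With the mapping as posted, nitu and poonam resolve only to `sg_own_index`, while the `admin` backend role also picks up `sg_niturole`.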

On Monday, September 3, 2018 at 7:43:35 AM UTC-4, Poonam wrote:
