I am using the Search Guard community version.
- Elasticsearch version - 6.4.0
- Search Guard version - 23.0
- Installed and used enterprise modules, if any - no

I have created 2 new users, nitu and poonam, with two new roles, niturole and poonamrole. I am able to access these users from the Kibana GUI but not able to access their readonly role. I can see the dashboard only in the admin role, not even in the read modes of the other roles. Also, how do I configure a new role with a specific index, studentdb, where I can see only its index data with the readall role?
I was using the Search Guard demo script for a POC.
This is my Search Guard sg_roles.yml:

```yaml
# Allows everything, but no changes to searchguard configuration index
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - UNLIMITED

#a new role for only reading content
sg_niturole:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'studentdb':
      '*':
        - INDICES_ALL

sg_poonamrole:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - SEARCH

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
```
This is my sg_roles_mapping.yml file:

```yaml
sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  users:
    - '*'

sg_niturole:
  readonly: true
  backendroles:
    - admin

sg_poonamrole:
  readonly: true
  backendroles:
    - readall
    - search
    - data_access
```
This is my sg_internal_users.yml:

```yaml
#password is: admin
admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3

#password is: logstash
logstash:
  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
  roles:
    - logstash

#password is: kibanaserver
kibanaserver:
  readonly: true
  hash: $2y$12$MRkUaL4Q6WPDbr6rgTVZ1.a8Xm.hps8Q0ONc2Yh6FJTQG0TdgVug2

#password is: kibanaro
kibanaro:
  hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
  roles:
    - kibanauser
    - readall

#password is: readall
readall:
  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
  #password is: readall
  roles:
    - readall

#password is: snapshotrestore
snapshotrestore:
  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
  roles:
    - snapshotrestore

#password is: poonam
poonam:
  hash: $2y$12$MRkUaL4Q6WPDbr6rgTVZ1.a8Xm.hps8Q0ONc2Yh6FJTQG0TdgVug2
  roles:
    - poonamrole

#password is: nitu
nitu:
  hash: $2y$12$jaGYV6N7niIpdNyrBMAgh.9.TyIR62jH.masyku3YnsdMoOBzEvI2
  roles:
    - niturole
```