Index Alias - Allows too much or not enough permission

Hello,

When using Elasticsearch / Kibana v.6.32 (Searchguard 23.0)

I have a number of Indexes like:

• firewall-*

• syslog-*

• logstash-*

• docker-*

I also have a number of group/roles that can see mix of 1,2,3 or all indexes, that config is working fine.

What I want is to create an index alias called ‘last_7_days’ that contains all of the above indexes, but depending what roles you are in you only see search results from those indexes to which you have permissions to search.

I would like to do it like this so I can assign ‘last_7_days’ as the default Kibana index that way people don’t get errors when they login etc.

The problem so far is, if no searchGuard permissions being defined for the alias, users can not access the ‘last_7_days’ alias (Discover: no permissions for [indices:data/read/search])

As soon as I grant any permissions to the alias like:

'last_7_days':
  '*':
    - READ

``

Then the users can now read indexes that they don’t have permission to read.

1). I thought SearchGuard would resolve the underlying index and check the permissions based on the underlying index?

2). How can I create an alias that includes all indexes, but only allows people to read the results, they are suppose to have access too?

Thanks

Cam

Hi,

yes and no So let’s assume you have defined the ‘last_7_days’ to include all of the four indices you mentioned. If you access this alias it would expand to the four indices, and we will check index permissions for each. The tricky part is how Search Guard should handle partial permissions. Assume your user has only access to 2 of the 4 indices, should the call fail completely or not?

The default behavior of Search Guard is to return a result only if the user has all permissions to all indices in the request. If the user lacks permissions for one or more of these indices, the request would be disallowed. However, if you want SG to return only data from allowed indices, and discard others, you can do so by setting the do_not_fail_on_forbidden flag to true:

searchguard:
dynamic:
kibana:
do_not_fail_on_forbidden**: true**

``

Yes, it’s probably not the most intuitive name we could come up with It’s listed in the Kibana section of the config because this is the most prominent use case: Kibana issues a lot of wildcard queries, so for any Kibana related use case it should be set to true. The reason why the default value is false is that when using aggregations this can lead to false results (because of some indices might be skipped) without the user noticing it.

Regarding the general approach: Using filtered index aliases to achieve this is not really recommended. The proper way of implementing this would be to add a document level security query that limits the results to the last 7 days.

Thanks for the reply,

I have tried toggling:

kibana:
  do_not_fail_on_forbidden: true

``

It seems that alone is not enough for a user to search the IndexAlias by itself, as it still errors with: "``Discover: no permissions for [indices:data/read/search]"

The closest I have come to success is defining the following:

sg_kibana_user:
readonly: true
cluster:
- MONITOR
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘?kibana’:
‘':
- MANAGE
- INDEX
- READ
- DELETE
‘last_7_days’:
'’:
- “indices:data/read/search”

``

With the above defined, I could not search in Kibana the indexes I did not have access to, by defining those indexes in the index-drop-down menu BUT if searched the alias 'last_7_days' for data that existed in indexes to which my user did not have permission, it still returned the data, it was not supposed to get.

Is there a particular capability that I need to define for indexes and do_not_fail_on_forbidden to work?

Thanks

Cam

``

Ok, this is weird since we have a lot of tests with aliases, so your setup/use case is supposed to work. There has been an issue that was fixed with 23.1, so can you please try to update to this version and see if the issue still persists? There is nothing more to do to enable the do_not_fail_on_forbidden feature. Just set it to true and apply with sgadmin.

Hello,

I updated to 23.1 as requested and index aliases are working as expected!

Thanks very much.