Kibana dashboard_only_user login error

Elastic/Kibana
7.10.2
search-guard-7
Version: 7.10.2-52.3.0

Steps to reproduce:

I followed your steps to configure Kibana dashboard-only user support for kibana_dashboard_only_user, but I am not able to log in. I am getting “No application was found at this URL. Try going back or choosing an app from the menu.”

No matter what I set as defaultRoute I am being forwarded to “https://kibana.com/basePath/app/kibana#/dashboards” and getting an “Application Not Found” error. If I rewrite the URL to “https://kibana.com/basePath/app/dashboards#” I land in the dashboard space of the “kiosek” tenant and everything works as expected. It looks like the only user impacted by this is the dashboard-only user, “do” in this case.

My setup:

sg_roles.yml

read_only:
  cluster_permissions:
  - "CLUSTER_COMPOSITE_OPS_RO"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "SGS_READ"
    fls:
    masked_fields: []
  tenant_permissions:
  - tenant_patterns:
    - "kiosek"
    allowed_actions:
    - "SGS_KIBANA_ALL_READ"

sg_internal_user.yml

do:
  hash: "$2y$12$v/dJK3of2GF/VTyqy8RIT.Ib/Uj8Ne6zdpT5F27JdRG4AHj7sSck."
  reserved: false
  description: "Kibana dashboard only user"
  search_guard_roles:
  - "SGS_KIBANA_USER"
  - "read_only"

kibana.yml

searchguard.readonly_mode.roles: ["read_only"]

defaultRoute in kibana advanced settings I’ve tried:

  • /app/home
  • /app/dashboards
  • /app/dashboards#

kibana.yml I’ve tried with and without the defaultAppId setting:

kibana.defaultAppId: dashboards

@peter82
I don’t fully follow the issue.

The permissions that were defined are only for 1 tenant (kiosek). Therefore only users that have access to this tenant will be able to see the dashboards.

DefaultRoute can be left at default of /app/home.

When the user logs in, he/she would need to select the relevant tenant and then click on dashboards and any dashboards in that tenant should be visible. If the user has no read access to the tenant the “Application Not Found” label will be visible.

Is this not the behaviour you are seeing? If not, can you share the full kibana.yml and is there a reason for using base_path?

Yes, that’s what I am seeing, but I don’t want this user to choose the tenant; instead I want the “do” user to be automatically directed to tenant “kiosek”, because he has permissions to see only this tenant. I posted the setup for the user, can you see the issue?

I am using basePath because that’s how we access kibana via apache reverse proxy.

Thx, Peter.

@peter82
You will need to set up the preferred tenant using the line below in kibana.yml

searchguard.multitenancy.tenants.preferred: ["kiosek", "global_tenant"]

Further documentation is available here

Hmm, but I have already tried that, and with a different tenant order as well… OK, here is the SG part of my kibana.yml:

#####################SSOSG############################################
searchguard.auth.type: "basicauth"
#searchguard.auth.type: "saml"
searchguard.cookie.isSameSite: None
searchguard.cookie.secure: true
searchguard.cookie.name: "cookie_env_app" # unique name
searchguard.cookie.password: "xxx"

searchguard.session.keepalive: true


server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]
elasticsearch.requestHeadersWhitelist: ["sgtenant", "authorization", "Authorization", "X-Forwarded-For", "x-proxy-user", "x-proxy-roles", "urltoken", "jwtheader"]

searchguard.auth.debug: true

# prevent system users from logging to kibana
searchguard.basicauth.forbidden_usernames: ["kibanaserver"]

# enable multitenancy
searchguard.multitenancy.enabled: true

#disable private tenant
searchguard.multitenancy.tenants.enable_private: false

#disable global tenant
searchguard.multitenancy.tenants.enable_global: false

# tenants
searchguard.multitenancy.tenants.preferred: [ "tenant1","tenant2", "kiosek" ]

#  readonly roles
searchguard.readonly_mode.roles: ["read_only"]

sg_tenants.yml

tenant1:
  reserved: false
  description: "Tenant for application user"

tenant2:
  reserved: false
  description: "Tenant for application user"

kiosek:
  reserved: false
  description: "kiosek tenant"

OK, the 403 error is not related to the issue; every user was getting it during logon.

"res":{"statusCode":403,"responseTime":30,"contentLength":9},"message":"POST api/v1/searchguard_authtokens/authtoken/_search 403 30ms - 9.0B"}

I updated cluster_permissions for the role, nonetheless original login issue remains.

read_only:
  cluster_permissions:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "cluster:admin:searchguard:authtoken/_own/search"  # Could you explain what it is for?

"res":{"statusCode":200,"responseTime":21,"contentLength":9},"message":"POST /api/v1/searchguard_authtokens/authtoken/_search 200 21ms - 9.0B"}

@peter82
Does the “do” user have access to “tenant1” or “tenant2”, and when you log in as the “do” user, what tenant is selected under the “multitenancy” tab?

No, the “do” user does not have access to “tenant1” or “tenant2”, but it makes no difference if it has. I’ve tried to make the “do” user with unlimited cluster + index access + all tenants and it’s still the same. The user is stuck at the “Application not found” banner after login, so it can’t select anything.

But my scenario is that I don’t want this user to have access to other tenants and dashboards. Why, when I literally just change the URL path:

from https://kibana.domain.com/basePath/app/kibana#/dashboards
to https://kibana.domain.com/basePath/app/dashboards

is the user “do” redirected to the “kiosek” tenant, able to see only the kiosek tenant, with dashboard-only rights, and everything works? Seems to me the problem is elsewhere than in roles and users.

@peter82 I’m not able to reproduce the behaviour, in my case the user is assigned the first tenant in “searchguard.multitenancy.tenants.preferred” that he/she has access to.
They are directed to http://localhost:5601/app/home#/, and after selecting dashboards, directed to /app/dashboards#/list?_g=…

Also, if the user has no access to any other tenant, the multitenancy tab is not available, as there is no other option for the user anyway.

What tenant is automatically selected in the multitenancy tab when you log in as user “do”?

If I disable read-only mode in kibana.yml and restart Kibana, then user “do” is able to log in and sees only the kiosek tenant, which is automatically assigned to him, but of course then he can see all parts of Kibana (Discover, Dev Tools, etc.).

@peter82
From terminal, could you run the below command for “do” user and paste the response here?

curl --insecure -u<username>:<password> -XGET "https://<opendistro>:9200/_searchguard/authinfo?pretty"

:~$ curl -u 'do:do' -k -H 'Content-Type: application/json' -XGET 'https://elastic.com:9201/_searchguard/authinfo?pretty'
{
  "user" : "User do <basic/internal> [sg_roles=[read_only, SGS_KIBANA_USER]]",
  "user_name" : "do",
  "user_requested_tenant" : null,
  "remote_address" : "ip:22662",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "attribute_names" : [ ],
  "sg_roles" : [
    "SGS_KIBANA_USER",
    "read_only"
  ],
  "sg_tenants" : {
    "kiosek" : false,
    "SGS_GLOBAL_TENANT" : true,
    "do" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
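The authinfo output above, together with the kibana.yml fragment posted earlier, is enough to sanity-check which tenant a user should land in and whether read-only mode applies. The script below is an added example, not Search Guard's own code and not from this thread: it encodes the rule stated in the reply above (the first entry of tenants.preferred the user can access) and assumes that in sg_tenants a value of true means read/write and false means read-only, and that the private tenant is the one named after the user.

```python
# Added example, not Search Guard's own code: it mirrors the tenant-selection
# rule stated in this thread (first entry of tenants.preferred the user can
# access) so a config can be sanity-checked against /_searchguard/authinfo.

# Constructed from the authinfo response posted above.
AUTHINFO = {
    "user_name": "do",
    "sg_roles": ["SGS_KIBANA_USER", "read_only"],
    # Assumption: True = read/write, False = read-only access to the tenant
    # (kiosek is granted SGS_KIBANA_ALL_READ only, and shows as false).
    "sg_tenants": {"kiosek": False, "SGS_GLOBAL_TENANT": True, "do": True},
}

# Constructed from the kibana.yml fragment posted above.
KIBANA_YML = {
    "searchguard.multitenancy.tenants.preferred": ["tenant1", "tenant2", "kiosek"],
    "searchguard.multitenancy.tenants.enable_global": False,
    "searchguard.multitenancy.tenants.enable_private": False,
    "searchguard.readonly_mode.roles": ["read_only"],
}

def available_tenants(authinfo, cfg):
    """Tenants the user can open in Kibana: sg_tenants minus the global
    tenant and the private (user-named, assumed) tenant when disabled."""
    tenants = dict(authinfo["sg_tenants"])
    if not cfg["searchguard.multitenancy.tenants.enable_global"]:
        tenants.pop("SGS_GLOBAL_TENANT", None)
    if not cfg["searchguard.multitenancy.tenants.enable_private"]:
        tenants.pop(authinfo["user_name"], None)
    return tenants

def preferred_tenant(authinfo, cfg):
    """First entry of tenants.preferred the user has access to; falls back
    to the first remaining tenant when none of the preferred names match."""
    tenants = available_tenants(authinfo, cfg)
    for name in cfg["searchguard.multitenancy.tenants.preferred"]:
        if name in tenants:
            return name
    return next(iter(tenants), None)

def is_readonly_user(authinfo, cfg):
    """Read-only mode applies when any sg_role is in readonly_mode.roles."""
    return bool(set(authinfo["sg_roles"]) & set(cfg["searchguard.readonly_mode.roles"]))

def shows_multitenancy_tab(authinfo, cfg):
    """The reply above says the tab is hidden when only one tenant remains."""
    return len(available_tenants(authinfo, cfg)) > 1
```

For the "do" user this resolves to the kiosek tenant with read-only access and no multitenancy tab, which matches what the thread reports once read-only mode is working.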

I was able to fix the login error by disabling spaces; apparently it conflicts with the Search Guard implementation of multitenancy. @sirHusky this setting is deprecated in 7 and won’t be available in ELS 8, just saying :)

xpack.spaces.enabled: false

Readonly mode works as expected now. Thanks a lot for help.
