Kibana defaulting back to admin role after JWT expiration

ES6 and SG6

I am able to log in to Kibana using a JWT token, and it works as expected based on the roles that the token payload carries. The issue shows up when that JWT token expires and I refresh the page: Kibana defaults back to “admin”, allowing access to everything again. Is there a way to turn that off, such that when my JWT tokens are no longer valid it either redirects back to home or throws an error?

Here are my config files; please let me know if you catch something out of the ordinary or if I am doing something completely wrong.

Note: the backend user I pass through JWT payload is “superman”.

sg_roles.yml

```yaml
# Allows everything, but no changes to searchguard configuration index
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
      - CLUSTER_MONITOR
      - CLUSTER_COMPOSITE_OPS
      - cluster:admin/xpack/monitoring*
      - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

# Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"

# Allows each user to access own named index
sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL

### X-Pack COMPATIBILITY
sg_xp_monitoring:
  readonly: true
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_xp_alerting:
  readonly: true
  cluster:
    - indices:data/read/scroll
    - cluster:admin/xpack/watcher*
    - cluster:monitor/xpack/watcher*
  indices:
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ
        - indices:admin/aliases/get

sg_xp_machine_learning:
  readonly: true
  cluster:
    - cluster:admin/persistent*
    - cluster:internal/xpack/ml*
    - indices:data/read/scroll*
    - cluster:admin/xpack/ml*
    - cluster:monitor/xpack/ml*
  indices:
    '*':
      '*':
        - READ
        - indices:admin/get*
    '?ml-*':
      '*':
        - "*"

### LEGACY ROLES, FOR COMPATIBILITY ONLY
### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE

sg_readonly_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Make xpack monitoring work
sg_monitor:
  cluster:
    - cluster:admin/xpack/monitoring/*
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
    - indices:admin/template/get
    - indices:admin/template/put
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    '?marvel*':
      '*':
        - INDICES_ALL
    '?kibana*':
      '*':
        - READ
    '*':
      '*':
        - indices:data/read/field_caps

# Make xpack alerting work
sg_alerting:
  cluster:
    - indices:data/read/scroll
    - cluster:admin/xpack/watcher/watch/put
    - cluster:admin/xpack/watcher*
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana*':
      '*':
        - READ
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ

user:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*myCustomIndex1*':
      '*':
        - UNLIMITED
    '*myCustomIndex2*':
      '*':
        - UNLIMITED
  #tenants:
  #  admin_tenant: RW
```

sg_roles_mapping.yml

```yaml
# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml

sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser
    - superman

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  users:
    - '*'

user:
  readonly: true
  backendroles:
    - superman
```

kibana.yml

```yaml
console.enabled: true
# log4j2 property, not a Kibana setting
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
elasticsearch.requestTimeout: 600000
elasticsearch.shardTimeout: 595000
# disables TLS certificate verification for the Kibana-to-Elasticsearch connection
elasticsearch.ssl.verificationMode: none
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
logging.verbose: false
server.basePath: "/jwt_kibana"
server.host: "0.0.0.0"
kibana.index: ".kibana"
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.multitenancy.enable_filter: true
searchguard.multitenancy.enabled: true
searchguard.multitenancy.tenants.enable_global: true
searchguard.multitenancy.tenants.enable_private: true
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "jwt_token", "x-forwarded-for", "x-forwarded-server", "x-forwarded-by" ]
```
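The role resolution below is an added example, not code from this thread or from Search Guard. It transcribes the posted sg_roles_mapping.yml and the cluster sections of the roles relevant to the question into plain Python dicts and applies a simplified model of the mapping semantics (an assumption: an entry matches when the username matches a pattern under `users` or any of the user's backend roles appears under `backendroles`, all matches are unioned, and `hosts` is ignored). The usernames `alice` and `bob` are constructed. It shows which Search Guard roles, and therefore which cluster permissions, a JWT user carrying the backend role `superman` ends up with while the token is still valid.

```python
import fnmatch

# Role mapping transcribed from the sg_roles_mapping.yml posted above.
ROLES_MAPPING = {
    "sg_all_access":       {"backendroles": ["admin"]},
    "sg_logstash":         {"backendroles": ["logstash"]},
    "sg_kibana_server":    {"users": ["kibanaserver"]},
    "sg_kibana_user":      {"backendroles": ["kibanauser", "superman"]},
    "sg_readall":          {"backendroles": ["readall"]},
    "sg_manage_snapshots": {"backendroles": ["snapshotrestore"]},
    "sg_own_index":        {"users": ["*"]},
    "user":                {"backendroles": ["superman"]},
}

# Cluster permission lists of the roles that matter here, from sg_roles.yml above.
ROLE_CLUSTER_PERMS = {
    "sg_all_access":    ["UNLIMITED"],
    "sg_readall":       ["CLUSTER_COMPOSITE_OPS_RO"],
    "sg_kibana_user":   ["MONITOR", "CLUSTER_COMPOSITE_OPS"],
    "sg_kibana_server": ["CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS",
                         "cluster:admin/xpack/monitoring*", "indices:admin/template*"],
    "sg_own_index":     ["CLUSTER_COMPOSITE_OPS"],
    "user":             ["UNLIMITED"],
}


def resolve_sg_roles(username, backend_roles, mapping=ROLES_MAPPING):
    """Return the sorted list of Search Guard roles mapped to this user.

    Simplified model of the mapping semantics (assumption): an entry matches
    if the username matches any wildcard pattern under `users`, or if any of
    the user's backend roles is listed under `backendroles`. All matching
    entries are unioned; `hosts` is not modelled.
    """
    matched = set()
    for sg_role, entry in mapping.items():
        if any(fnmatch.fnmatchcase(username, pat) for pat in entry.get("users", [])):
            matched.add(sg_role)
        if set(backend_roles) & set(entry.get("backendroles", [])):
            matched.add(sg_role)
    return sorted(matched)


def effective_cluster_perms(sg_roles, perms=ROLE_CLUSTER_PERMS):
    """Union of the cluster permissions granted by the given Search Guard roles."""
    out = set()
    for role in sg_roles:
        out.update(perms.get(role, []))
    return sorted(out)


def roles_granting_unlimited(sg_roles, perms=ROLE_CLUSTER_PERMS):
    """Which of the mapped roles hand out UNLIMITED cluster permissions."""
    return [r for r in sg_roles if "UNLIMITED" in perms.get(r, [])]


if __name__ == "__main__":
    # Constructed user: JWT subject "alice" carrying backend role "superman".
    roles = resolve_sg_roles("alice", ["superman"])
    print("mapped roles:", roles)
    print("cluster perms:", effective_cluster_perms(roles))
    print("UNLIMITED via:", roles_granting_unlimited(roles))
```

Run as a script it lists the mapped roles for the constructed `superman` user; the custom `user` role, not only `sg_all_access`, is one of the roles that grants `UNLIMITED` cluster permissions in the posted configuration, which is worth keeping in mind when judging whether access "works as expected" while the token is valid.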

We need to see the sg_config.yml. If a token expires, the user does not automatically get assigned to another role; there is no automatic fallback or anything of the like. The only thing I can imagine is that you also enabled Basic Authentication with the internal user database, probably for the Kibana server user, and that you have some cached Basic Auth credentials in your browser.

To further investigate or validate my assumption, try to monitor the network traffic when the token expires. I guess you will find some Basic Auth credentials somewhere.

BTW - the error page when the token expires will be part of the upcoming Kibana v14 release.
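The traffic check below is an added example, not part of Jochen's reply and not Search Guard code. It does the inspection he suggests on captured request headers: for each request it reports whether the browser sent Basic credentials, a still-valid JWT, an expired JWT, or nothing. The sample requests and the token they carry are constructed; the header name `jwt_token` is taken from the `requestHeadersWhitelist` in the posted kibana.yml and is an assumption about how the token is transported. The JWT payload is decoded without signature verification, which is fine for looking at captured traffic but never for authentication.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims_unverified(token):
    """Return the payload claims of a compact JWS token WITHOUT verifying it.
    Inspection aid only; never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def classify_request(headers, now, jwt_header="jwt_token"):
    """Classify one captured request by the credential it carries.
    `headers` maps lower-cased header names to values.
    Returns 'basic', 'jwt-valid', 'jwt-expired' or 'none'."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        return "basic"
    token = None
    if auth.lower().startswith("bearer "):
        token = auth[7:].strip()
    elif headers.get(jwt_header):
        token = headers[jwt_header]
    if token is None:
        return "none"
    exp = jwt_claims_unverified(token).get("exp")
    if exp is not None and exp <= now:
        return "jwt-expired"
    return "jwt-valid"


def audit(requests, now=None):
    """Classify every captured request; returns [(path, classification), ...]."""
    now = time.time() if now is None else now
    return [(r["path"], classify_request(r["headers"], now)) for r in requests]


def basic_auth_paths(requests, now=None):
    """Paths on which the browser sent Basic credentials: the fallback to look for."""
    return [path for path, kind in audit(requests, now) if kind == "basic"]


def _constructed_token(claims):
    """Build a syntactically valid but UNSIGNED token for the sample data below.
    Constructed for the example; not a real credential."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed capture: a fixed "now" and four requests against the basePath from the post.
NOW = 1530700000
SAMPLE_REQUESTS = [
    {"path": "/jwt_kibana/api/status",
     "headers": {"jwt_token": _constructed_token({"sub": "alice", "roles": "superman", "exp": NOW + 600})}},
    {"path": "/jwt_kibana/api/status",
     "headers": {"jwt_token": _constructed_token({"sub": "alice", "roles": "superman", "exp": NOW - 60})}},
    {"path": "/jwt_kibana/app/kibana",
     "headers": {"authorization": "Basic dXNlcjpwYXNz"}},   # "user:pass", constructed
    {"path": "/jwt_kibana/",
     "headers": {}},
]

if __name__ == "__main__":
    for path, kind in audit(SAMPLE_REQUESTS, NOW):
        print(f"{kind:12s} {path}")
    print("Basic credentials seen on:", basic_auth_paths(SAMPLE_REQUESTS, NOW))
```

To use it on a real capture, export the requests from the browser's network panel (a HAR file, for instance) and feed `audit` a list of `{"path": ..., "headers": {...}}` dicts with lower-cased header names; any path that comes back as `basic` after the token has expired is the cached credential Jochen describes.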

> On Tuesday, July 3, 2018 at 10:50:16 PM UTC+2, .mni wrote:
> [quoted original post trimmed]

I apologize for a very late response. Will there also be a config for redirecting the page to our auth servers once that JWT expiration message shows up?

> On Wednesday, July 4, 2018 at 1:55:42 PM UTC-6, Jochen Kressin wrote:
> [quoted reply trimmed]

Hmm … if you’re saying you want to have the users redirected to your auth servers, are you perhaps looking for OpenID Connect integration?

> On Monday, July 16, 2018 at 5:02:11 PM UTC+2, .mni wrote:
> [quoted reply trimmed]