Kibana no permissions for [indices:data/read/search]

Hi,

I am sure I have seen an answer to this in this forum somewhere but I can’t find it.

sg_internal_users.yml

martin:
  hash:
  readonly: 'true'
  roles: [kibanauser, customer]

sg_roles_mapping.yml

sg_kibana_user:
  backendroles:
    - "kibanauser"

sg_customer:
  readonly: true
  backendroles:
    - "customer"

sg_roles.yml

sg_kibana_user:
  <default settings from https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_roles.yml>

sg_customer:
  readonly: true
  indices:
    'logstash-${user_name}-*':
      '*':
        - "MANAGE"
        - "INDEX"
        - "READ"
        - "indices:data/read/search*"

I tried adding - "indices:data/read/search*" but this still gives me no data in my visualisation and an error in Kibana: no permissions for [indices:data/read/search] and User [name=martin, roles=[kibanauser, customer], requestedTenant=null]]

If I change sg_customer in sg_roles.yml:

sg_customer:
  readonly: true
  indices:
    'logstash-${user_name}-*':
      '*':
        - "MANAGE"
        - "INDEX"
        - "READ"
    'logstash-*':
      '*':
        - "indices:data/read/search*"

Then I don’t get any errors but all the data is returned in the visualisation. It is not restricted to logstash-martin-* when I log in as the user martin.

I thought I read here somewhere that there is an option I can set in kibana.yml to prevent these permission errors from appearing in the Kibana UI, and I was wondering if that might solve the issue too, i.e. Kibana won’t show the entries from matching indices because there are permission errors reading other indices.

Thanks for any help.

This error occurs when I try and use a visualisation that uses logstash-*. If I create a visualisation from logstash-martin-* then I don’t get any permission errors, even without - “indices:data/read/search*”
Creating visualisations for every customer will not be scalable.

I finally found the Kibana option I was looking for. My mistake was thinking it was an option in the kibana.yml; it is an option in sg_config.yml. It is also described in the docs.

One line from that doc really scared me:

If you are using the Enterprise Edition of Search Guard, enable the do not fail on forbidden mode in sg_config.yml like:

I am VERY relieved to find that this works in the community edition too!
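A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not Search Guard's code and not part of any post): it shows why a search on logstash-* is rejected for a user whose role only grants logstash-${user_name}-*, how the do not fail on forbidden mode narrows the request instead, and why granting logstash-* exposes every customer's data. The function names, the `dnfof` parameter and the index names are assumptions made for this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample data: concrete indices in a hypothetical cluster.
CLUSTER_INDICES = [
    "logstash-martin-2019.02.07",
    "logstash-martin-2019.02.08",
    "logstash-other-2019.02.08",
]
# Index patterns granted by the role, modelled on sg_customer in the post.
ROLE_PATTERNS = ["logstash-${user_name}-*"]


class Forbidden(Exception):
    """Stands in for the 'no permissions for [indices:data/read/search]' error."""


def resolve(requested, cluster_indices):
    # Expand the requested index pattern to the concrete indices it matches.
    return [i for i in cluster_indices if fnmatchcase(i, requested)]


def authorize_search(user_name, requested, dnfof,
                     role_patterns=ROLE_PATTERNS,
                     cluster_indices=CLUSTER_INDICES):
    """Return the indices the search may run on, or raise Forbidden."""
    # Substitute the ${user_name} placeholder for the authenticated user.
    grants = [p.replace("${user_name}", user_name) for p in role_patterns]
    targets = resolve(requested, cluster_indices)
    permitted = [i for i in targets
                 if any(fnmatchcase(i, g) for g in grants)]
    if dnfof:
        # Do-not-fail-on-forbidden (modelled): drop indices the user may
        # not read and run the search on the remainder.
        return permitted
    if len(permitted) != len(targets):
        # Default (modelled): one unauthorised index fails the whole request.
        raise Forbidden("no permissions for [indices:data/read/search] "
                        f"and User [name={user_name}]")
    return permitted
```
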

I corrected the docs


On 08.02.2019 at 13:00, martin.lester@vualto.com wrote:

I finally found the Kibana option I was looking for. My mistake was thinking it was an option in the kibana.yml, it is an option in sg_config.yml. It is also described in the docs

One line from that doc really scared me:

   If you are using the Enterprise Edition of Search Guard, enable the do not fail on forbidden mode in sg_config.yml like:

I am VERY relieved to find that this works in the community edition too!
