It’s unclear to me what exactly needs to be done to give a user access to kibana.
What minimum permissions are needed for the following 2 roles:
- full read access for tenant ‘foo’
- read/write access for tenant ‘foo’
cheers
Use the built-in roles.
A minimal set of roles for a Kibana user:
sounds a bit too much. I gave the SGS_KIBANA_USER role and specific access to some indices, but that’s not enough because index-pattern management seems not possible
There should be an error in the Elasticsearch log then. Show me it.
[2020-10-15T14:05:42,175][INFO ][c.f.s.p.PrivilegesEvaluator] [node01] No index-level perm match for User [name=fwernli, backend_roles=[], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/resolve/index]] [RolesChecked [site, cta_query_human, grafana_admin, SGS_KIBANA_USER]]
[2020-10-15T14:05:42,176][INFO ][c.f.s.p.PrivilegesEvaluator] [node01] No permissions for [indices:admin/resolve/index]
it is also unclear to me what role or privilege is needed for allowing read/write to private kibana tenant
An important thing to keep in mind with multi tenancy is that Kibana tenants and ES access permissions are orthogonal concepts.
The tenant defines which “buckets” of Kibana saved objects (i.e., index patterns, visualisations, …) you are allowed to use. By default, the private tenant is enabled (see searchguard.multitenancy.tenants.enable_private in the Search Guard Kibana Multitenancy documentation). Thus, any authenticated user is allowed to save index patterns in their private tenant/bucket without any further privilege.
The question which indexes a user is allowed to access and which operations a user is allowed to perform is - on the other hand - completely independent of the selected tenant. This is only governed by the index_permissions and cluster_permissions of a user.
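To make the distinction concrete for the two roles asked about at the top of the thread, here is an added illustration in the Search Guard 7 sg_roles.yml format; it is not configuration from the thread or from the Search Guard project, and the role names, the "logs-*" index pattern and the choice of SGS_* action groups are assumptions. Tenant access and data access are declared in separate sections, which is the orthogonality the reply above describes.

```yaml
# Added illustration (not from the thread or the Search Guard project).
# Assumed: sg_roles.yml in Search Guard 7 format; "logs-*" and the role names
# are placeholders; the SGS_* names are assumed built-in action groups.

# Role 1: read-only use of Kibana tenant "foo", read-only access to logs-* data.
kibana_foo_reader:
  cluster_permissions:
    - SGS_CLUSTER_COMPOSITE_OPS_RO   # read-only composite ops (msearch, mget) Kibana issues
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - SGS_READ                   # data access: read only
  tenant_permissions:
    - tenant_patterns:
        - "foo"
      allowed_actions:
        - SGS_KIBANA_ALL_READ        # tenant access: open saved objects, no saving

# Role 2: read/write in tenant "foo" (save index patterns, visualisations,
# dashboards) while data access to logs-* stays read-only.
kibana_foo_editor:
  cluster_permissions:
    - SGS_CLUSTER_COMPOSITE_OPS      # composite ops incl. the writes saved objects need
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - SGS_READ                   # data access unchanged: still read only
  tenant_permissions:
    - tenant_patterns:
        - "foo"
      allowed_actions:
        - SGS_KIBANA_ALL_WRITE       # tenant access: may create/update saved objects
```

Either role would be assigned in addition to the built-in SGS_KIBANA_USER role mentioned earlier in the thread, which covers Kibana's own housekeeping. Note that raising the tenant permission to SGS_KIBANA_ALL_WRITE only lets the user write saved objects into the "foo" bucket; it grants nothing on the logs-* documents themselves, and no tenant_permissions entry at all is needed for the private tenant, as the reply above points out.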
Thanks for this clarification.
That also means that I probably hit a bug: I do have the private tenant implicitly enabled, but can’t create any index pattern. Oddly, I don’t see any security log message in ES, and kibana only logs the following:
Oct 19 10:54:14 kibana01 kibana[29728]: {"type":"response","@timestamp":"2020-10-19T08:54:14Z","tags":[],"pid":29728,"method":"post","statusCode":403,"req":{"url":"/api/saved_objects/index-pattern","method":"post","headers":{"host":"example.com","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0","accept":"*/*","accept-language":"en,en-US;q=0.8,fr;q=0.5,de;q=0.3","accept-encoding":"gzip, deflate, br","referer":"https://example.com/app/management/kibana/indexPatterns/create","content-type":"application/json","kbn-version":"7.9.1","origin":"https://example.com","content-length":"78","dnt":"1","connection":"keep-alive","sgtenant":"__user__"},"remoteAddress":"1.1.1.1","userAgent":"1.1.1.1","referer":"https://example.com/app/management/kibana/indexPatterns/create"},"res":{"statusCode":403,"responseTime":31,"contentLength":9},"message":"POST /api/saved_objects/index-pattern 403 31ms - 9.0B"}
The kibana interface merely says Error: Forbidden
On which versions of ES/SG does this error occur?
search-guard-7 7.9.1-45.0.0
Did you enable do_not_fail_on_forbidden? If not, could you enable it and try again?
The option is enabled, yes
Hi again, I still have this problem on 7.9.1-45.0.0
There is nothing in the ES logs, I only get an “Error forbidden” message in kibana when trying to save an index-pattern:
{
"type": "response",
"@timestamp": "2021-06-28T06:59:56Z",
"tags": [],
"pid": 5457,
"method": "post",
"statusCode": 403,
"req": {
"url": "/api/saved_objects/index-pattern",
"method": "post",
"headers": {
"host": "sg.example.com",
"user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
"accept": "*/*",
"accept-language": "en,en-US;q=0.8,fr;q=0.5,de;q=0.3",
"accept-encoding": "gzip, deflate, br",
"referer": "https://sg.example.com/app/management/kibana/indexPatterns/create",
"content-type": "application/json",
"kbn-version": "7.9.1",
"origin": "https://sg.example.com",
"content-length": "82",
"dnt": "1",
"connection": "keep-alive",
"sgtenant": "__user__"
},
"remoteAddress": "1.1.2.4",
"userAgent": "1.1.2.4",
"referer": "https://sg.example.com/app/management/kibana/indexPatterns/create"
},
"res": {
"statusCode": 403,
"responseTime": 24,
"contentLength": 9
},
"message": "POST /api/saved_objects/index-pattern 403 24ms - 9.0B"
}
The user has SGS_KIBANA_USER permissions, I just checked using the kibana account info page.
Maybe this can be useful: I tried importing the index pattern in kibana using the import feature, and here’s what I get:
no permissions for [indices:admin/mapping/auto_put] and User [name=fwernli, backend_roles=[], requestedTenant=__user__]
Have you tried upgrading to SG 7.9.1-45.1.0?
From the release notes:
Creating index patterns with Kibana 7.9.1 and Search Guard 45.0.0 was not possible. Fixed.