Kibana status red - no permissions for [indices:admin/mappings/get]

Search Guard, Elasticsearch and Kibana version 6.1.2

Java openjdk version 1.8.0, Debian jessie

Default demo Search Guard config

```
(0)#: bin/elasticsearch-plugin list
search-guard-6

(0)#: bin/kibana-plugin list
searchguard@6.1.2
```

When I log into Kibana with any user (kibanaro, admin) Kibana status is red and this error is displayed:

```
plugin:elasticsearch@6.1.2
      [security_exception] no permissions for [indices:admin/mappings/get] and User [name=kibanaserver, roles=, requestedTenant=null]
```

Nothing in elasticsearch log (debug level).

Am I missing anything? As I said, default demo Search Guard config which I’ve loaded with the sgadmin_demo.sh script:

```
(0)#: tools/sgadmin_demo.sh
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to 10.2.60.170:9300 … done
Elasticsearch Version: 6.1.2
Search Guard Version: 6.1.2-22.0
Connected as CN=kirk,OU=client,O=client,L=Test,C=DE
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: do2-elastest
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml
   SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
   SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
   SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_action_groups.yml
   SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
```

Thanks for the help.

I cannot reproduce the problem unfortunately. Here’s what I did:

1. Download and install ES 6.1.2

2. Install SG:

   ```
   bin/elasticsearch-plugin install com.floragunn:search-guard-6:6.1.2-22.0
   ```

3. Execute the demo installer

   ```
   /install_demo_configuration.sh
   ```

4. Start ES

5. Download and Install KI 6.1.2

6. Download the SG Kibana plugin 6.1.2-12

7. Performing an offline install:

   ```
   bin/kibana-plugin install file:///path/to/zip
   ```

8. Added the minimal Kibana configuration:

   ```
   searchguard.multitenancy.enabled: true
   searchguard.basicauth.enabled: true

   # Use HTTPS instead of HTTP
   elasticsearch.url: "https://localhost:9200"

   # Configure the Kibana internal server user
   elasticsearch.username: "kibanaserver"
   elasticsearch.password: "kibanaserver"

   # Disable SSL verification because we use self-signed demo certificates
   elasticsearch.ssl.verificationMode: none
   ```

9. Log in to Kibana with admin or kibanaro

I do not see any exception here, did you do something different when you installed SG/ES/KI?

Also you write:

“Nothing in elasticsearch log (debug level).”

That cannot really be the case because of this message here you see in Kibana:

```
[security_exception] no permissions for [indices:admin/mappings/get] and User [name=kibanaserver, roles=, requestedTenant=null]
```

This is an error message from the Search Guard ES plugin, so it must be logged in the ES logs, otherwise it would not appear in Kibana. You should see something like:

```
no index-level perm match …
no cluster-level perm match …
```

somewhere in the log files. It should be printed on WARN level.

(In reply to Pablo Perza's message of Monday, April 23, 2018 at 2:11:58 AM UTC-7.)

Also, do you start with an empty .kibana index, or do you have already some contents in it? If so - can you post the contents of the .kibana index?


I installed Elasticsearch and Kibana with their Puppet modules. No big changes to the config other than cluster names and node IPs, afaik.

You are right, Jochen. I can see entries in the log. I expected them at the time of the login process but actually they show up when I start Kibana (log attached). And we do have some previous content in the kibana index (also attached).

kibana-index-content (59.9 KB)

elasticsearch-log (20.1 KB)

(In reply to Jochen Kressin's message of Monday, April 23, 2018, 20:36:40 (UTC+2).)

If I add “admin” role to kibanaserver user, Kibana starts without issues. So I guess it’s a permission problem but not sure how to fix it. Of course having admin rights for kibanaserver user is not an option so this is still a problem.

Ah, now it is getting clearer. This is the exception I was looking for:

```
[2018-04-24T12:52:15,056][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] [IndexType [index=.kibana-6, type=*]] [Action [[indices:admin/mappings/get]]] [RolesChecked [sg_kibana_server, sg_own_index]]
```

From that, I assume that you initially had an index named “.kibana” and then renamed it to “.kibana-6”, is this correct? What is your entry in kibana.yml for this config key:

```
kibana.index: ".kibana"
```

For the moment please try to change the sg_kibana_server role in sg_roles.yml from:

```
indices:
  '?kibana':
    '*':
      - INDICES_ALL
```

to

```
indices:
  '?kibana-6':
    '*':
      - INDICES_ALL
```

And also change from ?kibana to ?kibana-6 in sg_kibana_user.

Please let me know if this solved the problem.

(In reply to Pablo Perza's message of Friday, April 27, 2018 at 10:34:16 AM UTC+2.)

That’s it. We don’t have a kibana.index entry in our kibana.yml but we did rename the .kibana index to .kibana-6 as part of our Kibana migration from version 5 to 6 (and created an alias for .kibana pointing to .kibana-6).

Your solution works like a charm.

Thanks!

(In reply to Jochen Kressin's message of Thursday, May 3, 2018, 16:57:04 (UTC+2).)
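An added example, not code from the thread or from the Search Guard project: a simplified Python model of the index-level check in the log line above. It shows why the `?kibana` pattern stops matching once `.kibana` is an alias for `.kibana-6`, and that the narrow `?kibana-6` pattern restores access without giving `kibanaserver` the admin role. The role data, the `INDICES_ALL` expansion, the shape of `sg_own_index` and all helper names are assumptions; document types are not modelled.

```python
import re

# Constructed, simplified model of the role data discussed in the thread;
# it is not the shipped sg_roles.yml or sg_action_groups.yml.
ACTION_GROUPS = {"INDICES_ALL": ["indices:*"]}  # assumed expansion

ROLES_BEFORE = {
    "sg_kibana_server": {"?kibana": {"*": ["INDICES_ALL"]}},
    # assumed shape of sg_own_index, with the user name already substituted
    "sg_own_index": {"kibanaserver": {"*": ["INDICES_ALL"]}},
}
ROLES_AFTER = dict(ROLES_BEFORE,
                   sg_kibana_server={"?kibana-6": {"*": ["INDICES_ALL"]}})

# Alias left behind by the Kibana 5 -> 6 migration described in the thread.
ALIASES = {".kibana": [".kibana-6"]}


def wildcard_match(pattern, value):
    """'*' matches any sequence (also empty); '?' matches exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def role_allows(role, index, action):
    """True if an index pattern of the role matches and grants the action."""
    for index_pattern, types in role.items():
        if not wildcard_match(index_pattern, index):
            continue
        # Type patterns are ignored here; every permission under the index counts.
        granted = [p for perms in types.values() for name in perms
                   for p in ACTION_GROUPS.get(name, [name])]
        if any(wildcard_match(p, action) for p in granted):
            return True
    return False


def granting_roles(roles, requested, action, aliases=ALIASES):
    """Roles allowing the action on every concrete index behind the request."""
    concrete = aliases.get(requested, [requested])
    return sorted(name for name, role in roles.items()
                  if all(role_allows(role, idx, action) for idx in concrete))


ACTION = "indices:admin/mappings/get"
if __name__ == "__main__":
    print("before:", granting_roles(ROLES_BEFORE, ".kibana", ACTION))
    print("after: ", granting_roles(ROLES_AFTER, ".kibana", ACTION))
```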