Kibana users require bulk permission

I am using SearchGuard 5 with Elasticsearch and Kibana 5.

Kibana users should be able to save searches, visualizations and dashboards. According to the docs the sg_kibana role allows full access to the .kibana index.
Nevertheless, when saving a new object the operation is denied with “Dashboard: no permissions for indices:data/write/bulk: [security_exception] no permissions for indices:data/write/bulk”.

This can only be solved by adding the “indices:data/write/bulk” cluster level permission. Why is that? I don’t want my users to write to anything else than the .kibana index.

Thomas

Which version are you using exactly? Elastic has changed the way writes and bulks are handled internally, so to advise I need the full ES and SG version. Thanks!

I am using Elasticsearch 5.6.3 with SearchGuard 5.6.3-16

To give you some background: Elasticsearch has changed the way index and delete operations are handled internally. Since 5.3.0, they are converted to a bulk request with a single item; see elastic/elasticsearch Pull Request #22812, “Make index and delete operation execute as single bulk item (backport of #21964)” by areek. That’s why the additional bulk permission is needed. Since it’s an ES internal change, we can’t do anything about it. But the necessary config changes to get it to work with the Kibana index are rather straightforward:

For the following fix you need to upgrade Search Guard to at least v17; better, use the latest v18. You need the “Additional permissions for inner bulk requests” enhancement introduced in v17 (see the Search Guard 5.x-17 release notes):

  • Assign the bulk permission on cluster level to the user. This will only grant the general permission to execute bulk requests, and does not automatically grant any bulk permission on index level.

  • For the Kibana index, add the indices:data/write/bulk permission. This will grant bulk permission on this index only; other indices are not affected.

  • All other indices can stay as they are

Hope this helps!
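
The three steps from the reply above, written out as a role definition. This is an added example, not part of the original thread and not Search Guard's shipped configuration; the role name, the `logs-*` index and its read permission are hypothetical, and the layout (role, then `cluster` / `indices`, then index, type, permission list, with `?` standing in for the leading dot of `.kibana`) is assumed to be the Search Guard 5 `sg_roles.yml` format.

```yaml
# sg_roles.yml fragment for Search Guard 5.x-17 or later (assumed layout).
# Role name is hypothetical; merge these entries into the role your Kibana users map to.
sg_kibana_user_example:
  cluster:
    # Step 1: general right to submit bulk requests. With the v17
    # "inner bulk requests" check this alone does not allow a bulk
    # write to any index.
    - indices:data/write/bulk
  indices:
    # Step 2: bulk permission on the Kibana index only.
    '?kibana':
      '*':
        - indices:data/write/bulk
        # ... the role's existing .kibana permissions stay listed here
    # Step 3: every other index stays as it was. No bulk entry here, so
    # a single-item bulk (index/delete) against it is still rejected.
    'logs-*':              # hypothetical read-only index pattern
      '*':
        - indices:data/read/search
```

To check the result, save a dashboard as a user in this role, then send an index request to one of the other indices as the same user and confirm it still fails with the `security_exception` for `indices:data/write/bulk`.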
