Kibanaserver user: No permissions for indices:admin/mappings/get* and indices:monitor/stats

Search Guard version:
7.9.3-47.0.0
Elasticsearch version:
7.9.3, OSS
Kibana version (if relevant):
7.9.3 OSS
Server OS version:
CentOS Linux release 7.6.1810 (Core)

Describe the issue:
I have Elasticsearch, Filebeat, Metricbeat and Kibana running. Search Guard plugin for ES is installed; no plugin installed in Kibana. The Elasticsearch log indicates a permissions issue for the “kibanaserver” user reported by Search Guard: indices:admin/mappings/get* and indices:monitor/stats. The log events are at the INFO level, but I am not sure if this is service affecting or not. Can you advise if I have the Search Guard configuration wrong, or do I need additional permissions added beyond those of SGS_KIBANA_SERVER?

Steps to reproduce:

  1. Install Elasticsearch, Filebeat, Metricbeat, Kibana
  2. Observe the ES log

Expected behavior:
All permissions configured for the deployment.

Configuration:
sg_config.yml

sg_config:
  dynamic:
    kibana:
      multitenancy_enabled: false
      server_username: "kibanaserver"
      index: ".kibana"
      rbac_enabled: false
      do_not_fail_on_forbidden: true

sg_internal_users.yml:

kibanaserver:
  hash: "xxxxxxxxxxx"
  reserved: true
  hidden: true
  static: true
  backend_roles: [ ]
  attributes: { }
  search_guard_roles: [ ]

sg_roles_mapping.yml

SGS_KIBANA_SERVER:
  reserved: true
  hidden: true
  hosts: [ ]
  users:
    - "kibanaserver"
  and_backend_roles: [ ]

Elasticsearch logs:

2021-04-05 14:08:43.311Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#53]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [SGS_KIBANA_SERVER, SGS_OWN_INDEX]]
2021-04-05 14:08:43.312Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#55]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[], indices=[searchguard, filebeat-7.9.3-2021.04.05, metricbeat-7.9.3-2021.04.05], allIndices=[searchguard, filebeat-7.9.3-2021.04.05, metricbeat-7.9.3-2021.04.05], types=[*], originalRequested=[rsa.*, *magento2*, *squarespace*, *weebly*, logs-endpoint.*, *artifactory*, squid.*, *barracuda*, *bluecoat*, .app-search-*, rsa_*, *sonicwall*, *cylance*, *meow*, *cyberark*, *checkpoint*, fluentd*, *tomcat*, snort-*, *magento*, rsa-*, *drupal*, logstash-*, pan-*, *fortinet*, *symantec*, *sophos*, *nginx*, squid-*, *acquia*, *kaspersky*, apm-*, winlogbeat-*, *citrix*, logstash-snort*, *-*-*-*, .ent-search-*, arcsight-*, squid_*, pan.*, telegraf*, *paloaltonetworks*, *cisco*, functionbeat-*, pan_*, metrics-endpoint.*, *tippingpoint*, *sigma_doc*, *suricata*, *joomla*, endgame-*, *wazuh*, packetbeat-*, *aruba*, *search*, *zscaler*, *zeek*, *fireeye*, *shopify*, *apache*, *sharepoint*, .siem-signals-*, *sitecore*, *infoblox*, *wordpress*, *mcafee*, filebeat-*, prometheusbeat*, auditbeat-*, ecs-corelight*, *tripwire*, heartbeat-*, *trendmicro*, metricbeat-*, fluentbit*], remoteIndices=[]] [Action [indices:monitor/stats]] [RolesChecked [SGS_KIBANA_SERVER, SGS_OWN_INDEX]]
2021-04-05 14:08:43.313Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#53]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No permissions for [indices:admin/mappings/get]
2021-04-05 14:08:43.313Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#55]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No permissions for [indices:monitor/stats]

Kibana auth info:
# curl -k -u kibanaserver:xxxxxxxxxxx -XGET "https://localhost:9200/_searchguard/authinfo?pretty"
{
  "user" : "User [name=kibanaserver, backend_roles=[], requestedTenant=null]",
  "user_name" : "kibanaserver",
  "user_requested_tenant" : null,
  "remote_address" : "172.17.0.1:40636",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "attribute_names" : [ ],
  "sg_roles" : [
    "SGS_KIBANA_SERVER",
    "SGS_OWN_INDEX"
  ],
  "sg_tenants" : {
    "kibanaserver" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
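The PrivilegesEvaluator lines above are the ones to pull out of the ES log when deciding whether a Search Guard role needs extending or whether the caller should simply stop making that request. As an added example (not from the original post and not part of Search Guard), a small Python parser that extracts user, action, resolved indices and the roles that were checked from constructed sample lines shaped like the ones above, then groups denied actions per user and role set:

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like the Search Guard PrivilegesEvaluator
# messages in the post above (host name and index lists shortened).
SAMPLE_LOG = """\
2021-04-05 14:08:43.311Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#53]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [SGS_KIBANA_SERVER, SGS_OWN_INDEX]]
2021-04-05 14:08:43.312Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#55]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[], indices=[searchguard, filebeat-7.9.3-2021.04.05], allIndices=[searchguard, filebeat-7.9.3-2021.04.05], types=[*], originalRequested=[filebeat-*, metricbeat-*], remoteIndices=[]] [Action [indices:monitor/stats]] [RolesChecked [SGS_KIBANA_SERVER, SGS_OWN_INDEX]]
2021-04-05 14:08:43.313Z INFO  [elasticsearch[esnode-xxxxxxxxxxx][transport_worker][T#53]] com.floragunn.searchguard.privileges.PrivilegesEvaluator - No permissions for [indices:admin/mappings/get]
"""

# Timestamp, user name, the lowercase "indices=[...]" list (not allIndices),
# the action and the roles Search Guard evaluated before denying.
PERM_MATCH = re.compile(
    r"^(?P<ts>\S+) .*?No index-level perm match for User \[name=(?P<user>[^,\]]+),"
    r".*?indices=\[(?P<indices>[^\]]*)\].*?\[Action \[(?P<action>[^\]]+)\]\]"
    r" \[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def parse_perm_denials(text):
    """Return one dict per 'No index-level perm match' line in the log text."""
    events = []
    for line in text.splitlines():
        m = PERM_MATCH.search(line)
        if not m:
            continue  # the 'No permissions for [...]' summary lines carry no user/roles
        events.append({
            "ts": m["ts"],
            "user": m["user"],
            "action": m["action"],
            "indices": [i.strip() for i in m["indices"].split(",") if i.strip()],
            "roles": [r.strip() for r in m["roles"].split(",") if r.strip()],
        })
    return events

def summarize(events):
    """Group denied actions and touched indices by (user, roles checked)."""
    summary = defaultdict(lambda: {"actions": set(), "indices": set()})
    for e in events:
        key = (e["user"], tuple(e["roles"]))
        summary[key]["actions"].add(e["action"])
        summary[key]["indices"].update(e["indices"])
    return {k: {"actions": sorted(v["actions"]), "indices": sorted(v["indices"])}
            for k, v in summary.items()}

if __name__ == "__main__":
    for (user, roles), info in summarize(parse_perm_denials(SAMPLE_LOG)).items():
        print(f"{user} via {', '.join(roles)}: denied {info['actions']} on {info['indices']}")
```

Feed it the real log and the grouping shows at a glance that only two actions are denied and both come from the Kibana server user through the default roles, which is the question this thread is trying to answer.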

Hi @jmcclure,

It seems the sg_config.yml is slightly misconfigured. The do_not_fail_on_forbidden: true should be under dynamic, as it's not a setting of kibana. It should look as follows:

    sg_config:
         dynamic:
            do_not_fail_on_forbidden: true
            kibana:
              multitenancy_enabled: false
              server_username: kibanaserver
              index: '.kibana'
              rbac_enabled: false

However, interestingly, this should have failed for you when you tried to upload the config using the sgadmin.sh script.

Can you update the config and re-upload it using the provided script? If you used the install_demo_configuration.sh script, there should have been a script created called sgadmin_demo.sh, which is the easiest way to upload and doesn’t require any additional arguments.
Otherwise please use sgadmin.sh with necessary arguments such as admin certs, configuration file/folder etc.

@sirHusky it did not fail with the parameter under kibana; also did not see any warning. I did move the do_not_fail_on_forbidden: true under dynamic as you suggested. I am still seeing the two permission issues output in the Elasticsearch log.

An interesting note is that those two permission log events happen about 5 minutes after Kibana is started. Observed them from both a clean installation and by stopping/starting Kibana after installation.

I believe I have found the cause for this. I am using Kibana OSS for Docker. Seems there is a plugin for usage collection (telemetry) that is enabled by default. I disabled the plugin and re-installed and am not seeing the log events for those two permission issues.

I added this configuration to kibana.yml

telemetry.enabled: false