Left menu links don't work in Kibana after login with a user created under internal_users

Hi,

I created a user with roles sg_own_index and sg_kibana_user. But when I log in with that user the left side menu links for visualization, dashboard, Management are inactive (i.e. if I click on these links I see nothing, just blank whitespace, no options to create dashboard or visualization or index pattern…just an empty screen).

I have attached a file showing roles for user ‘Suresh’. In fact, funny part is that it is working for only one user ‘pankaj1’; if I create user with any other name it is not showing anything. I have index created by name pankaj1, pankaj2, pankaj3 etc. But if I create users pankaj2, pankaj3 with same sg_own_index and sg_kibana_user permission, I don’t see anything in visualization and other links.

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version - SG - 6.4.2-23.2 - ES 6.4.2

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Regards

Pankaj

This usually means that the user does not have the required privileges to use Kibana.

Can you check that your users are actually assigned to the sg_kibana_user role? For that, visit the SG authinfo endpoint:

https://sgssl-0.example.com:9200/_searchguard/authinfo

And in the JSON please check the sg_roles, it has to contain the sg_kibana_user role.

https://localhost:9200/_searchguard/api/internalusers

```json
{
  "logstash": {
    "hash": "",
    "roles": [
      "logstash"
    ]
  },
  "snapshotrestore": {
    "hash": "",
    "roles": [
      "snapshotrestore"
    ]
  },
  "formcept": {
    "hash": "",
    "roles": [
      "sg_mecbot_pankaj1"
    ]
  },
  "admin": {
    "attributes": {
      "attribute1": "value1",
      "attribute3": "value3",
      "attribute2": "value2"
    },
    "readonly": "true",
    "hash": "",
    "roles": [
      "admin"
    ]
  },
  "suresh": {
    "hash": "",
    "roles": [
      "sg_own_index",
      "sg_kibana_user"
    ]
  },
  "pankaj1": {
    "hash": "",
    "roles": [
      "sg_own_index",
      "sg_kibana_user"
    ]
  },
  "kibanaserver": {
    "readonly": "true",
    "hash": ""
  },
  "kibanaro": {
    "hash": "",
    "roles": [
      "kibanauser",
      "readall"
    ]
  },
  "readall": {
    "hash": "",
    "roles": [
      "readall"
    ]
  }
}
```

For user pankaj1 authinfo

```json
{
  "user": "User [name=pankaj1, roles=[sg_own_index, sg_kibana_user], requestedTenant=null]",
  "user_name": "pankaj1",
  "user_requested_tenant": null,
  "remote_address": "[::1]:49750",
  "backend_roles": [
    "sg_own_index",
    "sg_kibana_user"
  ],
  "custom_attribute_names": [],
  "sg_roles": [
    "sg_own_index"
  ],
  "sg_tenants": {
    "pankaj1": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}
```

For user suresh authinfo

```json
{
  "user": "User [name=suresh, roles=[sg_own_index, sg_kibana_user], requestedTenant=null]",
  "user_name": "suresh",
  "user_requested_tenant": null,
  "remote_address": "[::1]:49750",
  "backend_roles": [
    "sg_own_index",
    "sg_kibana_user"
  ],
  "custom_attribute_names": [],
  "sg_roles": [
    "sg_own_index"
  ],
  "sg_tenants": {
    "suresh": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}
```

Given the above configs, when I log in as suresh I can’t create visualization or dashboard while everything is fine with pankaj1 login. In fact, any other user I create with same role config I am not able to create visualization or dashboard.

Note - pankaj1 was the first user I created.

This is extremely critical for us because we are very near to releasing the product.

Thanks

Hi Folks,

Any updates on this issue?

Regards

Pankaj

You are using the wrong backend role for your Kibana users. The sequence is:

  1. Search Guard will pick up a user's backend roles

  2. Search Guard will read the sg_rolesmapping.yml

  3. Search Guard will assign the Search Guard roles based on the settings in sg_rolesmapping.

The corresponding entry in sg_rolesmapping:

```yaml
sg_kibana_user:
  backendroles:
    - kibanauser
```

So you need to assign the backend role “kibanauser” in your internalusers.yml like:

```json
"suresh": {
    "hash": "",
    "roles": [
        "sg_own_index",
        "kibanauser"
    ]
}
```

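The resolution sequence from the answer above, as an added example that is not part of the original thread and is not Search Guard code: a small offline model that turns backend roles into Search Guard roles through the roles mapping and flags backend roles that no mapping entry references. The `sg_own_index` mapping (`users: '*'`), the glob-style matching and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data modelled on the thread. In the internal users
# database, "roles" holds BACKEND roles, not Search Guard roles.
INTERNAL_USERS = {
    "suresh": {"roles": ["sg_own_index", "sg_kibana_user"]},    # as posted
    "suresh_fixed": {"roles": ["sg_own_index", "kibanauser"]},  # as corrected
}

# The sg_kibana_user entry is quoted in the thread. The sg_own_index entry
# (mapped to every user name) is an ASSUMPTION consistent with the authinfo output.
ROLES_MAPPING = {
    "sg_kibana_user": {"backendroles": ["kibanauser"]},
    "sg_own_index": {"users": ["*"]},
}


def _matches(value, patterns):
    # Approximates Search Guard's wildcard matching with shell-style globs.
    return any(fnmatchcase(value, p) for p in patterns)


def resolve_sg_roles(username, backend_roles, mapping):
    """Steps 1-3: backend roles + roles mapping -> Search Guard roles."""
    resolved = []
    for sg_role, rule in mapping.items():
        by_user = _matches(username, rule.get("users", []))
        by_backend = any(_matches(b, rule.get("backendroles", []))
                         for b in backend_roles)
        if by_user or by_backend:
            resolved.append(sg_role)
    return sorted(resolved)


def unmapped_backend_roles(backend_roles, mapping):
    """Backend roles that no mapping entry references; they grant nothing."""
    patterns = [p for rule in mapping.values()
                for p in rule.get("backendroles", [])]
    return [b for b in backend_roles if not _matches(b, patterns)]


def audit(users, mapping):
    report = {}
    for name, entry in users.items():
        backend = entry.get("roles", [])
        dead = unmapped_backend_roles(backend, mapping)
        report[name] = {
            "sg_roles": resolve_sg_roles(name, backend, mapping),
            "unmapped_backend_roles": dead,
            # The mistake in this thread: a Search Guard role name
            # assigned to the user as if it were a backend role.
            "sg_role_used_as_backend_role": [b for b in dead if b in mapping],
        }
    return report


if __name__ == "__main__":
    for user, result in audit(INTERNAL_USERS, ROLES_MAPPING).items():
        print(user, result)
```

For the user as posted, the model resolves only `sg_own_index`, which matches the `sg_roles` array in the authinfo output; with the `kibanauser` backend role it also resolves `sg_kibana_user`.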

Thanks Jochen,

If I want my users to have access to specific indexes (different users might have access to different set of indexes), I have to create new sg roles first, then new sg role mappings to new backend roles and then assign those backend roles to users? Please let me know if I have understood it properly.

Also, if I want users to have access to only their own dashboards or visualizations in Kibana, how can I achieve that? Kibana stores all dashboards in same index and same document type. Also the documents stored don’t have any field which might indicate the owner/creator of that dashboard.

Maybe I can reply from what I’ve learnt, Jochen may complete or correct my answer.

You seem to have understood the roles system.

If you want to split what dashboards and visualizations users can see in Kibana, you will have to look towards the multi-tenancy system described here: Kibana Multitenancy | Security for Elasticsearch | Search Guard (https://docs.search-guard.com/latest/kibana-multi-tenancy)

Hope it helps!

Yes, for splitting dashboards and visualizations by role/tenant you need to use the multi-tenancy feature.

Your understanding of the role system is correct, but I would rephrase it a bit:

You create new users and then map those users to Search Guard roles by using the roles mapping. You can map users by their backend role(s) and also directly by their username. Using backend roles is the preferred way because it gives you more flexibility.
