Lost in searchguard roles configuration

Hi Everyone,
I am trying to set up basic elastic administration using SG following https://docs.search-guard.com/latest/demo-users-roles docs. However, I am unable to produce the desired effect. The whole setup is run in docker containers with mounted config files.

I have users:
admin - should have all rights
logstash - Should be able to write and create indices
curator - Should be able to delete old indices
OPS: should be able to RW but only on index ‘docker-*
ACC: should be able to RO but only on index ‘invoices-*

But despite all effort, I can’t get the settings to work as intended (eg. ACC user can see ‘docker*’ indices), please could you help - tell me what I do wrong?

I tried this:

sg_internal_users.yml

admin:
  hash: '$2y$12$gNVSJeeCHOIKIvxYGKygrO1EF9hoqGaJT4ZFd/LaayNXsWpmgLdGO' #test
  backend_roles:
  - admin

OPS:
  hash: '$2y$12$gNVSJeeCHOIKIvxYGKygrO1EF9hoqGaJT4ZFd/LaayNXsWpmgLdGO' #test
  backend_roles:
  - kibana_user_OPS

ACC:
  hash: '$2y$12$gNVSJeeCHOIKIvxYGKygrO1EF9hoqGaJT4ZFd/LaayNXsWpmgLdGO' #test
  backend_roles:
  - kibana_user_ACC

sg_roles_mapping.yml

_sg_meta:
  type: "rolesmapping"
  config_version: 2

kibana_user_OPS:
  backend_roles:
  - "read_only_OPS"
  hosts:
  - "*"

kibana_user_ACC:
  backend_roles:
  - "read_only_ACC"
  hosts:
  - "*"

admin:
  backend_roles:
  - "admin"
  hosts:
  - "*"

sg_roles.yml

_sg_meta:
  type: "roles"
  config_version: 2

read_only:
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "READ"

read_only_ACC:
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "invoices*"
    allowed_actions:
    - "READ"

read_only_OPS:
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "docker*"
    allowed_actions:
    - "READ"

admin:
  cluster_permissions:
  - "ALL"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "ALL"

The hosts attribute in your rolemapping is the culprit.

The existence of only one criterion listed below a rolemapping entry to sufficient to assign this role. Thus, you give all roles to all hosts.

So, just remove the hosts entries. You don’t need them in most cases.

Thanks! I have modified roles-mapping.yml

_sg_meta:
type: “rolesmapping”
config_version: 2

kibana_user_OPS:
  backend_roles:
  - "read_only_OPS"
  users:
  - "OPS"

kibana_user_ACC:
  backend_roles:
  - "read_only_ACC"
  users:
  - "ACC"

admin:
  backend_roles:
  - "admin"
  users:
  - "admin"

However now my users could not create or read anything now :confused:

The roles.yml you have listed above don’t contain roles named kibana_user_OPS, kibana_user_ACC.

The roles on the top level of rolemapping.yml however must match the Search Guard roles defined in roles.yml.

See also:

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.