Machine Learning permissions

Search Guard
1

Elasticsearch version:
8.5.3

Kibana version (if relevant):
8.5.3

Describe the issue:

Following the documentation (X-Pack Machine Learning | Security for Elasticsearch | Search Guard) the ML setup is done on every elastic node (elasticsearch.yml):

xpack.security.enabled: false
xpack.ml.enabled: true

The SGS_XP_MACHINE_LEARNING role is granted to the user. During the ML job creation the following errors can be seen:

{
“statusCode”: 400,
“error”: “Bad Request”,
“message”: “[security_exception: [security_exception] Reason: Insufficient permissions]: Insufficient permissions”,
“attributes”: {
“body”: {
“error”: {
“root_cause”: [
{
“type”: “security_exception”,
“reason”: “Insufficient permissions”,
“missing_permissions”: “cluster:admin/xpack/ml/job/estimate_model_memory”
}
],
“type”: “security_exception”,
“reason”: “Insufficient permissions”,
“missing_permissions”: “cluster:admin/xpack/ml/job/estimate_model_memory”
},
“status”: 403
}
}
}

{
“statusCode”: 403,
“error”: “Forbidden”,
“message”: “[security_exception: [security_exception] Reason: Insufficient permissions]: Insufficient permissions”,
“attributes”: {
“body”: {
“error”: {
“root_cause”: [
{
“type”: “security_exception”,
“reason”: “Insufficient permissions”,
“missing_permissions”: “cluster:admin/xpack/ml/job/put”
}
],
“type”: “security_exception”,
“reason”: “Insufficient permissions”,
“missing_permissions”: “cluster:admin/xpack/ml/job/put”
},
“status”: 403
}
}
}

How can we solve this issue?

Best regards,
korodif

2

@korodif I’ve just followed the ML configuration in the SG documentation and my test user was able to create and manage ML jobs.

Could you share your roles.yml, roles_mapping.yml files? What is the name of the test user?

What type of authentication/authorization do you use?

3

I’m using ldap authentication backend:

auth_domains:

  • type: “basic/internal_users_db”
  • type: basic/ldap

So based on LDAP groups I’ve the following roles:

Search Guard roles

SGS_XP_MACHINE_LEARNING
SGS_ALL_ACCESS
SGS_OWN_INDEX

But with admin user I’ve also got this error.

4

@korodif Please share the roles.yml and roles_mapping.yml files.
Also, please share the output of the following commands.

curl --insecure -u admin:admin -XGET https://<ES_node_FQDN_or_IP>:9200/_searchguard/authinfo?pretty

curl --insecure -u <reported_LDAP_user> -XGET https://<ES_node_FQDN_or_IP>:9200/_searchguard/authinfo?pretty
5

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.