Missing privileges for index .searchguard_resource_owner

Any action (_cat/indices, _cat/nodes, etc.) in the cluster results in missing privileges being logged. It's under INFO, but it's super annoying and clutters the logs. Is there a way to fix it, please? This happens only while in Kibana; the same commands via curl against the Elasticsearch API don't have this issue.

Elasticsearch version: 7.17.6, FLX plugin 1.0.0

USER privileges: SGS_ALL_ACCESS, SGS_KIBANA_USER

{"type": "server", "timestamp": "2022-10-27T15:20:18,673+02:00", "level": "INFO", "component": "c.f.s.a.PrivilegesEvaluator", "cluster.name": "test", "node.name": "test-tels03-1", "message": "### No index privileges for indices:admin/mappings/get (org.elasticsearch.action.admin.indices.mapping.get.GetMappingsRequest)\nUser: User test_user [backend_roles=ELASTICSEARCH_Admins]]\nResolved Indices: local: _all [8]\nUnresolved: [[indices=[], indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false], allowsRemoteIndices=false, includeDataStreams=true, role=null]]\nRoles: [SGS_KIBANA_USER, SGS_ALL_ACCESS]\nRequired Privileges: [indices:admin/mappings/get]\nStatus: INSUFFICIENT\nEvaluated Privileges:\n                                      | indices:admin/mappings/get |\n.kibana_task_manager_7.17.6_001       | ok                         |\n.kibana_-909235513_test_7.17.6_001| ok                         |\n.kibana_7.17.6_001                    | ok                         |\n.async-search                         | ok                         |\n.kibana_3556498_test_7.17.6_001       | ok                         |\ntest                                  | ok                         |\n.searchguard_resource_owner           | MISSING                    |\n.tasks                                | ok                         |\n\n", "cluster.uuid": "2MquIlKOThW5qCFrcWvpPQ", "node.id": "dTnKWnR8Q0yYaZSQ66JsVQ"  }
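Added example (not from the thread or from Search Guard): a small parser that pulls the action, status, roles and per-index verdicts out of a c.f.s.a.PrivilegesEvaluator JSON log line, so the MISSING entries can be triaged from a log stream instead of read by eye. The sample line is constructed from the one above, shortened; the field layout is assumed to match what the log shows.

```python
import json
import re

# Constructed sample: a PrivilegesEvaluator log line shortened from the one
# quoted in the thread (not the poster's exact line).
SAMPLE_LOG_LINE = json.dumps({
    "component": "c.f.s.a.PrivilegesEvaluator",
    "message": (
        "### No index privileges for indices:admin/mappings/get (GetMappingsRequest)\n"
        "Roles: [SGS_KIBANA_USER, SGS_ALL_ACCESS]\n"
        "Status: INSUFFICIENT\n"
        "Evaluated Privileges:\n"
        "                            | indices:admin/mappings/get |\n"
        ".kibana_7.17.6_001          | ok                         |\n"
        "test                        | ok                         |\n"
        ".searchguard_resource_owner | MISSING                    |\n"
        ".tasks                      | ok                         |\n\n"
    ),
})


def parse_privileges_log(line):
    """Action, status, roles and per-index verdicts from one PrivilegesEvaluator line."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    if record.get("component") != "c.f.s.a.PrivilegesEvaluator":
        return None
    msg = record.get("message", "")
    action = re.search(r"### No (?:index|cluster) privileges for (\S+)", msg)
    status = re.search(r"^Status: (\w+)$", msg, re.M)
    roles = re.search(r"^Roles: \[([^\]]*)\]$", msg, re.M)
    verdicts = {}
    # Table rows look like "<index> | <ok|MISSING> |"; the header row has no index.
    for row in msg.split("Evaluated Privileges:\n", 1)[-1].splitlines():
        cells = [c.strip() for c in row.split("|")]
        if len(cells) >= 2 and cells[0]:
            verdicts[cells[0]] = cells[1]
    return {"action": action.group(1) if action else None,
            "status": status.group(1) if status else None,
            "roles": [r.strip() for r in roles.group(1).split(",")] if roles else [],
            "verdicts": verdicts}


def missing_indices(line):
    """Names of indices the evaluator marked MISSING, for quick triage."""
    parsed = parse_privileges_log(line)
    return sorted(i for i, v in (parsed or {"verdicts": {}})["verdicts"].items() if v == "MISSING")
```

Cluster-level messages (the "_/action: MISSING" form) carry no pipe table, so only the action and status are extracted for them.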

@peter82 Could you share the config of ELASTICSEARCH_Admins role and role mapping?

I am using built-in roles.

role_mappings.yml

SGS_ALL_ACCESS:
  backend_roles:
  - '/(?i)ELASTICSEARCH_Admins/'
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps user to SGS_ALL_ACCESS"


SGS_KIBANA_USER:
  backend_roles:
  - '/(?i)ELASTICSEARCH_Admins/'
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps user to SGS_KIBANA_USER"


I think it is somehow related to the fact that both clusters where this happened were migrated from SG53 → FLX plugin.

One cluster had issues with the .searchguard_resource_owner index and another with the .searchguard_resource_owner and .searchguard indices. I deleted all .searchguard* indices via a curl request and deployed the same configuration again, and it seems that those messages have stopped for now…

No, it doesn't work. This morning the WARN is back with the same problem, on the same index I deleted and recreated yesterday. What's more, I don't even see this index anymore; if I list indices I see

green open .searchguard_config_history aXUytlA9R6ScL1oQBQid8g 1 1  0 0   452b   226b
green open .searchguard_sessions       BmW1NHdOSJOxhAInIGi0-Q 1 1  0 0   492b   246b
green open .searchguard                2_E0H5TnQHOr4coL_gBFdg 1 1 11 0 36.6kb 18.3kb
green open .searchguard_config_vars    w2TbCpPKSeKJEaDfD6bpkQ 1 1  2 0 12.5kb  6.2kb
green open .searchguard_authtokens     Asr-qsqVT9yBIFs5SuSwTA 1 1  0 0   452b   226
indices:admin/mappings/get]\nStatus: INSUFFICIENT\nEvaluated Privileges:\n
|\n.searchguard_resource_owner           | MISSING 

And I think METRICBEAT has the same problem; it is getting

{"type": "server", "timestamp": "2022-11-03T11:09:34,088+01:00", "level": "INFO", "component": "c.f.s.a.PrivilegesEvaluator", "cluster.name": "test", "node.name": "test-tels03-1", "message": "### No cluster privileges for indices:monitor/recovery (org.elasticsearch.action.admin.indices.recovery.RecoveryRequest)\nUser: User metricbeat <basic/internal_users_db> [sg_roles=[METRICBEAT]]\nRoles: [METRICBEAT]\nStatus: INSUFFICIENT\nEvaluated Privileges:\n_/indices:monitor/recovery: MISSING\n", "cluster.uuid": "2MquIlKOThW5qCFrcWvpPQ", "node.id": "dTnKWnR8Q0yYaZSQ66JsVQ"  

Roles, role_mappings, users, actions: everything is the same as in the SG53 version.

@peter82 I’ve tested your role mapping in my lab and didn’t get any of the reported notifications.

Do you see any issues in your environment? Do you know what action triggers reported messages?

Hi,

I'm somehow having the exact same issue.

When accessing the 'Stack Management' view in Kibana, the following error message is displayed in the ES logs:

[2022-11-23T10:45:16,618][INFO ][c.f.s.a.PrivilegesEvaluator] [es-node01.example.com] ### No index privileges for indices:admin/ilm/explain (org.elasticsearch.xpack.core.ilm.ExplainLifecycleRequest)
User: User admin [backend_roles=[admin] requestedTenant=TEST]
Resolved Indices: local: _all [1814]
Unresolved: [[indices=[*], indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false], allowsRemoteIndices=false, includeDataStreams=true, role=null]]
Roles: [SGS_KIBANA_USER_NO_DEFAULT_TENANT, SGS_ALL_ACCESS]
Required Privileges: [indices:admin/ilm/explain]
Status: INSUFFICIENT
Evaluated Privileges:
...
                                                   | indices:admin/ilm/explain |
.searchguard_resource_owner                        | MISSING                   |
...

This is from our production cluster running 7.17.6 and SG FLX (upgraded from 53).

Regards,
Alex

@trauta Could you open a new thread with your issue? Please provide uncut logs of the error with kibana.yml and elasticsearch.yml files.

Also please share the names of the roles assigned to the test user with roles.yml and roles_mapping.yml files.

It would be helpful if you could also share the output of the following command.

curl --insecure -u <test_user> -XGET https://<elasticsearch_node>:9200/searchguard/authinfo?pretty

I have filed a bug regarding the .searchguard_resource_owner index:

Log messages regarding other missing privileges are, however, different issues and need to be considered separately.