Missing privileges for index .searchguard_resource_owner

peter82 · October 27, 2022, 1:43pm

Any action _cat/indices ; _cat/nodes etc in the cluster results in missing privileges logged in. Its under INFO but its super annoying and cluttering the logs. Is there a way how to fix it please? This is happening only while in kibana, same commands via curl elasticsearch API doesn’t have this issue.

Elasticsearch version:
7.17.6 , FLX plugin 1.0.0

USER privileges: SGS_ALL_ACCESS, SGS_KIBANA_USER

{"type": "server", "timestamp": "2022-10-27T15:20:18,673+02:00", "level": "INFO", "component": "c.f.s.a.PrivilegesEvaluator", "cluster.name": "test", "node.name": "test-tels03-1", "message": "### No index privileges for indices:admin/mappings/get (org.elasticsearch.action.admin.indices.mapping.get.GetMappingsRequest)\nUser: User test_user [backend_roles=ELASTICSEARCH_Admins]]\nResolved Indices: local: _all [8]\nUnresolved: [[indices=[], indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false], allowsRemoteIndices=false, includeDataStreams=true, role=null]]\nRoles: [SGS_KIBANA_USER, SGS_ALL_ACCESS]\nRequired Privileges: [indices:admin/mappings/get]\nStatus: INSUFFICIENT\nEvaluated Privileges:\n                                      | indices:admin/mappings/get |\n.kibana_task_manager_7.17.6_001       | ok                         |\n.kibana_-909235513_test_7.17.6_001| ok                         |\n.kibana_7.17.6_001                    | ok                         |\n.async-search                         | ok                         |\n.kibana_3556498_test_7.17.6_001       | ok                         |\ntest                                  | ok                         |\n.searchguard_resource_owner           | MISSING                    |\n.tasks                                | ok                         |\n\n", "cluster.uuid": "2MquIlKOThW5qCFrcWvpPQ", "node.id": "dTnKWnR8Q0yYaZSQ66JsVQ"  }

pablo · October 27, 2022, 2:19pm

@peter82 Could you share the config of ELASTICSEARCH_Admins role and role mapping?

peter82 · October 31, 2022, 9:43am

I am using built in roles.

role_mappings.yml

SGS_ALL_ACCESS:
  backend_roles:
  - '/(?i)ELASTICSEARCH_Admins/'
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps user to SGS_ALL_ACCESS"


SGS_KIBANA_USER:
  backend_roles:
  - '/(?i)ELASTICSEARCH_Admins/'
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps user to SGS_KIBANA_USER"

peter82 · October 31, 2022, 1:20pm

I think it is somehow related to the fact that both clusters where this happened were migrated from SG53 → FLX plugin.

one cluster had issues with .searchguard_resource_owner index and another with .searchguard_resource_owner & .searchguard index . I deleted all .searchguard* indices via curl request and deploy same configuration again and it seems that those messages has stopped for now…

peter82 · November 3, 2022, 10:14am

No it doesn’t work, this morning the WARN is back with same problem, on the same index i deleted and recreated yesterday what’s more I don’t even see this index anymore, if I list indices I see

green open .searchguard_config_history aXUytlA9R6ScL1oQBQid8g 1 1  0 0   452b   226b
green open .searchguard_sessions       BmW1NHdOSJOxhAInIGi0-Q 1 1  0 0   492b   246b
green open .searchguard                2_E0H5TnQHOr4coL_gBFdg 1 1 11 0 36.6kb 18.3kb
green open .searchguard_config_vars    w2TbCpPKSeKJEaDfD6bpkQ 1 1  2 0 12.5kb  6.2kb
green open .searchguard_authtokens     Asr-qsqVT9yBIFs5SuSwTA 1 1  0 0   452b   226

indices:admin/mappings/get]\nStatus: INSUFFICIENT\nEvaluated Privileges:\n
|\n.searchguard_resource_owner           | MISSING

And I think the same problem has METRICBEAT which is getting

{"type": "server", "timestamp": "2022-11-03T11:09:34,088+01:00", "level": "INFO", "component": "c.f.s.a.PrivilegesEvaluator", "cluster.name": "test", "node.name": "test-tels03-1", "message": "### No cluster privileges for indices:monitor/recovery (org.elasticsearch.action.admin.indices.recovery.RecoveryRequest)\nUser: User metricbeat <basic/internal_users_db> [sg_roles=[METRICBEAT]]\nRoles: [METRICBEAT]\nStatus: INSUFFICIENT\nEvaluated Privileges:\n_/indices:monitor/recovery: MISSING\n", "cluster.uuid": "2MquIlKOThW5qCFrcWvpPQ", "node.id": "dTnKWnR8Q0yYaZSQ66JsVQ"

Roles, role_mappings, users, action everything is same as SG53 version.

pablo · November 4, 2022, 6:32pm

@peter82 I’ve tested your role mapping in my lab and didn’t get any of the reported notifications.

Do you see any issues in your environment? Do you know what action triggers reported messages?

trauta · November 24, 2022, 9:18pm

Hi,

I’m having somehow the exact same issue.

When accessing the ‘Stack Mangement’ view in Kibana, the following error message is displayed in the ES logs:

[2022-11-23T10:45:16,618][INFO ][c.f.s.a.PrivilegesEvaluator] [es-node01.example.com] ### No index privileges for indices:admin/ilm/explain (org.elasticsearch.xpack.core.ilm.ExplainLifecycleRequest)
User: User admin [backend_roles=[admin] requestedTenant=TEST]
Resolved Indices: local: _all [1814]
Unresolved: [[indices=[*], indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false], allowsRemoteIndices=false, includeDataStreams=true, role=null]]
Roles: [SGS_KIBANA_USER_NO_DEFAULT_TENANT, SGS_ALL_ACCESS]
Required Privileges: [indices:admin/ilm/explain]
Status: INSUFFICIENT
Evaluated Privileges:
...
                                                   | indices:admin/ilm/explain |
.searchguard_resource_owner                        | MISSING                   |
...

This is from our production cluster running 7.17.6 and SG FLX (upgraded from 53).

Regards,
Alex

pablo · November 25, 2022, 5:12pm

@trauta Could you open a new thread with your issue? Please provide uncut logs of the error with kibana.yml and elasticsearch.yml files.

Also please share the names of the roles assigned to the test user with roles.yml and roles_mapping.yml files.

It would be helpful if you could also share the output of the following command.

curl --insecure -u <test_user> -XGET https://<elasticsearch_node>:9200/searchguard/authinfo?pretty

nils · November 28, 2022, 9:52am

I have filed a bug regarding the .searchguard_resource_owner index:

Log messages regarding other missing privileges are - however - different issues and need to be separately considered.

peter82 · December 5, 2022, 10:44am

Thanks, adding hidden property has fixed the issue.

trauta · December 6, 2022, 11:30am

Hi, I can also confirm that setting hidden: true manually on the .searchguard_resource_owner index helped in that case.

system · December 27, 2022, 11:31am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No permissions for [indices:data/read/search] Search Guard	4	2170	January 2, 2023
Kibanaserver user: No permissions for indices:admin/mappings/get* and indices:monitor/stats Search Guard	4	4109	April 27, 2021
Permissions issue for tenant X Search Guard	12	523	April 25, 2022
No permissions for [indices:admin/mapping/auto_put] Search Guard	14	987	May 11, 2023
getting index-level permission issue in searchguard 6.0.0 Search Guard	1	472	January 25, 2018

Missing privileges for index .searchguard_resource_owner

Related Topics