Hello,
When I log into Kibana with a non-full-access user I get the following error:
```
Error: [security_exception] no permissions for indices:data/read/msearch
ErrorAbstract@http://example.net:5601/bundles/kibana.bundle.js?v=10000:77051:20
StatusCodeError@http://example.net:5601/bundles/kibana.bundle.js?v=10000:77213:6
respond@http://example.net:5601/bundles/kibana.bundle.js?v=10000:78418:16
checkRespForFailure@http://example.net:5601/bundles/kibana.bundle.js?v=10000:78381:8
[24]</AngularConnector.prototype.request/<@http://example.net:5601/bundles/kibana.bundle.js?v=10000:76999:8
processQueue@http://example.net:5601/bundles/commons.bundle.js?v=10000:42404:29
scheduleProcessQueue/<@http://example:5601/bundles/commons.bundle.js?v=10000:42420:28
$RootScopeProvider/this.$get</Scope.prototype.$eval@http://example.net:5601/bundles/commons.bundle.js?v=10000:43648:17
$RootScopeProvider/this.$get</Scope.prototype.$digest@http://example.net:5601/bundles/commons.bundle.js?v=10000:43459:16
$RootScopeProvider/this.$get</Scope.prototype.$apply@http://example.net:5601/bundles/commons.bundle.js?v=10000:43756:14
done@http://example.net:5601/bundles/commons.bundle.js?v=10000:38205:37
completeRequest@http://example.net:5601/bundles/commons.bundle.js?v=10000:38403:8
requestLoaded@http://example.net:5601/bundles/commons.bundle.js?v=10000:38344:10
```
I run the following setup:
- elasticsearch 2.3.5
- JVM 1.8.0_102
- kibana 4.5.4
And run the following config (omitting irrelevant stuff):
sg_internal_users.yaml
```
admin:
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
kibanaserver:
  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
syslog:
  hash: $2a$12$AeVBSy6KBDXX6mh517woUOVb6Wet2S2GoQKcOTHO7IGWOkDxttveG
```
sg_roles_mapping.yml
```
sg_kibana4_server:
  users:
    - kibanaserver
sg_all_access:
  users:
    - admin
    - adm
sg_public:
  users:
    - '*'
sg_syslog:
  users:
    - syslog
```
sg_roles.yml
```
sg_all_access:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'
sg_transport_client:
  cluster:
    - cluster:monitor/nodes/liveness
    - cluster:monitor/state
sg_kibana4:
  indices:
    '*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
    '?kibana':
      '*':
        - indices:admin/exists
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
sg_kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '?kibana':
      '*':
        - ALL
sg_logstash:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
sg_syslog:
  indices:
    'logstash-*':
      '*':
        - KIBANA_USER
    '?kibana':
      '*':
        - KIBANA_SERVER
```
sg_action_groups:
```
ALL:
  - "indices:*"
MANAGE:
  - "indices:monitor/*"
  - "indices:admin/*"
CREATE_INDEX:
  - "indices:admin/create"
MANAGE_ALIASES:
  - "indices:admin/aliases*"
MONITOR:
  - "indices:monitor/*"
DATA_ACCESS:
  - "indices:data/*"
WRITE:
  - "indices:data/write*"
READ:
  - "indices:data/read*"
DELETE:
  - "indices:data/write/delete*"
CRUD:
  - READ
  - WRITE
SEARCH:
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - SUGGEST
SUGGEST:
  - "indices:data/read/suggest*"
INDEX:
  - "indices:data/write/index*"
  - "indices:data/write/update*"
GET:
  - "indices:data/read/get*"
  - "indices:data/read/mget*"
# CLUSTER
CLUSTER_ALL:
  - cluster:*
CLUSTER_MONITOR:
  - cluster:monitor/*
KIBANA_SERVER:
  - indices:admin/exists*
  - indices:admin/mapping/put*
  - indices:admin/mappings/fields/get*
  - indices:admin/refresh*
  - indices:admin/validate/query*
  - indices:data/read/get*
  - indices:data/read/mget*
  - indices:data/read/search*
  - indices:data/write/delete*
  - indices:data/write/index*
  - indices:data/write/update*
KIBANA_USER:
  - indices:data/read*
  - indices:admin/mappings/fields/get*
  - indices:admin/validate/query*
  - indices:admin/get*
```
When I log in as admin everything is fine, but as syslog I get the mentioned error.
I sniffed the query that failed and it looks like this:
```
POST /_msearch?timeout=0&ignore_unavailable=true&preference=1474538667976 HTTP/1.1
```
and the posted json like this:
```
{
  "index": [
    ".kibana-devnull"
  ],
  "ignore_unavailable": true
}
{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "30s",
        "time_zone": "Europe/Berlin",
        "min_doc_count": 0,
        "extended_bounds": {
          "min": 1474537793635,
          "max": 1474538693635
        }
      }
    }
  },
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1474537793636,
                  "lte": 1474538693636,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "fields": [
    "*",
    "_source"
  ],
  "script_fields": {},
  "fielddata_fields": [
    "@timestamp"
  ]
}
```
Since the targeted index is .kibana-devnull I tried the following setting but it won’t work:
```
sg_syslog:
  indices:
    'logstash-*':
      '*':
        - KIBANA_USER
    '?kibana-devnull':
      '*':
        - ALL
```
What seems to work is this, but it isn’t a secure solution:
```
sg_syslog:
  indices:
    'logstash-*':
      '*':
        - KIBANA_USER
    '?kibana*':
      '*':
        - KIBANA_SERVER
        - SEARCH
    '*':
      '*':
        - SEARCH
```
Any ideas how to solve this?
Thanks for your help!
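
Added example, not part of the original post and not Search Guard code: a simplified Python model of the posted `sg_syslog` variants and action groups, using plain wildcard matching, to check which indices each variant covers for a given action and how far the working variant reaches. The index names in `SAMPLE_INDICES` are constructed, and Search Guard's real evaluation of multi-index requests may differ from this model.

```python
from fnmatch import fnmatchcase

# Action groups copied from the sg_action_groups listing in the post (subset).
ACTION_GROUPS = {
    "SUGGEST": ["indices:data/read/suggest*"],
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*", "SUGGEST"],
    "KIBANA_USER": ["indices:data/read*", "indices:admin/mappings/fields/get*",
                    "indices:admin/validate/query*", "indices:admin/get*"],
    "KIBANA_SERVER": ["indices:admin/exists*", "indices:admin/mapping/put*",
                      "indices:admin/mappings/fields/get*", "indices:admin/refresh*",
                      "indices:admin/validate/query*", "indices:data/read/get*",
                      "indices:data/read/mget*", "indices:data/read/search*",
                      "indices:data/write/delete*", "indices:data/write/index*",
                      "indices:data/write/update*"],
}

# The sg_syslog role as first posted and the broad variant that "works":
# index pattern -> type pattern -> permissions.
SYSLOG_ORIGINAL = {"logstash-*": {"*": ["KIBANA_USER"]},
                   "?kibana": {"*": ["KIBANA_SERVER"]}}
SYSLOG_WORKAROUND = {"logstash-*": {"*": ["KIBANA_USER"]},
                     "?kibana*": {"*": ["KIBANA_SERVER", "SEARCH"]},
                     "*": {"*": ["SEARCH"]}}

# Constructed index names; "hr-records" stands in for unrelated data.
SAMPLE_INDICES = [".kibana", "logstash-2016.09.22", "hr-records"]

def expand(perms, seen=None):
    """Recursively resolve action-group names into action patterns."""
    seen = set() if seen is None else seen
    out = set()
    for p in perms:
        if p not in ACTION_GROUPS:
            out.add(p)
        elif p not in seen:
            seen.add(p)
            out |= expand(ACTION_GROUPS[p], seen)
    return out

def allowed(role, index, action):
    """True if an index pattern matching `index` grants `action` (any type)."""
    return any(fnmatchcase(index, ipat) and
               any(fnmatchcase(action, a) for a in expand(perms))
               for ipat, types in role.items() for perms in types.values())

def exposed(role, indices, action):
    """Subset of `indices` on which the role may perform `action`."""
    return [i for i in indices if allowed(role, i, action)]
```

In this model the original role has no index pattern covering `.kibana-devnull`, and `KIBANA_SERVER` on `?kibana` lacks `msearch`; the `'*'` entry in the working variant extends search to every index, including `hr-records`.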