msearch permissions for kibana4

Hello,

When I log into Kibana with a non-full-access user I get the following error:

```
Error: [security_exception] no permissions for indices:data/read/msearch
ErrorAbstract@http://example.net:5601/bundles/kibana.bundle.js?v=10000:77051:20
StatusCodeError@http://example.net:5601/bundles/kibana.bundle.js?v=10000:77213:6
respond@http://example.net:5601/bundles/kibana.bundle.js?v=10000:78418:16
checkRespForFailure@http://example.net:5601/bundles/kibana.bundle.js?v=10000:78381:8
[24]</AngularConnector.prototype.request/<@http://example.net:5601/bundles/kibana.bundle.js?v=10000:76999:8
processQueue@http://example.net:5601/bundles/commons.bundle.js?v=10000:42404:29
scheduleProcessQueue/<@http://example:5601/bundles/commons.bundle.js?v=10000:42420:28
$RootScopeProvider/this.$get</Scope.prototype.$eval@http://example.net:5601/bundles/commons.bundle.js?v=10000:43648:17
$RootScopeProvider/this.$get</Scope.prototype.$digest@http://example.net:5601/bundles/commons.bundle.js?v=10000:43459:16
$RootScopeProvider/this.$get</Scope.prototype.$apply@http://example.net:5601/bundles/commons.bundle.js?v=10000:43756:14
done@http://example.net:5601/bundles/commons.bundle.js?v=10000:38205:37
completeRequest@http://example.net:5601/bundles/commons.bundle.js?v=10000:38403:8
requestLoaded@http://example.net:5601/bundles/commons.bundle.js?v=10000:38344:10
```

I run the following setup:

  • elasticsearch 2.3.5
  • JVM 1.8.0_102
  • kibana 4.5.4

And run the following config (omitting irrelevant stuff):

sg_internal_users.yaml

```yaml
admin:
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
kibanaserver:
  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
syslog:
  hash: $2a$12$AeVBSy6KBDXX6mh517woUOVb6Wet2S2GoQKcOTHO7IGWOkDxttveG
```

sg_roles_mapping.yml

```yaml
sg_kibana4_server:
  users:
    - kibanaserver

sg_all_access:
  users:
    - admin
    - adm

sg_public:
  users:
    - '*'

sg_syslog:
  users:
    - syslog
```

sg_roles.yml

```yaml
sg_all_access:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'

sg_transport_client:
  cluster:
    - cluster:monitor/nodes/liveness
    - cluster:monitor/state

sg_kibana4:
  indices:
    '*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*

sg_kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '?kibana':
      '*':
        - ALL

sg_logstash:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

sg_syslog:
  indices:
    'logstash-*':
      '*':
        - KIBANA_USER
    '?kibana':
      '*':
        - KIBANA_SERVER
```

sg_action_groups:

```yaml
ALL:
  - "indices:*"
MANAGE:
  - "indices:monitor/*"
  - "indices:admin/*"
CREATE_INDEX:
  - "indices:admin/create"
MANAGE_ALIASES:
  - "indices:admin/aliases*"
MONITOR:
  - "indices:monitor/*"
DATA_ACCESS:
  - "indices:data/*"
WRITE:
  - "indices:data/write*"
READ:
  - "indices:data/read*"
DELETE:
  - "indices:data/write/delete*"
CRUD:
  - READ
  - WRITE
SEARCH:
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - SUGGEST
SUGGEST:
  - "indices:data/read/suggest*"
INDEX:
  - "indices:data/write/index*"
  - "indices:data/write/update*"
GET:
  - "indices:data/read/get*"
  - "indices:data/read/mget*"

# CLUSTER
CLUSTER_ALL:
  - cluster:*
CLUSTER_MONITOR:
  - cluster:monitor/*

KIBANA_SERVER:
  - indices:admin/exists*
  - indices:admin/mapping/put*
  - indices:admin/mappings/fields/get*
  - indices:admin/refresh*
  - indices:admin/validate/query*
  - indices:data/read/get*
  - indices:data/read/mget*
  - indices:data/read/search*
  - indices:data/write/delete*
  - indices:data/write/index*
  - indices:data/write/update*

KIBANA_USER:
  - indices:data/read*
  - indices:admin/mappings/fields/get*
  - indices:admin/validate/query*
  - indices:admin/get*
```

When I log in as admin everything is fine, but as syslog I get the mentioned error.

I sniffed the query that failed and it looks like this:

```
POST /_msearch?timeout=0&ignore_unavailable=true&preference=1474538667976 HTTP/1.1
```

and the posted json like this:

```json
{
  "index": [
    ".kibana-devnull"
  ],
  "ignore_unavailable": true
}
{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "30s",
        "time_zone": "Europe/Berlin",
        "min_doc_count": 0,
        "extended_bounds": {
          "min": 1474537793635,
          "max": 1474538693635
        }
      }
    }
  },
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1474537793636,
                  "lte": 1474538693636,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "fields": [
    "*",
    "_source"
  ],
  "script_fields": {},
  "fielddata_fields": [
    "@timestamp"
  ]
}
```

Since the targeted index is .kibana-devnull I tried the following setting but it won’t work:

```yaml
sg_syslog:
  indices:
    'logstash-*':
      '*':
        - KIBANA_USER
    '?kibana-devnull':
      '*':
        - ALL
```

What seems to work is this, but it isn’t a secure solution:

```yaml
sg_syslog:
  indices:
    'logstash-*':
      '*':
        - KIBANA_USER
    '?kibana*':
      '*':
        - KIBANA_SERVER
        - SEARCH
    '*':
      '*':
        - SEARCH
```

Any ideas how to solve this?

Thanks for your help! :slight_smile:
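
An added example, not part of the original post and not Search Guard's own code: a simplified model of the role check that expands the action groups posted above and tests `indices:data/read/msearch` against each `sg_syslog` variant. It assumes `*` matches any sequence and `?` one character, drops the document-type level, and uses constructed index names.

```python
from fnmatch import fnmatchcase

# Action groups copied from the post's sg_action_groups (only the ones sg_syslog uses).
ACTION_GROUPS = {
    "ALL": ["indices:*"],
    "SUGGEST": ["indices:data/read/suggest*"],
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*", "SUGGEST"],
    "KIBANA_USER": ["indices:data/read*", "indices:admin/mappings/fields/get*",
                    "indices:admin/validate/query*", "indices:admin/get*"],
    "KIBANA_SERVER": ["indices:admin/exists*", "indices:admin/mapping/put*",
                      "indices:admin/mappings/fields/get*", "indices:admin/refresh*",
                      "indices:admin/validate/query*", "indices:data/read/get*",
                      "indices:data/read/mget*", "indices:data/read/search*",
                      "indices:data/write/delete*", "indices:data/write/index*",
                      "indices:data/write/update*"],
}

# The three sg_syslog variants from the post, with the document-type level dropped.
SG_SYSLOG = {
    "original": {"logstash-*": ["KIBANA_USER"], "?kibana": ["KIBANA_SERVER"]},
    "devnull_all": {"logstash-*": ["KIBANA_USER"], "?kibana-devnull": ["ALL"]},
    "workaround": {"logstash-*": ["KIBANA_USER"],
                   "?kibana*": ["KIBANA_SERVER", "SEARCH"], "*": ["SEARCH"]},
}

MSEARCH = "indices:data/read/msearch"  # the action named in the error message

def expand(perms, seen=()):
    """Resolve action-group names (possibly nested) into action patterns."""
    out = set()
    for perm in perms:
        if perm in ACTION_GROUPS and perm not in seen:
            out |= expand(ACTION_GROUPS[perm], seen + (perm,))
        else:
            out.add(perm)
    return out

def allowed(role, index, action):
    """True if any index pattern matching `index` grants `action`."""
    return any(fnmatchcase(index, pat)
               and any(fnmatchcase(action, a) for a in expand(perms))
               for pat, perms in role.items())

def msearch_scope(role, indices):
    """Which of `indices` the role may run _msearch against."""
    return [i for i in indices if allowed(role, i, MSEARCH)]

# Constructed index names; "hr-records" stands for data syslog should never read.
INDICES = [".kibana", ".kibana-devnull", "logstash-2016.09.22", "hr-records"]
for name, role in SG_SYSLOG.items():
    print(f"{name:12} {msearch_scope(role, INDICES)}")
```

Pattern matching alone predicts the `?kibana-devnull` variant would pass, while the post reports it still fails on the cluster. The workaround passes only because its `'*'` entry lets syslog search every index, `hr-records` included.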

This is a known issue, and we have already prepared a fix for it. We’re currently testing, you can expect it to be released within the next couple of days. Thanks for reporting!


On Friday, 23 September 2016 14:20:55 UTC+2, Samuel Bufe wrote:
