Need help with setup of a new readall user

Hello,

this is the second time I’m posting this topic, I think the Headline of the original post was misleading.

The needed info:

Versions: Elasticsearch & Kibana in 6.3.2 , Search Guard in 6.2.3-22.0

Modules: None

Java: 1.8.0.0_161

OS: CentOs 7.4.1708

Plugins: just searchguard for elasticsearch and kibana

I’m trying to set up new users that have read access to every index, just like “readall” from the demo. Right now I have a user with 3 roles assigned to it:

:

username: k.just

hash: $2y$12$2r7l2vN2rf3ghAVwrqGvy.jkY4Q1mGOFGhXxV8IYiScv3vxS5GK/m

roles:

  • readall

  • kibanauser

  • ti_read

``

the roles are:

  • readall, as it is defined through the demo

  • kibanauser, since it is recommended in the search guard docs

  • ti_read, a role defined by myself, that has exactly the same “rights” like readall(the ti_read info is attached at the end)

I updated the configuration with sgadmin, as one is supposed to do and gave it a try. What I’m observing now is that if I’m logging in with readall, I’m able to see/“read” every index without a problem. If I’m doing the login with k.just (my new test user) I’m not able to see anything, as an example you can see here the discover site:

I also tried to give “k.just” just the readall role, it never worked like I supposed. What I’m expecting is, that I would be able to see/“read” everything just like “readall”. My Questions:

  • Am I doing anything wrong?

  • Did I understand anything in the wrong way?

  • Is there something missing?

  • And if one of these things or anything that I didn’t consider since yet is true, could you please guide me in the right direction?

Regards,
Kevin

ti_read info, role mapping:

sg_ti_read:
readonly: true
backendroles:
- ti_read

``

role:

sg_ti_read:
readonly: true
cluster:
-CLUSTER_COMPOSITE_POS_PRO
indices:
’:
'
’:
-READ

``

By the time I tested some things and found finally a configuration that is working.
I deleted the “readonly” tags from the sg_ti_read configs. That magically lead k.just to be able to see things in Kibana, but not to read index data. The error message said, that there was no role assigned. Finally, I tried to make a new user in a normal fashioned way:

ti_read:
hash:blablabla
roles:
-ti_read

``

And for this Account, it was no Problem from the start on, to see and access everything. So if someone is running into a similar Problem, don’t try to be fancy and put special characters into your name, making it in a normal fashioned way is what makes you succeed.

Hi Kevin,

sorry for the late reply. Yes, dots in usernames can lead to problems. The configuration is yaml and a dot in a key will lead to a wrong entry in the final SG index. If you need to have dots in the username, you can use the “username” attribute as described in the docs:

···

On Thursday, May 24, 2018 at 6:01:16 PM UTC+2, Kevin Just wrote:

By the time I tested some things and found finally a configuration that is working.
I deleted the “readonly” tags from the sg_ti_read configs. That magically lead k.just to be able to see things in Kibana, but not to read index data. The error message said, that there was no role assigned. Finally, I tried to make a new user in a normal fashioned way:

ti_read:
hash:blablabla
roles:
-ti_read

``

And for this Account, it was no Problem from the start on, to see and access everything. So if someone is running into a similar Problem, don’t try to be fancy and put special characters into your name, making it in a normal fashioned way is what makes you succeed.