- Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
- JVM version and operating system version: 9
- Search Guard configuration files
Hi. I would like to create a custom user who will be able to read the logs from only one index. I tried a lot of permissions, but when I run curl http://localhost:9200 --user user:<password>, I got:
{
  "error": {
    "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
    "root_cause": [
      {
        "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
        "type": "security_exception"
      }
    ],
    "type": "security_exception"
  },
  "status": 403
}
Can you tell me what is wrong with my configuration, please? Here are my sg_*.yml files.
The problem comes with the user "user" and the role "sg_user".
sg_action_group.yml (2.31 KB)
sg_config.yml (463 Bytes)
sg_internal_users.yml (391 Bytes)
sg_roles_mapping.yml (300 Bytes)
sg_roles.yml (2.12 KB)
In sg_roles.yml try

sg_user:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*logstash-normal*':
      '*':
        - READ
  readonly: true
--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/80313767-322a-4fbd-976f-59e1b91e3f9c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Did you run sgadmin after altering sg_roles.yml?
On 18.03.2019 at 16:40, k.zhelyazkov@sap.com wrote:
> Still the same message
Search Guard Admin v6
Will connect to master-svc:9300 ... done
Elasticsearch Version: 6.5.4
Search Guard Version: 6.5.4-24.0
Connected as CN=master-svc
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: shoot--i355448--shoot-elasticsearch-logging
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /root/sgconfig/
Will update 'sg/config' with /root/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /root/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /root/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /root/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
In internal users yml:

user:
  hash: $2a$12$Sg4DNnD44579g8D.RJPQtuBacbLH817eVVlOPmHuYx5MS4Heay8TK

and in roles mapping yml:

sg_user:
  users:
    - user
  readall: true

Mind the additional indirection between "backendroles" and "Search Guard roles" as explained here:
- Mapping users to Search Guard roles | Security for Elasticsearch | Search Guard
- Role mapping modes | Security for Elasticsearch | Search Guard
Thanks a lot, it works.
Can you assist me with one more thing?
My index is called "logstash-normal-2019.03.18".
Why do I not get any logs when my role is:

roles:
  sg_user:
    readonly: true
    cluster:
      - CLUSTER_MONITOR
      - CLUSTER_COMPOSITE_OPS_RO
    indices:
      '*logstash-normal*':
        '*':

Maybe I do not have enough permissions to read logs from the index?
I'm trying to read them from Kibana.
Your role definition looks good so far.
Any error message? What do you mean by "Why I do not get any logs ..."?
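The permission checks behind the 403 above, as an added example (not code from the thread or from Search Guard): a small Ruby re-implementation of Search Guard's wildcard matching, run against the role suggested earlier, the index name "logstash-normal-2019.03.18" and the action cluster:monitor/main from the first error message. The action-group expansions CLUSTER_MONITOR to cluster:monitor/* and READ to indices:data/read/* are assumed from Search Guard's default sg_action_groups.yml; the poster's own action groups file may define them differently.

```ruby
# Added example, not code from the thread or from Search Guard: a minimal
# re-implementation of the wildcard matching Search Guard applies to role
# definitions ('*' matches any run of characters, '?' one character).
# Assumption: CLUSTER_MONITOR expands to cluster:monitor/* and READ to
# indices:data/read/*, as in the default sg_action_groups.yml.
ACTION_GROUPS = {
  "CLUSTER_MONITOR" => ["cluster:monitor/*"],
  "READ"            => ["indices:data/read/*"],
}.freeze

# Turn a wildcard pattern into an anchored regular expression and test it.
def wildcard_match?(pattern, value)
  body = pattern.split(/([*?])/).map do |part|
    { "*" => ".*", "?" => "." }.fetch(part) { Regexp.escape(part) }
  end.join
  Regexp.new("\\A#{body}\\z").match?(value)
end

# Expand action-group names; anything unknown is kept as a literal action
# pattern, which is how "- indices:data/read/scroll" in a role behaves.
def expand(perms)
  perms.flat_map { |p| ACTION_GROUPS.fetch(p, [p]) }
end

# Does the role grant a cluster-level action such as cluster:monitor/main?
def cluster_permitted?(role, action)
  expand(role.fetch("cluster", [])).any? { |pat| wildcard_match?(pat, action) }
end

# Does the role grant an index-level action on a concrete index name?
# The index pattern and one of the action patterns must both match.
def index_permitted?(role, index, action)
  role.fetch("indices", {}).any? do |index_pattern, types|
    next false unless wildcard_match?(index_pattern, index)
    expand(types.values.flatten).any? { |pat| wildcard_match?(pat, action) }
  end
end

# The role from the reply above (CLUSTER_COMPOSITE_OPS_RO left out because
# its expansion is not given on this page).
SG_USER = {
  "cluster" => ["CLUSTER_MONITOR"],
  "indices" => { "*logstash-normal*" => { "*" => ["READ"] } },
}.freeze
# The same role with no cluster permissions, as in the first 403 of the thread.
NO_CLUSTER = SG_USER.merge("cluster" => []).freeze

if __FILE__ == $PROGRAM_NAME
  puts cluster_permitted?(NO_CLUSTER, "cluster:monitor/main")  # false
  puts cluster_permitted?(SG_USER, "cluster:monitor/main")     # true
  puts index_permitted?(SG_USER, "logstash-normal-2019.03.18", "indices:data/read/search")  # true
  puts wildcard_match?("logstash-normal", "logstash-normal-2019.03.18")  # false: no wildcards
end
```

Running it shows that an empty cluster section denies cluster:monitor/main, which is the first 403 in this thread, and that a pattern without wildcards would not cover a dated index such as logstash-normal-2019.03.18.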
When I log in to Kibana with this user, I do not see any logs.
Maybe you need to adjust the time filter in the upper right corner.
And make sure you have the correct index pattern selected.
And be sure that there really are log entries in the index.
I do not have any checkboxes, filters and so on in Kibana. So maybe Kibana requires additional permissions, I think.
Add the sg_kibana_user role to all users which should be able to use Kibana.
See Installing the Search Guard Kibana Plugin | Security for Elasticsearch | Search Guard
On Monday, 18 March 2019 17:30:54 UTC+1, k…@…com… wrote:
> With this update I got the following error in Kibana:
> Discover: no permissions for [indices:data/read/search] and user [name=user, roles, requestedTenant=null]
Make sure you have access to all indices matching your index pattern.
Can you attach a screenshot?
I found that it works by adding "- indices:data/read/scroll" to the cluster permissions. Thanks for the help.
So, I am using Elastic's official Elasticsearch image to run Elasticsearch version 6.7.2 and installing the Search Guard plugin version com.floragunn:search-guard-6:6.7.2-25.1 in the Dockerfile. Now the very same thing works when I tried it all with Elasticsearch version 7.0.1, but I get the error below if I run that Docker image, which runs version 6.7.2.
Dockerfile can be found at
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
  },
  "status": 403
}
I tried to change the sg_roles_mapping.yml with the mentioned values, but sgadmin failed with the error below.

sg_roles_mapping.yml:

sg_user:
  users:
    - admin:
    readall: true

sgadmin.sh error:
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml
FAIL: Configuration for 'rolesmapping' failed because of com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while parsing a block collection
in 'reader', line 37, column 5:
- admin:
^
expected <block end>, but found Key
in 'reader', line 38, column 5:
readall: true
^
It looks like an issue with the format in which I am making the entry, but I was not able to resolve it.
One more thing: do I actually need to do this? I don't get any error if I try to do the same thing and install it on my Ubuntu machine and not in Docker.
Any help is appreciated.
The indentation of your roles_mapping.yml is not correct. Keep in mind that the yaml format is picky about the correct indentation:

sg_user:
  users:
    - admin:
    readall: true

The readall config key is not allowed in the roles mapping, only users, backendroles and hosts.
So either remove this entry and also the colon after admin:

sg_user:
  users:
    - admin

Or if you want to make the role mapping readonly, then it should read:

sg_user:
  readonly: true
  users:
    - admin
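To catch both mistakes before running sgadmin, an added example (not code from the thread or from Search Guard) that loads a roles-mapping fragment with Ruby's standard YAML library and checks it against the keys listed in the reply above. The YAML texts are constructed; BROKEN reproduces the column-5 indentation the sgadmin error reports, and the allowed-key list (users, backendroles, hosts, readonly) is taken from the reply.

```ruby
# Added example, not code from the thread or from Search Guard: parse a
# sg_roles_mapping.yml fragment and report the two mistakes discussed above,
# an indentation that cannot be parsed and entries that are not valid in a
# role mapping. The YAML texts below are constructed for this example.
require "yaml"

ALLOWED_KEYS = %w[users backendroles hosts readonly].freeze  # from the reply
LIST_KEYS    = %w[users backendroles hosts].freeze

BROKEN = <<~YAML      # "readall" at the same column as the list entry
  sg_user:
    users:
      - admin:
      readall: true
YAML

COLON_KEPT = <<~YAML  # parses, but "- admin:" is a one-key mapping, not a name
  sg_user:
    users:
      - admin:
YAML

FIXED = <<~YAML       # the form suggested in the reply above
  sg_user:
    readonly: true
    users:
      - admin
YAML

# Returns the list of problems found; an empty list means the mapping is well-formed.
def check_roles_mapping(text)
  begin
    doc = YAML.safe_load(text)
  rescue Psych::SyntaxError => e
    return ["YAML parse error: #{e.message}"]
  end
  return ["top level must be a mapping of role names to entries"] unless doc.is_a?(Hash)
  problems = []
  doc.each do |role, mapping|
    next problems << "#{role}: entry must be a mapping" unless mapping.is_a?(Hash)
    (mapping.keys - ALLOWED_KEYS).each { |k| problems << "#{role}: key '#{k}' is not allowed in a role mapping" }
    LIST_KEYS.each do |k|
      next unless mapping.key?(k)
      next problems << "#{role}: '#{k}' must be a list" unless mapping[k].is_a?(Array)
      mapping[k].each do |entry|
        next if entry.is_a?(String)
        problems << "#{role}: #{entry.inspect} under '#{k}' must be a plain string (drop the trailing colon)"
      end
    end
    problems << "#{role}: 'readonly' must be true or false" if mapping.key?("readonly") && ![true, false].include?(mapping["readonly"])
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  [BROKEN, COLON_KEPT, FIXED].each { |y| puts check_roles_mapping(y).inspect }
end
```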
So, I used the first format, that is:

sg_user:
  users:
    - admin

and ran sgadmin.bat, but I am getting the same error even after that, I mean while accessing the Elasticsearch cluster.
Again, I have the same question: things are working exactly as expected if I do the same thing with Elasticsearch version 7.0.2. So is there something wrong that I am doing, and because of that I have to change the role_mapping manually?
I am doing everything inside a Docker container, so I am changing the configuration file and then running the sgadmin.bat file from inside the container only.