no permissions for [cluster:monitor/main]

  • Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0

  • JVM version and operating system version: 9

  • Search Guard configuration files

Hi. I would like to create custom user which will be able to read the logs only from 1 index. I tried a lot of permissions but when i run curl http://localhost:9200 --user user:, i got:

{

“error”: {

“reason”: “no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]”,

“root_cause”: [

{

“reason”: “no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]”,

“type”: “security_exception”

}

],

“type”: “security_exception”

},

“status”: 403

}

Can you tell me what is wrong with my configuration, please. Here are my sg_*.yml files.

The problem comes with the user “user” and the role “sg_user”

sg_action_group.yml (2.31 KB)

sg_config.yml (463 Bytes)

sg_internal_users.yml (391 Bytes)

sg_roles_mapping.yml (300 Bytes)

sg_roles.yml (2.12 KB)

In sg_roles.yml try

sg_user:
  cluster:
  - CLUSTER_MONITOR
  - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*logstash-normal*':
      '*':
      - READ
  readonly: true

···

Am 18.03.2019 um 16:21 schrieb k.zhelyazkov@sap.com:

* Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
* JVM version and operating system version: 9
* Search Guard configuration files

Hi. I would like to create custom user which will be able to read the logs only from 1 index. I tried a lot of permissions but when i run curl http://localhost:9200 --user user:<password>, i got:

{
  "error": {
    "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
    "root_cause": [
      {
        "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
        "type": "security_exception"
      }
    ],
    "type": "security_exception"
  },
  "status": 403
}

Can you tell me what is wrong with my configuration, please. Here are my sg_*.yml files.

The problem comes with the user "user" and the role "sg_user"

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/80313767-322a-4fbd-976f-59e1b91e3f9c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
<sg_action_group.yml><sg_config.yml><sg_internal_users.yml><sg_roles_mapping.yml><sg_roles.yml>

Still the same message

Did you run sgadmin after altering sg_roles.yml?

···

Am 18.03.2019 um 16:40 schrieb k.zhelyazkov@sap.com:

Still the same message

On Monday, March 18, 2019 at 5:27:32 PM UTC+2, Search Guard wrote:
In sg_roles.yml try

sg_user:
  cluster:
  - CLUSTER_MONITOR
  - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*logstash-normal*':
      '*':
      - READ
  readonly: true

> Am 18.03.2019 um 16:21 schrieb k.zhel...@sap.com:
>
> * Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
> * JVM version and operating system version: 9
> * Search Guard configuration files
>
> Hi. I would like to create custom user which will be able to read the logs only from 1 index. I tried a lot of permissions but when i run curl http://localhost:9200 --user user:<password>, i got:
>
> {
> "error": {
> "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
> "root_cause": [
> {
> "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
> "type": "security_exception"
> }
> ],
> "type": "security_exception"
> },
> "status": 403
> }
>
> Can you tell me what is wrong with my configuration, please. Here are my sg_*.yml files.
>
> The problem comes with the user "user" and the role "sg_user"
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/80313767-322a-4fbd-976f-59e1b91e3f9c%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> <sg_action_group.yml><sg_config.yml><sg_internal_users.yml><sg_roles_mapping.yml><sg_roles.yml>

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/066cdea2-0c68-4970-baa4-c3e4c7c4b166%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Guard Admin v6

Will connect to master-svc:9300 … done

Elasticsearch Version: 6.5.4

Search Guard Version: 6.5.4-24.0

Connected as CN=master-svc

Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …

Clustername: shoot–i355448–shoot-elasticsearch-logging

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

searchguard index already exists, so we do not need to create one.

Populate config from /root/sgconfig/

Will update ‘sg/config’ with /root/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘sg/roles’ with /root/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘sg/rolesmapping’ with /root/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘sg/internalusers’ with /root/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘sg/actiongroups’ with /root/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

···

On Monday, March 18, 2019 at 5:42:16 PM UTC+2, Search Guard wrote:

Did you run sgadmin after altering sg_roles.yml?

Am 18.03.2019 um 16:40 schrieb k.zhel...@sap.com:

Still the same message

On Monday, March 18, 2019 at 5:27:32 PM UTC+2, Search Guard wrote:

In sg_roles.yml try

sg_user:
cluster:

  • CLUSTER_MONITOR
  • CLUSTER_COMPOSITE_OPS_RO
    indices:
    logstash-normal’:
    ‘*’:
    • READ
      readonly: true

Am 18.03.2019 um 16:21 schrieb k.zhel...@sap.com:

  • Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
  • JVM version and operating system version: 9
  • Search Guard configuration files

Hi. I would like to create custom user which will be able to read the logs only from 1 index. I tried a lot of permissions but when i run curl http://localhost:9200 --user user:, i got:

{
“error”: {
“reason”: “no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]”,
“root_cause”: [
{
“reason”: “no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]”,
“type”: “security_exception”
}
],
“type”: “security_exception”
},
“status”: 403
}

Can you tell me what is wrong with my configuration, please. Here are my sg_*.yml files.

The problem comes with the user “user” and the role “sg_user”


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/80313767-322a-4fbd-976f-59e1b91e3f9c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
<sg_action_group.yml><sg_config.yml><sg_internal_users.yml><sg_roles_mapping.yml><sg_roles.yml>


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/066cdea2-0c68-4970-baa4-c3e4c7c4b166%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

in internal users yml:

user:
  hash: $2a$12$Sg4DNnD44579g8D.RJPQtuBacbLH817eVVlOPmHuYx5MS4Heay8TK

aynd in roles mapping yml

sg_user:
  users:
  - user
  readall: true

Mind the additional indirection between "backendroles" and "Search Guard roles" as explained here:

- https://docs.search-guard.com/latest/mapping-users-roles
- https://docs.search-guard.com/latest/role-mapping-modes

···

Am 18.03.2019 um 16:42 schrieb k.zhelyazkov@sap.com:

Search Guard Admin v6
Will connect to master-svc:9300 ... done
Elasticsearch Version: 6.5.4
Search Guard Version: 6.5.4-24.0
Connected as CN=master-svc
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: shoot--i355448--shoot-elasticsearch-logging
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /root/sgconfig/
Will update 'sg/config' with /root/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /root/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /root/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /root/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

On Monday, March 18, 2019 at 5:42:16 PM UTC+2, Search Guard wrote:
Did you run sgadmin after altering sg_roles.yml?

> Am 18.03.2019 um 16:40 schrieb k.zhel...@sap.com:
>
> Still the same message
>
> On Monday, March 18, 2019 at 5:27:32 PM UTC+2, Search Guard wrote:
> In sg_roles.yml try
>
> sg_user:
> cluster:
> - CLUSTER_MONITOR
> - CLUSTER_COMPOSITE_OPS_RO
> indices:
> '*logstash-normal*':
> '*':
> - READ
> readonly: true
>
> > Am 18.03.2019 um 16:21 schrieb k.zhel...@sap.com:
> >
> > * Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
> > * JVM version and operating system version: 9
> > * Search Guard configuration files
> >
> > Hi. I would like to create custom user which will be able to read the logs only from 1 index. I tried a lot of permissions but when i run curl http://localhost:9200 --user user:<password>, i got:
> >
> > {
> > "error": {
> > "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
> > "root_cause": [
> > {
> > "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
> > "type": "security_exception"
> > }
> > ],
> > "type": "security_exception"
> > },
> > "status": 403
> > }
> >
> > Can you tell me what is wrong with my configuration, please. Here are my sg_*.yml files.
> >
> > The problem comes with the user "user" and the role "sg_user"
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> > To post to this group, send email to search...@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/80313767-322a-4fbd-976f-59e1b91e3f9c%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
> > <sg_action_group.yml><sg_config.yml><sg_internal_users.yml><sg_roles_mapping.yml><sg_roles.yml>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/066cdea2-0c68-4970-baa4-c3e4c7c4b166%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4334b2ae-14d9-495b-bf76-a6c803730f10%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks a lot, it works.

Can you assist me with one more thing.

My index is called “logstash-normal-2019.03.18”

Why i do not get any logs when my role is:

roles:

sg_user:

readonly: true

cluster:

  • CLUSTER_MONITOR

  • CLUSTER_COMPOSITE_OPS_RO

indices:

logstash-normal’:

‘*’:

  • READ

Maybe i do not have enough permissions to read logs from the Index?

Im trying to read them from Kibana

Your role definition looks good so far.

Any error message? What do you mean with “Why i do not get any logs …”

···

On Monday, 18 March 2019 17:16:04 UTC+1, k.zhe…@…com wrote:

Maybe i do not have enough permissions to read logs from the Index?

Im trying to read them from Kibana

When i log in in Kibana with this User, I do not see any logs.

Maybe you need to adjust the time filter on the right upper corner.
And make sure you have the correct index pattern selected.
And be sure that there are really log entries exists in the index.

···

Am 18.03.2019 um 17:23 schrieb k.zhelyazkov@sap.com:

When i log in in Kibana with this User, I do not see any logs.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e8175527-cbb4-41e5-94ab-ecabffeb2445%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I do not have any checkbox, filters and so on in Kibana. So maybe Kibana requires additional permissions i think

Add the sg_kibana_user role to all users which should be able to use Kibana.

See https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-elasticsearch-adding-kibana-users

···

On Monday, 18 March 2019 17:30:54 UTC+1, k…@…com… wrote:

With this update i got the following error in Kibana:

Discover: no permissions for [indices:data/read/search] and user [name=user, roles, requestedTenant=null]

Make sure you have access to all indices matching your index pattern.
Can you attach a screenshot?

···

Am 18.03.2019 um 18:00 schrieb k.zhelyazkov@sap.com:

With this update i got the following error in Kibana:

Discover: no permissions for [indices:data/read/search] and user [name=user, roles, requestedTenant=null]

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/db8c3ca1-69c1-4dba-a3db-425e63c8b992%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I found that it works by adding "- indices:data/read/scroll " in the clusters permissions. Thanks for the help :slight_smile:

so, I am using elastic’s official elastic search image to run elastcsearch version 6.7.2 and installing search guard plugin version com.floragunn:search-guard-6:6.7.2-25.1 in the Dockerfile. Now the very same thing works when I tried it all with elasticsearch version 7.0.1 but getting below error If I run that docker image which runs the version 6.7.2
Dockerfile can be found at

{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
}
],
"type": "security_exception",
"reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
},
"status": 403
}

I tried to change the sg_roles_mapping.yml with mentioned values but agadmin failed with below error
sg_roles_mapping.yml

sg_user:
  users:
    - admin:
    readall: true

sgadmin.sh error

Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml 
   FAIL: Configuration for 'rolesmapping' failed because of com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while parsing a block collection
 in 'reader', line 37, column 5:
        - admin:
        ^
expected <block end>, but found Key
 in 'reader', line 38, column 5:
        readall: true  
        ^

It looks like an issue with the format in which I am making the the entry , but I was not able to resolve that.
Once more thing, do I actually need to do this, because I dont get any error if try to do the same thing and install it on my ubuntu machine and not in docker.
Any help is appreciated.

The indentation of your roles_mapping.yml is not correct. Keep in mind that the yaml format is picky about the correct indentation:

sg_user:
  users:
    - admin:
    readall: true

The readall config key is is not allowed in the roles mapping, only users, backendroles and hosts.

So either remove this entry and also the colon after admin:

sg_user:
  users:
    - admin

Or if you want to make the role mapping readonly, then it should read:

sg_user:
  readonly: true 
  users:
    - admin

So, I used the first format that is

sg_user:
  users:
    - admin

and ran sgadmin.bat but getting the same error even after that I mean while accessing the elasitc seatch cluster.
Again, I have the same question things are working exactly as expected if I do the same thing with elastic search version 7.0.2. So is there something wrong that I am doing and because of that I have to change the role_mapping manually.

I am doing everything inside a docker container so I am changing the configuration file and then running the sgadmin.bat file from inside the container only.