* Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
* JVM version and operating system version: 9
* Search Guard configuration files
Hi. I would like to create a custom user which will be able to read the logs from only 1 index. I tried a lot of permissions, but when I run curl http://localhost:9200 --user user:<password>, I got:
{
  "error": {
    "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
    "root_cause": [
      {
        "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
        "type": "security_exception"
      }
    ],
    "type": "security_exception"
  },
  "status": 403
}
Can you tell me what is wrong with my configuration, please? Here are my sg_*.yml files.
The problem comes with the user "user" and the role "sg_user".
On 18.03.2019 at 16:42, k.zhelyazkov@sap.com wrote:
Search Guard Admin v6
Will connect to master-svc:9300 ... done
Elasticsearch Version: 6.5.4
Search Guard Version: 6.5.4-24.0
Connected as CN=master-svc
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: shoot--i355448--shoot-elasticsearch-logging
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /root/sgconfig/
Will update 'sg/config' with /root/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /root/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /root/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /root/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
On Monday, March 18, 2019 at 5:42:16 PM UTC+2, Search Guard wrote:
Did you run sgadmin after altering sg_roles.yml?
> On 18.03.2019 at 16:40, k.zhel...@sap.com wrote:
>
> Still the same message
>
> On Monday, March 18, 2019 at 5:27:32 PM UTC+2, Search Guard wrote:
> In sg_roles.yml try
>
> sg_user:
>   cluster:
>     - CLUSTER_MONITOR
>     - CLUSTER_COMPOSITE_OPS_RO
>   indices:
>     '*logstash-normal*':
>       '*':
>         - READ
>   readonly: true
>
> > On 18.03.2019 at 16:21, k.zhel...@sap.com wrote:
> >
> > * Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
> > * JVM version and operating system version: 9
> > * Search Guard configuration files
> >
> > Hi. I would like to create a custom user which will be able to read the logs from only 1 index. I tried a lot of permissions, but when I run curl http://localhost:9200 --user user:<password>, I got:
> >
> > {
> >   "error": {
> >     "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
> >     "root_cause": [
> >       {
> >         "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
> >         "type": "security_exception"
> >       }
> >     ],
> >     "type": "security_exception"
> >   },
> >   "status": 403
> > }
> >
> > Can you tell me what is wrong with my configuration, please? Here are my sg_*.yml files.
> >
> > The problem comes with the user "user" and the role "sg_user".
> >
> > <sg_action_group.yml><sg_config.yml><sg_internal_users.yml><sg_roles_mapping.yml><sg_roles.yml>
>
>
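A complete least-privilege setup for this case, written out as an added example (it is not taken from the Search Guard project's sample files or from the attachments in this thread). It follows the suggestion above: CLUSTER_MONITOR covers the cluster:monitor/main action that a plain GET / needs (the action named in the 403), CLUSTER_COMPOSITE_OPS_RO covers the read-only composite requests (msearch, mget) that clients and Kibana send, and index permissions are limited to one index pattern with READ only. The index pattern logstash-normal-*, the user name user and the hash placeholder are assumptions; narrow the pattern to the exact index you want exposed.

```yaml
# sg_roles.yml (added example): one role, read-only, scoped to a single index pattern
sg_user:
  cluster:
    - CLUSTER_MONITOR            # cluster:monitor/*, which includes cluster:monitor/main (GET /)
    - CLUSTER_COMPOSITE_OPS_RO   # read-only composite operations (msearch, mget)
  indices:
    'logstash-normal-*':         # assumed index pattern; use the one index you actually mean
      '*':                       # all document types in that index
        - READ                   # search and get only; no write, no index-admin actions
  readonly: true                 # mapping cannot be changed through the REST API

---
# sg_roles_mapping.yml (added example): attach the internal user to the role
sg_user:
  users:
    - user

---
# sg_internal_users.yml (added example): the internal user record.
# The hash is produced with the hash.sh tool shipped with the plugin; the value below is a placeholder.
user:
  hash: "<bcrypt hash from hash.sh, placeholder>"
```

After editing these files the change only takes effect once sgadmin has been run against the cluster, as the thread points out. Two quick checks then confirm the role does what it should: curl -u user:<password> http://localhost:9200/ must now return 200 instead of the 403 above, and a search against any index outside the pattern (for example GET /other-index/_search with the same credentials) must still return 403, which shows the read access really is confined to the one index. Note that Kibana logins need access to the .kibana index on top of this; in the Search Guard 6 sample configuration that is what the sg_kibana_user role provides, so a Kibana user is normally mapped to both roles, and the role above alone does not grant it.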
Maybe you need to adjust the time filter in the upper right corner.
And make sure you have the correct index pattern selected.
And be sure that there really are log entries in the index.
On 18.03.2019 at 17:23, k.zhelyazkov@sap.com wrote:
When I log in to Kibana with this user, I do not see any logs.
So, I am using Elastic's official Elasticsearch image to run Elasticsearch version 6.7.2 and installing the Search Guard plugin version com.floragunn:search-guard-6:6.7.2-25.1 in the Dockerfile. Now the very same thing works when I tried it all with Elasticsearch version 7.0.1, but I get the error below if I run the Docker image which runs version 6.7.2.
Dockerfile can be found at
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
  },
  "status": 403
}
I tried to change sg_roles_mapping.yml with the mentioned values, but sgadmin failed with the error below.
sg_roles_mapping.yml
sg_user:
  users:
    - admin:
    readall: true
sgadmin.sh error
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml
FAIL: Configuration for 'rolesmapping' failed because of com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while parsing a block collection
in 'reader', line 37, column 5:
- admin:
^
expected <block end>, but found Key
in 'reader', line 38, column 5:
readall: true
^
It looks like an issue with the format in which I am making the entry, but I was not able to resolve that.
One more thing: do I actually need to do this, because I don't get any error if I try to do the same thing and install it on my Ubuntu machine and not in Docker.
Any help is appreciated.
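The parse error above has a simple cause: the trailing colon in "- admin:" turns the list item into a nested mapping, and "readall: true" at the same column is then neither another list item nor part of that mapping, which is exactly what "expected <block end>, but found Key" means. Below is that fragment next to the shape sg_roles_mapping.yml expects in Search Guard 6: "users" is a plain list of user names, and the only flag Search Guard reads at the role-mapping level is "readonly" (there is no "readall" key). This is an added example, not the content of the files uploaded in this thread; the role name sg_user and the user admin are taken from the post. The "roles=[]" in the 403 shows that no role was mapped to admin at all, so whatever role is intended, the mapping file has to parse before sgadmin will load it.

```yaml
# Broken, as posted: "- admin:" opens a mapping inside the list, and
# "readall: true" then sits where YAML expects another list item or the block end.
sg_user:
  users:
    - admin:
    readall: true

---
# Corrected (added example): users is a list of names, and readonly is the flag
# Search Guard 6 recognises here (it marks the mapping as not editable via the REST API).
sg_user:
  readonly: true
  users:
    - admin
```

After fixing the file, run sgadmin again; the "SUCC: Configuration for 'rolesmapping' created or updated" line from earlier in the thread is what a successful load looks like, and GET / with the admin credentials should then report roles=[sg_user] rather than roles=[] if it is still denied for another reason.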
and ran sgadmin.bat, but I am getting the same error even after that, I mean while accessing the Elasticsearch cluster.
Again, I have the same question: things are working exactly as expected if I do the same thing with Elasticsearch version 7.0.2. So is there something wrong that I am doing, and because of that I have to change the role_mapping manually?
I am doing everything inside a Docker container, so I am changing the configuration file and then running the sgadmin.bat file from inside the container only.
I have uploaded all the files here, but I would just like to highlight once again that everything works if I install Elasticsearch 6.7.2 and the respective Search Guard plugin directly on my Ubuntu machine and not on Docker.
If you want to look at the Dockerfile, I have mentioned the GitHub repo in my previous comment, the one in the 6.7 branch.
Thanks for helping me out with this.
So, I somehow got Elasticsearch version 6.5.1 working with the respective Search Guard version, i.e. com.floragunn:search-guard-6:6.5.1-24.3.
But now the issue that I have is that I think I cannot provide the password as an environment variable while running the Docker image if Elasticsearch is being run as a Docker image, because that functionality is available only after Search Guard version 25, as mentioned here in this thread.
Is there a way to achieve the same in this version of Search Guard, or is it not possible to do in versions below 25?
So, here is the problem now: if I run an Elasticsearch version lower than 6.6, the respective Search Guard version would be lower than 25 and providing the password while running Docker images won't be possible, and if I run Elasticsearch version 6.6 or 6.7 and the respective Search Guard plugin, I get the issue that is mentioned here.