no permissions for [cluster:monitor/main]

Search Guard Admin v6
Will connect to master-svc:9300 ... done
Elasticsearch Version: 6.5.4
Search Guard Version: 6.5.4-24.0
Connected as CN=master-svc
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: shoot--i355448--shoot-elasticsearch-logging
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /root/sgconfig/
Will update 'sg/config' with /root/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /root/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /root/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /root/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success


On Monday, March 18, 2019 at 5:42:16 PM UTC+2, Search Guard wrote:

Did you run sgadmin after altering sg_roles.yml?

On 18.03.2019 at 16:40, k.zhel...@sap.com wrote:

Still the same message

On Monday, March 18, 2019 at 5:27:32 PM UTC+2, Search Guard wrote:

In sg_roles.yml try

sg_user:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*logstash-normal*':
      '*':
        - READ

On 18.03.2019 at 16:21, k.zhel...@sap.com wrote:

  • Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
  • JVM version and operating system version: 9
  • Search Guard configuration files

Hi. I would like to create a custom user which will be able to read the logs only from 1 index. I tried a lot of permissions, but when I run curl http://localhost:9200 --user user:<password>, I got:

{
  "error": {
    "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
    "root_cause": [
      {
        "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
        "type": "security_exception"
      }
    ],
    "type": "security_exception"
  },
  "status": 403
}

Can you tell me what is wrong with my configuration, please? Here are my sg_*.yml files.

The problem comes with the user "user" and the role "sg_user".


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/80313767-322a-4fbd-976f-59e1b91e3f9c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
<sg_action_group.yml><sg_config.yml><sg_internal_users.yml><sg_roles_mapping.yml><sg_roles.yml>


In the internal users yml:

user:
  hash: $2a$12$Sg4DNnD44579g8D.RJPQtuBacbLH817eVVlOPmHuYx5MS4Heay8TK

and in the roles mapping yml:

sg_user:
  users:
  - user
  readall: true

Mind the additional indirection between "backendroles" and "Search Guard roles" as explained here:

- Mapping users to Search Guard roles | Security for Elasticsearch | Search Guard
- Role mapping modes | Security for Elasticsearch | Search Guard
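How the 403s in this thread come about, as an added Python model that is not Search Guard's own code: a user is first mapped to Search Guard roles (the indirection described above), the role's action groups expand to action patterns, and an index-level action additionally requires the role's index pattern to match the concrete index name. The action-group expansions below are a constructed, simplified subset; the authoritative ones are in your own sg_action_groups.yml.

```python
import fnmatch

# Constructed, simplified expansion of the action groups used in the thread.
# The authoritative definitions live in your own sg_action_groups.yml.
ACTION_GROUPS = {
    "CLUSTER_MONITOR": ["cluster:monitor/*"],
    "CLUSTER_COMPOSITE_OPS_RO": ["indices:data/read/mget", "indices:data/read/msearch"],
    "READ": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
}

# The sg_roles.yml role suggested in the thread, as the dict a YAML loader yields.
ROLES = {
    "sg_user": {
        "cluster": ["CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS_RO"],
        "indices": {"*logstash-normal*": {"*": ["READ"]}},
    }
}

# sg_roles_mapping.yml: the Search Guard role is granted to the listed users.
# Only direct user mapping is modelled here; backendroles and hosts are omitted.
ROLES_MAPPING = {"sg_user": {"users": ["user"]}}


def expand(perms):
    """Replace action-group names by their action patterns; raw actions stay."""
    return [a for p in perms for a in ACTION_GROUPS.get(p, [p])]


def roles_for(user, mapping):
    """Search Guard roles the mapping grants to this user (empty if unmapped)."""
    return [r for r, m in mapping.items() if user in m.get("users", [])]


def check(user, action, index=None, roles=ROLES, mapping=ROLES_MAPPING):
    """Return 'allowed' or the 403 reason string in the form Search Guard reports."""
    granted = roles_for(user, mapping)
    for name in granted:
        role = roles.get(name, {})
        if index is None:  # cluster-level action, e.g. cluster:monitor/main
            allowed = expand(role.get("cluster", []))
        else:  # index-level action: the index pattern must match the index first
            allowed = [a for pat, types in role.get("indices", {}).items()
                       if fnmatch.fnmatchcase(index, pat)
                       for perms in types.values() for a in expand(perms)]
        if any(fnmatch.fnmatchcase(action, a) for a in allowed):
            return "allowed"
    return (f"no permissions for [{action}] and User "
            f"[name={user}, roles=[{','.join(granted)}], requestedTenant=null]")
```

An unmapped user ends up with roles=[], which is the exact reason string the second question further down this thread reports for the admin user; a role whose index pattern lost its wildcards (logstash-normal instead of *logstash-normal*) never matches the dated index name.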


Thanks a lot, it works.

Can you assist me with one more thing.

My index is called "logstash-normal-2019.03.18".

Why do I not get any logs when my role is:

roles:

sg_user:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*logstash-normal*':
      '*':
        - READ

Maybe I do not have enough permissions to read logs from the index?

I'm trying to read them from Kibana.

Your role definition looks good so far.

Any error message? What do you mean by "Why do I not get any logs ..."?


When I log in to Kibana with this user, I do not see any logs.

Maybe you need to adjust the time filter in the upper right corner.
And make sure you have the correct index pattern selected.
And be sure that there really are log entries in the index.


I do not have any checkboxes, filters and so on in Kibana. So maybe Kibana requires additional permissions, I think.

Add the sg_kibana_user role to all users which should be able to use Kibana.

See Installing the Search Guard Kibana Plugin | Security for Elasticsearch | Search Guard


On Monday, 18 March 2019 17:30:54 UTC+1, k…@…com… wrote:

With this update I got the following error in Kibana:

Discover: no permissions for [indices:data/read/search] and user [name=user, roles, requestedTenant=null]

Make sure you have access to all indices matching your index pattern.
Can you attach a screenshot?


I found that it works by adding "- indices:data/read/scroll" in the cluster permissions. Thanks for the help 🙂

So, I am using Elastic's official Elasticsearch image to run Elasticsearch version 6.7.2 and installing the Search Guard plugin version com.floragunn:search-guard-6:6.7.2-25.1 in the Dockerfile. Now the very same thing works when I tried it all with Elasticsearch version 7.0.1, but I get the error below if I run the Docker image which runs version 6.7.2.
Dockerfile can be found at

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/main] and User [name=admin, roles=[], requestedTenant=null]"
  },
  "status": 403
}

I tried to change the sg_roles_mapping.yml with the mentioned values, but sgadmin failed with the error below.
sg_roles_mapping.yml

sg_user:
  users:
    - admin:
    readall: true

sgadmin.sh error

Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml 
   FAIL: Configuration for 'rolesmapping' failed because of com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while parsing a block collection
 in 'reader', line 37, column 5:
        - admin:
        ^
expected <block end>, but found Key
 in 'reader', line 38, column 5:
        readall: true  
        ^

It looks like an issue with the format in which I am making the entry, but I was not able to resolve that.
One more thing: do I actually need to do this? Because I don't get any error if I try to do the same thing and install it on my Ubuntu machine and not in Docker.
Any help is appreciated.

The indentation of your roles_mapping.yml is not correct. Keep in mind that the yaml format is picky about the correct indentation:

sg_user:
  users:
    - admin:
    readall: true

The readall config key is not allowed in the roles mapping, only users, backendroles and hosts.

So either remove this entry and also the colon after admin:

sg_user:
  users:
    - admin

Or if you want to make the role mapping readonly, then it should read:

sg_user:
  readonly: true 
  users:
    - admin

So, I used the first format that is

sg_user:
  users:
    - admin

and ran sgadmin.bat, but I am getting the same error even after that, I mean while accessing the Elasticsearch cluster.
Again, I have the same question: things are working exactly as expected if I do the same thing with Elasticsearch version 7.0.2. So is there something wrong that I am doing, and because of that I have to change the role_mapping manually?

I am doing everything inside a docker container so I am changing the configuration file and then running the sgadmin.bat file from inside the container only.

Can you please post your Search Guard config files?

I have uploaded all the files here, but I would just like to highlight once again that

everything works if I install Elasticsearch 6.7.2 and the respective Search Guard plugin directly on my Ubuntu machine and not on Docker.

If you want to look at the Dockerfile I have mentioned the github repo in my previous comment, the one in 6.7 branch.
Thanks for helping me out with this.

sg_roles_mapping.yml (548 Bytes) sg_roles.yml (7.0 KB) sg_config.yml (11.2 KB) sg_action_groups.yml (2.3 KB) elasticsearch.yml.example (9.3 KB) sg_internal_users.yml (407 Bytes)

So, I somehow got Elasticsearch version 6.5.1 working with the respective Search Guard version, i.e. com.floragunn:search-guard-6:6.5.1-24.3.
But now the issue that I have is that I think I cannot provide the password as an environment variable while running the Docker image if Elasticsearch is being run as a Docker image, because that functionality is available only after Search Guard version 25, as mentioned here in this thread.

Is there a way to achieve the same in this version of Search Guard, or is it not possible in versions below 25?

So, here is the problem now: if I run an Elasticsearch version lower than 6.6, the respective Search Guard version would be lower than 25 and providing the password while running Docker images won't be possible, and if I run Elasticsearch version 6.6 or 6.7 and the respective Search Guard plugin, I get the issue that is mentioned here.