No permissions for [indices:admin/mapping/auto_put]

Hi,

Still using 7.10.2-53.1.0, we're faced with the following Kibana issue: users with tenant permission SGS_KIBANA_ALL_WRITE and role SGS_KIBANA_USER can't save searches in tenant X:

no permissions for [indices:admin/mapping/auto_put]

Saving views and dashboards is fine.

Does the log provide some more context? Possibly some index information?

Kibana log:

[security_exception]: no permissions for [indices:admin/mapping/auto_put] and User fwernli <openid> [requestedTenant=dirac-test]

Kibana UI: [screenshot]

Elasticsearch log:

No cluster-level perm match for User fwernli <openid> [requestedTenant=dirac-test] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[], localAll=true, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=true, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [cluster:admin:searchguard:authtoken/_own/search]] [RolesChecked [lsst_query_human, active_directory_human, ccin2p3, cta_query_human, egi_fg_dirac_query_human, grafana_admin, diractest_admin, egi_fg_dirac_admin, lsst_admin, SGS_KIBANA_USER, nids_admin, nids_query]]

I just realised the Elasticsearch log entry has no connection to the event.
It's just there because, as it happens, we don't give the SGS_OWN_INDEX permission. So in fact there doesn't seem to be a log entry in ES.

In fact, here is the correct log entry:

No index-level perm match for User fwernli <openid> [requestedTenant=dirac-test] Resolved [aliases=[], indices=[.kibana_904155696_diractest_2], allIndices=[.kibana_904155696_diractest_2], types=[*], originalRequested=[.kibana_904155696_diractest_2], remoteIndices=[], localAll=false, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [indices:admin/mapping/auto_put]] [RolesChecked [ccin2p3, egi_fg_dirac_query_human, egi_fg_dirac_admin, lsst_admin, SGS_OWN_INDEX, lsst_query_human, active_directory_human, cta_query_human, grafana_admin, diractest_admin, SGS_KIBANA_USER, nids_admin, nids_query]]

Sorry for the delay; just wanted to say that we are still looking into this. Will update you asap.

One more question: For what index are you trying to create the saved search?

Is it .kibana_904155696_diractest_2 or another index?

The index name .kibana_904155696_diractest_2 is a bit confusing as its name does not really fit the pattern of kibana indices (the _2 suffix does not fit the scheme). Thus, multi-tenancy rules are not effective for that index.
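To make the naming remark above checkable, here is an added example (my own code, not from the thread and not Search Guard's implementation) that reproduces the tenant index naming scheme and runs it over the Elasticsearch log entry posted earlier. The numeric part is Java's String.hashCode of the tenant name, which is verifiable here: "dirac-test" hashes to 904155696, exactly the number in the index name. The second part is assumed to be the tenant name lowercased with non-alphanumeric characters removed (an assumption about the scheme; it yields "diractest" either way). The log line embedded below is the one quoted in the thread; the verdict "suffixed" for the trailing "_2" reflects the reply's point that such a name does not fit the pattern the multi-tenancy rules match on.

```python
import re

KIBANA_INDEX = ".kibana"  # base index that Search Guard derives tenant indices from


def java_string_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + c over the string's code units,
    wrapped to a signed 32-bit int. ord() equals the UTF-16 code unit for
    BMP characters, which covers realistic tenant names."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def tenant_index_name(tenant: str) -> str:
    """Expected tenant index: .kibana_<hashCode(tenant)>_<sanitized tenant>.
    Assumption: sanitizing = lowercase, drop everything outside [a-z0-9]."""
    sanitized = re.sub(r"[^a-z0-9]+", "", tenant.lower())
    return f"{KIBANA_INDEX}_{java_string_hash(tenant)}_{sanitized}"


# Generic shape of a tenant index (hash may be negative in Java).
TENANT_INDEX_RE = re.compile(r"^\.kibana_(-?\d+)_([a-z0-9]+)$")


def classify_index(index: str, tenant: str) -> str:
    """Explain how an index name relates to the tenant in the request."""
    expected = tenant_index_name(tenant)
    if index == expected:
        return "tenant-index"          # what the MT rules expect for this tenant
    if index.startswith(expected + "_"):
        return "suffixed"              # e.g. "_2": the thread says this breaks the scheme
    if TENANT_INDEX_RE.match(index):
        return "other-tenant"          # a tenant index, but not for this tenant
    return "not-tenant-index"


# Field extraction from a Search Guard "No ... perm match" log line.
# "\bindices=" is case-sensitive, so it skips allIndices/remoteIndices.
TENANT_RE = re.compile(r"requestedTenant=([^\]]+)\]")
INDICES_RE = re.compile(r"\bindices=\[([^\]]*)\]")
ACTION_RE = re.compile(r"\[Action \[([^\]]+)\]\]")


def check_log_line(line: str) -> dict:
    """Pull tenant, action and resolved indices out of the log entry and
    classify each index against the tenant's expected index name."""
    tenant = TENANT_RE.search(line).group(1)
    action = ACTION_RE.search(line).group(1)
    raw = INDICES_RE.search(line).group(1)
    indices = [i.strip() for i in raw.split(",") if i.strip()]
    return {
        "tenant": tenant,
        "action": action,
        "indices": indices,
        "verdicts": {i: classify_index(i, tenant) for i in indices},
    }


# Sample input: the Elasticsearch log entry quoted in the thread (copied, not invented).
SAMPLE_LOG = (
    "No index-level perm match for User fwernli <openid> [requestedTenant=dirac-test] "
    "Resolved [aliases=[], indices=[.kibana_904155696_diractest_2], "
    "allIndices=[.kibana_904155696_diractest_2], types=[*], "
    "originalRequested=[.kibana_904155696_diractest_2], remoteIndices=[], localAll=false, "
    "indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, "
    "expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, "
    "allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, "
    "ignore_throttled=false]] [Action [indices:admin/mapping/auto_put]] "
    "[RolesChecked [ccin2p3, SGS_OWN_INDEX, diractest_admin, SGS_KIBANA_USER]]"
)

if __name__ == "__main__":
    print(tenant_index_name("dirac-test"))
    print(check_log_line(SAMPLE_LOG))
```

Running it shows the expected index for tenant "dirac-test" is `.kibana_904155696_diractest`, while the index the request actually resolved to carries the extra `_2` and is reported as "suffixed". The same check applied to your other tenants tells you quickly whether any of them have drifted away from the naming scheme.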

Yes, that's the one. I have no idea why it's called that, as Kibana created it.
Also, I worked around the problem by creating the index-pattern using a privileged user. Now the original user can create new index patterns.

Just to double check that we are not talking about two different things 🙂

Did you want to create a saved search searching the index .kibana_904155696_diractest_2 or another one?

Yes, the idea was to create a saved search; sorry for the confusion.

But, when creating the saved search, would you like to search inside the index .kibana_904155696_diractest_2 or inside another index?

(Sorry for the repeated questions, but I kind of have the feeling that we are talking about different things 🙂)

The idea is to create a saved search in .kibana.* and then to search another index (for which there are no permission problems whatsoever)

So far, we have trouble reproducing it. Is this issue occurring for you regularly or just in special cases?

It just happened for this tenant, so I'm guessing this is a corner case. Don't spend too much time on it, as we have a workaround.
