Hi,
Still using 7.10.2-53.1.0 we’re faced with the following kibana issue: users with tenant permissions SGS_KIBANA_ALL_WRITE and role SGS_KIBANA_USER can’t save searches in tenant X:
no permissions for [indices:admin/mapping/auto_put]
Saving Views and Dashboards is fine
nils
April 4, 2023, 6:12am
2
Does the log provide some more context? Possibly some index information?
Kibana log:
[security_exception]: no permissions for [indices:admin/mapping/auto_put] and User fwernli <openid> [requestedTenant=dirac-test]
Kibana UI:
Elasticsearch log:
No cluster-level perm match for User fwernli <openid> [requestedTenant=dirac-test] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[], localAll=true, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=true, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [cluster:admin:searchguard:authtoken/_own/search]] [RolesChecked [lsst_query_human, active_directory_human, ccin2p3, cta_query_human, egi_fg_dirac_query_human, grafana_admin, diractest_admin, egi_fg_dirac_admin, lsst_admin, SGS_KIBANA_USER, nids_admin, nids_query]]
I just realised the elasticsearch log entry has no connection to the event.
It’s just there because as it happens we don’t give the SGS_OWN_INDEX permission. So in fact there doesn’t seem to be a log entry in ES
in fact here is the correct log entry:
No index-level perm match for User fwernli <openid> [requestedTenant=dirac-test] Resolved [aliases=[], indices=[.kibana_904155696_diractest_2], allIndices=[.kibana_904155696_diractest_2], types=[*], originalRequested=[.kibana_904155696_diractest_2], remoteIndices=[], localAll=false, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [indices:admin/mapping/auto_put]] [RolesChecked [ccin2p3, egi_fg_dirac_query_human, egi_fg_dirac_admin, lsst_admin, SGS_OWN_INDEX, lsst_query_human, active_directory_human, cta_query_human, grafana_admin, diractest_admin, SGS_KIBANA_USER, nids_admin, nids_query]]
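Added example, not part of the original posts and not Search Guard code: a small Python filter that picks, from Elasticsearch log lines shaped like the ones quoted above, only the denials whose action matches the one in the Kibana error, which separates the unrelated cluster-level entry from the relevant index-level one. The sample lines and the user, tenant, index and role names in them are constructed.

```python
import re

# Shape of the Search Guard denial lines quoted in this thread.
DENIAL = re.compile(
    r"No (?P<level>cluster|index)-level perm match for User (?P<user>\S+)"
    r".*?\[requestedTenant=(?P<tenant>[^\]]*)\]"
    r".*?\bindices=\[(?P<indices>[^\]]*)\]"
    r".*\[Action \[(?P<action>[^\]]+)\]\]"
    r"\s*\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def _split(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]

def parse_denial(line):
    """Return the fields of one denial line, or None if it is not one."""
    m = DENIAL.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["indices"] = _split(fields["indices"])
    fields["roles"] = _split(fields["roles"])
    return fields

def denials_for(lines, user, action):
    """Keep only the denials for this user whose action matches the UI error."""
    parsed = (parse_denial(line) for line in lines)
    return [d for d in parsed if d and d["user"] == user and d["action"] == action]

# Constructed sample input (not taken from a real cluster).
_OPTS = "indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true]"
SAMPLE_LOG = [
    "No cluster-level perm match for User alice <openid> [requestedTenant=tenant-x] "
    "Resolved [aliases=[*], indices=[*], allIndices=[*], localAll=true, " + _OPTS + "] "
    "[Action [cluster:admin:searchguard:authtoken/_own/search]] "
    "[RolesChecked [team_admin, SGS_KIBANA_USER]]",
    "No index-level perm match for User alice <openid> [requestedTenant=tenant-x] "
    "Resolved [aliases=[], indices=[.kibana_123456789_tenantx_2], "
    "allIndices=[.kibana_123456789_tenantx_2], localAll=false, " + _OPTS + "] "
    "[Action [indices:admin/mapping/auto_put]] "
    "[RolesChecked [team_admin, SGS_OWN_INDEX, SGS_KIBANA_USER]]",
    "[INFO ] unrelated line that is not a denial",
]

if __name__ == "__main__":
    for d in denials_for(SAMPLE_LOG, "alice", "indices:admin/mapping/auto_put"):
        print(d["level"], d["tenant"], d["indices"], d["roles"])
```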
nils
April 12, 2023, 8:02am
6
Sorry for the delay; just wanted to say that we are still looking into this. Will update you asap.
nils
April 12, 2023, 8:46am
7
One more question: For what index are you trying to create the saved search?
Is it .kibana_904155696_diractest_2 or another index?
The index name .kibana_904155696_diractest_2 is a bit confusing as its name does not really fit the pattern of kibana indices (the _2 suffix does not fit the scheme). Thus, multi-tenancy rules are not effective for that index.
yes, that’s the one. I have no idea why it’s called that as kibana created it.
Also, I worked around the problem by creating the index-pattern using a privileged user. Now the original user can create new index patterns.
nils
April 18, 2023, 11:52am
9
Just to double check that we are not talking about two different things:
Did you want to create a saved search searching the index .kibana_904155696_diractest_2 or another one?
yes the idea was to create a saved search, sorry for the confusion.
nils
April 18, 2023, 12:42pm
11
But, when creating the saved search, would you like to search inside the index .kibana_904155696_diractest_2 or inside another index?
(Sorry for the repeated questions, but I kind of have the feeling that we are talking about different things)
The idea is to create a saved search in .kibana.* and then to search another index (for which there are no permission problems whatsoever)
nils
April 20, 2023, 6:12am
13
So far, we have trouble reproducing it. Is this issue occurring for you regularly or just in special cases?
it just happened for this tenant, so I’m guessing this is a corner case - don’t spend too much time on it as we have a workaround