Still using 7.10.2-53.1.0 we’re faced with the following Kibana issue: users with tenant permissions SGS_KIBANA_ALL_WRITE and role SGS_KIBANA_USER can’t save searches in tenant:
no permissions for [indices:admin/mapping/auto_put]
Saving Views and Dashboards is fine
April 4, 2023, 6:12am
Does the log provide some more context? Possibly some index information?
[security_exception]: no permissions for [indices:admin/mapping/auto_put] and User fwernli <openid> [requestedTenant=dirac-test]
No cluster-level perm match for User fwernli <openid> [requestedTenant=dirac-test] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=, remoteIndices=, localAll=true, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=true, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [cluster:admin:searchguard:authtoken/_own/search]] [RolesChecked [lsst_query_human, active_directory_human, ccin2p3, cta_query_human, egi_fg_dirac_query_human, grafana_admin, diractest_admin, egi_fg_dirac_admin, lsst_admin, SGS_KIBANA_USER, nids_admin, nids_query]]
I just realised the Elasticsearch log entry has no connection to the event. It’s just there because, as it happens, we don’t give the SGS_OWN_INDEX permission. So in fact there doesn’t seem to be a log entry in ES.
In fact, here is the correct log entry:
No index-level perm match for User fwernli <openid> [requestedTenant=dirac-test] Resolved [aliases=, indices=[.kibana_904155696_diractest_2], allIndices=[.kibana_904155696_diractest_2], types=[*], originalRequested=[.kibana_904155696_diractest_2], remoteIndices=, localAll=false, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [indices:admin/mapping/auto_put]] [RolesChecked [ccin2p3, egi_fg_dirac_query_human, egi_fg_dirac_admin, lsst_admin, SGS_OWN_INDEX, lsst_query_human, active_directory_human, cta_query_human, grafana_admin, diractest_admin, SGS_KIBANA_USER, nids_admin, nids_query]]
April 12, 2023, 8:02am
Sorry for the delay; just wanted to say that we are still looking into this. Will update you asap.
April 12, 2023, 8:46am
One more question: For what index are you trying to create the saved search? .kibana_904155696_diractest_2 or another index?
The index name .kibana_904155696_diractest_2 is a bit confusing as its name does not really fit the pattern of Kibana indices (the _2 suffix does not fit the scheme). Thus, multi-tenancy rules are not effective for that index.
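To make the "does not fit the scheme" remark concrete, here is an added example (not from this thread or from Search Guard's own code) that computes the per-tenant Kibana index name Search Guard multi-tenancy would generate and classifies an index name against it. It assumes the scheme `<kibana index>_<Java String.hashCode of the tenant>_<tenant lowercased with non [a-z0-9] stripped>`; under that assumption the hash of `dirac-test` is 904155696, which is consistent with the index name quoted above.

```python
import re


def java_hash_code(s: str) -> int:
    """Reproduce Java's String.hashCode(): h = 31*h + unit over UTF-16 code
    units, wrapped to a signed 32-bit int (so the result can be negative)."""
    h = 0
    data = s.encode("utf-16-be")
    for i in range(0, len(data), 2):
        h = (31 * h + ((data[i] << 8) | data[i + 1])) & 0xFFFFFFFF
    return h - 0x1_0000_0000 if h >= 0x8000_0000 else h


def tenant_index_name(tenant: str, kibana_index: str = ".kibana") -> str:
    """Assumed tenant index scheme: <kibana index>_<hashCode>_<sanitized tenant>."""
    sanitized = re.sub(r"[^a-z0-9]+", "", tenant.lower())
    return f"{kibana_index}_{java_hash_code(tenant)}_{sanitized}"


def classify(index_name: str, tenant: str, kibana_index: str = ".kibana") -> str:
    """'tenant'       -> exactly the name multi-tenancy generates for this tenant
    'other-tenant' -> follows the scheme, but for a different tenant
    'unmanaged'    -> does not follow the scheme at all, so tenant rules do not
                      apply and ordinary index permissions decide the outcome."""
    if index_name == tenant_index_name(tenant, kibana_index):
        return "tenant"
    scheme = re.compile(re.escape(kibana_index) + r"_-?\d+_[a-z0-9]+$")
    return "other-tenant" if scheme.match(index_name) else "unmanaged"


if __name__ == "__main__":
    # Constructed sample names; the second one is the index from this thread.
    for name in (".kibana_904155696_diractest", ".kibana_904155696_diractest_2", ".kibana_1"):
        print(f"{name}: {classify(name, 'dirac-test')}")
```

The `_2` suffix makes the regular expression fail, which is the "unmanaged" case: the request is then checked only against the roles' plain index permissions, matching the "No index-level perm match" log line above.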
yes, that’s the one. I have no idea why it’s called that as kibana created it.
Also, I worked around the problem by creating the index-pattern using a privileged user. Now the original user can create new index patterns.
April 18, 2023, 11:52am
Just to double check that we are not talking about two different things
Did you want to create a saved search searching the index .kibana_904155696_diractest_2 or another one?
yes the idea was to create a saved search, sorry for the confusion.
April 18, 2023, 12:42pm
But, when creating the saved search, would you like to search inside the index .kibana_904155696_diractest_2 or inside another index?
(Sorry for the repeated questions, but I kind of have the feeling that we are talking about different things.)
The idea is to create a saved search in .kibana.* and then to search another index (for which there are no permission problems whatsoever).
April 20, 2023, 6:12am
So far, we have trouble reproducing it. Is this issue occurring for you regularly or just in special cases?
it just happened for this tenant, so I’m guessing this is a corner case - don’t spend too much time on it as we have a workaround
May 11, 2023, 7:09am
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.