No permissions for [indices:data/read/field_caps] and User [name=kibanaserver, roles=[], requestedT]

  • Search Guard 6.0.0 + Elasticsearch 6.0.0

  • openjdk 1.8.0 and CentOS 6.8

  • Search Guard configuration files

cluster.name: my-es

node.name: node-0

path.data: /data/es

path.logs: /data/es/logs

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 127.0.0.1

http.port: 9200

discovery.type: single-node

discovery.zen.ping.unicast.hosts: [“127.0.0.1”]

discovery.zen.minimum_master_nodes: 1

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: mypass

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: mypass

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: mypass

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: mypass

searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=Test, C=de
  • Elasticsearch log messages on debug level

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null, attributes={}] [IndexType [index=logstash-, type=]] [Action [[indices:data/read/field_caps]]] [RolesChecked [sg_kibana_server, sg_own_index]]

[INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=logstash-, type=]], sg_kibana_server=[IndexType [index=logstash-, type=]]}

···

I can login in Kibana with search guard. I use kibanaserver to login. However, the red bar on the top shows

I tried to find any related answers about it. But no luck…that’s why i am asking around here. Wish to hear some good leads…thanks…

The kibanaserver user/role is not suitable for regular Kibana user. It’s used by Kibana “under the hood” to perform management tasks / health checks etc.

Regular Kibana users should have the role sg_kibana_user, this role has the required field_caps permissions set. In addition to this role, also assign permissions to the indices the user should have access to.

See also section “Configuring Elasticsearch: Adding Kibana users” in http://docs.search-guard.com/latest/kibana-plugin-installation

···

On Thursday, December 7, 2017 at 4:49:46 PM UTC+1, CuriousOne wrote:

  • Search Guard 6.0.0 + Elasticsearch 6.0.0
  • openjdk 1.8.0 and CentOS 6.8
  • Search Guard configuration files

cluster.name: my-es

node.name: node-0

path.data: /data/es

path.logs: /data/es/logs

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

network.host: 127.0.0.1

http.port: 9200

discovery.type: single-node

discovery.zen.ping.unicast.hosts: [“127.0.0.1”]

discovery.zen.minimum_master_nodes: 1

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: mypass

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: mypass

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: mypass

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: mypass

searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=Test, C=de
  • Elasticsearch log messages on debug level

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null, attributes={}] [IndexType [index=logstash-, type=]] [Action [[indices:data/read/field_caps]]] [RolesChecked [sg_kibana_server, sg_own_index]]

[INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=logstash-, type=]], sg_kibana_server=[IndexType [index=logstash-, type=]]}


I can login in Kibana with search guard. I use kibanaserver to login. However, the red bar on the top shows

I tried to find any related answers about it. But no luck…that’s why i am asking around here. Wish to hear some good leads…thanks…