no permissions for indices

i am using

search-guard-6:6.4.2-23.1

Elasticsearch 6.4.2

kibana 6.4.2

search-guard-kibana-plugin 6.4.2-15

OS centos7.5

i install searchguard demo configuration as stated in this link, i follow the link thoroughly.

https://sematext.com/blog/elasticsearch-kibana-security-search-guard/

when i login to kibana using the searchguard with kibanaserver user and try to use the dev tools and search like below

GET _search
{
“query”: {
“match_all”: {}
}
}

``

i receive the following error

{
“error”: {
“root_cause”: [
{
“type”: “security_exception”,
“reason”: “no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=, requestedTenant=null]”
}
],
“type”: “security_exception”,
“reason”: “no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=, requestedTenant=null]”
},
“status”: 403
}

``

even i cannot create any index

PUT myindex

``

and result is below

{
“error”: {
“root_cause”: [
{
“type”: “security_exception”,
“reason”: “no permissions for [indices:admin/create] and User [name=kibanaserver, roles=, requestedTenant=null]”
}
],
“type”: “security_exception”,
“reason”: “no permissions for [indices:admin/create] and User [name=kibanaserver, roles=, requestedTenant=null]”
},
“status”: 403
}

``

the strange thing is that even if i login as admin/admin, i would see the same error mentioning
[name=kibanaserver, roles=[]

``

what
is the problem? how can i assign proper permissions? i thought the default demo configurations will do that for me. can somebody guide me please?

the last some lines from elasticsearch.log file are below

[2018-10-10T15:21:36,048][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/mappings/get]
[2018-10-10T15:21:36,052][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[], isAll()=true, isEmpty()=false] [Action [indices:admin/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:21:36,052][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/get]
[2018-10-10T15:22:36,762][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[], isAll()=true, isEmpty()=false] [Action [indices:admin/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:22:36,763][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/get]
[2018-10-10T15:22:36,766][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[], isAll()=true, isEmpty()=false] [Action [indices:admin/mappings/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:22:36,766][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/mappings/get]
[2018-10-10T15:23:10,637][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=, requestedTenant=null] Resolved [aliases=, indices=[myindex], allIndices=[myindex], types=[], isAll()=false, isEmpty()=false] [Action [indices:admin/create]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:23:10,637][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/create]
[2018-10-10T15:23:37,312][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=[], requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[], isAll()=true, isEmpty()=false] [Action [indices:admin/mappings/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:23:37,313][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/mappings/get]
[2018-10-10T15:23:37,313][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=[], requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[], isAll()=true, isEmpty()=false] [Action [indices:admin/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:23:37,314][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/get]
[2018-10-10T15:24:38,014][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=[], requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[], isAll()=true, isEmpty()=false] [Action [indices:admin/mappings/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:24:38,015][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/mappings/get]
[2018-10-10T15:24:38,015][INFO
][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=[], requestedTenant=null] Resolved [aliases=[], indices=[], allIndices=[], types=[*], isAll()=true, isEmpty()=false] [Action [indices:admin/get]] [RolesChecked [sg_own_index, sg_kibana_server]]
[2018-10-10T15:24:38,015][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:admin/get]

sg_action_groups.yml (2.31 KB)

sg_config.yml (9.4 KB)

sg_internal_users.yml (1.05 KB)

sg_roles.yml (6.33 KB)

sg_roles_mapping.yml (548 Bytes)

Are you using the kibanaserver user for logging in to Kibana? If so - that is not the correct. The kibanaserver user is only there for Kibana to make health check and maintenance requests. This is a Kibana built-in functionality.

If you want to set up a Kibana user (as opposed to the Kibana server user), you need to:

a) assign the built-in sg_kibana_user role to this user. This will grant the minimum permission set for the user to access Kibana

b) assign permissions to indices the user should have access to. For example, the built-in sg_readall role will grant read-only access to all indices

Finally, for Kibana usage you should set the “don’t fail on forbidden” flag to true in sg_config.yml:

searchguard:
dynamic:
kibana:
do_not_fail_on_forbidden: true

``

This makes sure that in case a user does not have access to all indices for a given request, only the accessible indices/results are returned.