No permissions for sg_anonymous for cluster:monitor/health

Good evening,

I am having an error when giving permissions for sg_anonymous users to access cluster:monitor/health. The idea is that all users that are not authenticated match sg_anonymous with sg_anonymous_backendrole and can have access to the resource cluster:monitor/health.

*In sg_config.yml file, I have allowed anonymous authentication

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true

*In sg_roles_mapping.yml file, I have added

sg_anonymous:
  backendroles:
    - sg_anonymous_backendrole

*In sg_roles.yml file, I have added

sg_anonymous:
  cluster:
    - CLUSTER_MONITOR
    - cluster:monitor/health
  indices:
    'public':
      '*':
        - READ

*In sg_action_groups.yml file, I am referring to

CLUSTER_MONITOR:
  readonly: true
  permissions:
    - "cluster:monitor/*"

With the configuration shown above, I still get the error when trying to access the resource https://host_name:9200/_cluster/health

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=sg_anonymous, roles=[sg_anonymous_backendrole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=sg_anonymous, roles=[sg_anonymous_backendrole], requestedTenant=null]"},"status":403}

The log error files are the following ones:

[2018-10-11T09:27:28,323][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=sg_anonymous, roles=[sg_anonymous_backendrole], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], isAll()=true, isEmpty()=false] [Action [cluster:monitor/health]] [RolesChecked [sg_own_index]]
[2018-10-11T09:27:28,323][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [cluster:monitor/health]

Thanks in advance for your help with this issue.

So while the configuration seems fine at first glance, the sg_anonymous user does not get assigned to the sg_anonymous role:

[2018-10-11T09:27:28,323][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=sg_anonymous, roles=[sg_anonymous_backendrole], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], isAll()=true, isEmpty()=false] [Action [cluster:monitor/health]] [RolesChecked [sg_own_index]]

The user does have the backend role sg_anonymous_backendrole:

[name=sg_anonymous, roles=[sg_anonymous_backendrole]


But then the user just has the sg_own_index role:

[RolesChecked [sg_own_index]]

However, your roles mapping looks legit:

sg_anonymous:
  backendroles:
    - sg_anonymous_backendrole

Can you double check that the configuration has been applied correctly, and that the indentation regarding the roles mapping is correct?



On Thursday, October 11, 2018 at 10:11:49 PM UTC+2, Julian Norato wrote:
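Added example, not part of the thread and not Search Guard code: the comparison the reply makes by eye (backend roles in the log line versus the roles listed in RolesChecked) as a small script. The log line and role mapping are copied from the thread; the function names and the regular expression are assumptions made for this illustration.

```python
import re

# Log line copied from the thread (Search Guard PrivilegesEvaluator, INFO level).
SAMPLE_LOG = (
    "[2018-10-11T09:27:28,323][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for "
    "User [name=sg_anonymous, roles=[sg_anonymous_backendrole], requestedTenant=null] "
    "Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], isAll()=true, isEmpty()=false] "
    "[Action [cluster:monitor/health]] [RolesChecked [sg_own_index]]"
)

# Role mapping as posted in the thread: Search Guard role -> backend roles.
ROLES_MAPPING = {"sg_anonymous": ["sg_anonymous_backendrole"]}

# Hypothetical pattern written for the log format shown above.
LINE_RE = re.compile(
    r"User \[name=(?P<user>[^,\]]+), roles=\[(?P<backend>[^\]]*)\].*?"
    r"\[Action \[(?P<action>[^\]]+)\]\] \[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)

def _split(csv):
    """Turn 'a, b' into {'a', 'b'}; an empty list yields an empty set."""
    return {item.strip() for item in csv.split(",") if item.strip()}

def parse_denial(line):
    """Extract user, backend roles, action and evaluated roles, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"user": m["user"], "backend_roles": _split(m["backend"]),
            "action": m["action"], "roles_checked": _split(m["checked"])}

def unapplied_mappings(line, mapping):
    """Roles the mapping file should grant that the evaluator never checked."""
    denial = parse_denial(line)
    if denial is None:
        return set()
    expected = {role for role, backends in mapping.items()
                if denial["backend_roles"] & set(backends)}
    return expected - denial["roles_checked"]

if __name__ == "__main__":
    print(parse_denial(SAMPLE_LOG))
    print("mapped but not evaluated:", unapplied_mappings(SAMPLE_LOG, ROLES_MAPPING))
```

A non-empty result means the running cluster is not using the mapping shown in the file, which is the condition the reply asks to double check.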