Greetings everyone,
We are facing the issues below while configuring Search Guard.
Environment details:
OS: Ubuntu 14.04
Java: 1.8
ES: 5.6.8
Search Guard: 5-5.6.8-19
Cerebro: 0.7.3
Use-case:
Indexes: client1 & client2
Users: user1/2/3/4 and admin
We want to assign the permissions below:
user1 should have access only to the client1 index (read and write)
user2 should have access only to the client2 index (read and write)
user3 should have access only to the client1 index (read only)
user4 should have access only to the client2 index (read only)
admin should have access to both indexes (read and write)
Below are the entries we have made:
file: sg_internal_users.yml
user1:
  hash: $2a$12$i9OlhTub5HYc3sgUJD24QeEQPXPCr1CHz8EGB4KEHKZdaq4fWE8iW
  #password is: demo1
  roles:
    - sg_client1_read
    - sg_client1_write
user2:
  hash: $2a$12$Hrzo.FfsyXx6KxhqLZhlPeB62rKlTeBorWnzJCzp7c5HjeLTq07Yy
  #password is: demo2
  roles:
    - sg_client2_read
    - sg_client2_write
user3:
  hash: $2a$12$3Sg2KO3FyWVU/KZQ8oSVS.B10J2It0ffWFTMgUQ/Y0OsWN8BWueiq
  #password is: demo3
  roles:
    - sg_client1_read
user4:
  hash: $2a$12$3Sg2KO3FyWVU/KZQ8oSVS.B10J2It0ffWFTMgUQ/Y0OsWN8BWueiq
  #password is: demo4
  roles:
    - sg_client2_read
admin:
  hash: $2a$12$3Sg2KO3FyWVU/KZQ8oSVS.B10J2It0ffWFTMgUQ/Y0OsWN8BWueiq
  #password is: admin
  roles:
    - sg_client1_read
    - sg_client1_write
    - sg_client2_read
    - sg_client2_write
###########################
file: sg_roles.yml
# Read/Monitor/CRUD on all the indices and cluster wide
sg_our_admin:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - CRUD
# Read client1 indices only
sg_client1_read:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client1:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - RO
# Read client2 indices only
sg_client2_read:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client2:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - RO
# Write client1 indices only
sg_client1_write:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client1:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - WRITE
# Write client2 indices only
sg_client2_write:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client2:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - WRITE
#############################
file: sg_roles_mapping.yml
# Role Mappings
sg_our_admin:
  users:
    - admin
sg_client1_read:
  users:
    - user1
    - user3
sg_client2_read:
  users:
    - user2
    - user4
sg_client1_write:
  users:
    - user1
sg_client2_write:
  users:
    - user2
We reload the Search Guard config using the sgadmin.sh script and it loads all the roles and mappings successfully. But the moment we try to curl the specific index with the respective username and password we get an error:
"type":"security_exception","reason":"no permissions for [indices:monitor/stats]
This happens even though we have granted the monitor-related permissions (CLUSTER_MONITOR and INDICES_MONITOR). We are not clear how to achieve this.
Can someone enlighten us on this and tell us if we are approaching it in the wrong manner?
We have a couple of doubts:
- Is there a convention to assign roles with 'sg_' as a prefix, or can we use any name?
- What is a tenant for and what is its role?
Thank you in advance!
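An added example, not part of the original post and not Search Guard's own code: an offline least-privilege check that resolves each user's Search Guard roles through the posted sg_roles_mapping.yml, expands the index patterns and action groups from the posted sg_roles.yml, and compares the effective read/write access on client1 and client2 with the intended matrix from the use-case. The SG_ROLES and ROLE_MAPPING dicts are transcribed from the files above; the ACTION_GROUPS expansions are a simplified assumption standing in for what Search Guard actually reads from sg_action_groups.yml, and the Elasticsearch action names used for probing (indices:data/read/search, indices:data/write/index, indices:monitor/stats) are the standard ones. Run against the configuration as posted, the audit reports that user3 and user4 can write to their index, because the *_read roles grant INDICES_ALL alongside RO.

```python
"""Offline least-privilege check for the role set posted above.

Added example, not Search Guard code. SG_ROLES and ROLE_MAPPING are transcribed
from the poster's sg_roles.yml and sg_roles_mapping.yml; ACTION_GROUPS is a
simplified stand-in (assumption) for the expansions Search Guard reads from
sg_action_groups.yml, and INTENDED is the access matrix from the use-case.
"""
from fnmatch import fnmatchcase

# sg_roles.yml reduced to role -> index pattern -> action groups. The '*'
# document-type level is dropped because every entry in the post uses '*'.
SG_ROLES = {
    "sg_our_admin": {"*": ["CRUD"]},
    "sg_client1_read": {"?monitor*": ["INDICES_ALL"],
                        "client1": ["INDICES_MONITOR", "INDICES_ALL", "RO"]},
    "sg_client2_read": {"?monitor*": ["INDICES_ALL"],
                        "client2": ["INDICES_MONITOR", "INDICES_ALL", "RO"]},
    "sg_client1_write": {"?monitor*": ["INDICES_ALL"],
                         "client1": ["INDICES_MONITOR", "INDICES_ALL", "WRITE"]},
    "sg_client2_write": {"?monitor*": ["INDICES_ALL"],
                         "client2": ["INDICES_MONITOR", "INDICES_ALL", "WRITE"]},
}

# sg_roles_mapping.yml: Search Guard role -> user names
ROLE_MAPPING = {
    "sg_our_admin": ["admin"],
    "sg_client1_read": ["user1", "user3"],
    "sg_client2_read": ["user2", "user4"],
    "sg_client1_write": ["user1"],
    "sg_client2_write": ["user2"],
}

# ASSUMPTION: simplified action-group expansions as Elasticsearch action name
# patterns; the real definitions live in sg_action_groups.yml.
ACTION_GROUPS = {
    "RO": {"indices:data/read/*", "indices:monitor/*"},
    "WRITE": {"indices:data/write/*"},
    "CRUD": {"indices:data/read/*", "indices:data/write/*", "indices:monitor/*"},
    "INDICES_MONITOR": {"indices:monitor/*"},
    "INDICES_ALL": {"indices:*"},
}

# Intended access from the use-case: "r" = read only, "rw" = read and write.
INTENDED = {
    "user1": {"client1": "rw"},
    "user2": {"client2": "rw"},
    "user3": {"client1": "r"},
    "user4": {"client2": "r"},
    "admin": {"client1": "rw", "client2": "rw"},
}


def roles_for(user):
    """Search Guard roles a user receives through sg_roles_mapping.yml."""
    return sorted(role for role, users in ROLE_MAPPING.items() if user in users)


def is_permitted(user, index, action):
    """True if any of the user's roles grants `action` on `index`.

    Index patterns and action patterns are matched with shell-style wildcards,
    which is how '*' and '?' behave in the role definitions above.
    """
    for role in roles_for(user):
        for index_pattern, groups in SG_ROLES[role].items():
            if not fnmatchcase(index, index_pattern):
                continue
            for group in groups:
                if any(fnmatchcase(action, ap) for ap in ACTION_GROUPS[group]):
                    return True
    return False


def audit(user):
    """Compare effective read/write on each client index with INTENDED.

    Returns a list of (user, index, finding) tuples; an empty list means the
    configuration matches the intent for that user.
    """
    findings = []
    for index in ("client1", "client2"):
        intent = INTENDED[user].get(index, "")
        can_read = is_permitted(user, index, "indices:data/read/search")
        can_write = is_permitted(user, index, "indices:data/write/index")
        if can_read and "r" not in intent:
            findings.append((user, index, "read granted but not intended"))
        if can_write and "w" not in intent:
            findings.append((user, index, "write granted but not intended"))
        if "r" in intent and not can_read:
            findings.append((user, index, "read intended but not granted"))
        if "w" in intent and not can_write:
            findings.append((user, index, "write intended but not granted"))
    return findings


if __name__ == "__main__":
    for user in INTENDED:
        print(user, roles_for(user), audit(user) or "OK")
```

The check is deliberately independent of a running cluster, so it can be run on every change to the role files before sgadmin.sh pushes them. Note that it only models index-level permissions for the two client indices; it says nothing about cluster-level actions or about requests that target indices other than the one named in the curl.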