Not enough permissions for saving visualizations

Kosmonafft · November 10, 2020, 10:27am

Hi,

my question is related to this post: Grant Users Permission to Save Visualizations

What are the exact permission settings to enable my users to save their visualizations?

My Role is:

{
  "description": "test_role",
  "cluster_permissions": [
    "SGS_CLUSTER_ALL",
    "SGS_CLUSTER_COMPOSITE_OPS",
    "SGS_CLUSTER_COMPOSITE_OPS_RO",
    "SGS_CLUSTER_MONITOR",
    "cluster:monitor/main\""
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "index-**"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "SGS_INDICES_ALL",
        "SGS_INDICES_MONITOR",
        "SGS_READ",
        "SGS_SEARCH",
        "SGS_UNLIMITED",
        "SGS_WRITE",
        "indices:data/write/index"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "SGS_SIGNALS_ALL"
      ],
      "tenant_patterns": [
        "SGS_GLOBAL_TENANT"
      ]
    }
  ]
}

as you see I ended up granting all permissions available, but still the user is not able to save visualization. My testuser is mapped to the role test_role and SGS_KIBANA_USER

{ message: "no permissions for [indices:data/write/index] and User [name=testuser, backend_roles=[], requestedTenant=null]: [security_exception] no permissions for [indices:data/write/index] and User [name=testuser, backend_roles=[], requestedTenant=null]", statusCode: 403, error: "Forbidden" }

What am I doing wrong?

Thank you

Kosmonafft · November 10, 2020, 11:09am

Ok after I have added SGS_KIBANA_ALL_WRITE to my role’s tennant permissions it works now

{
  "description": "test_role",
  "cluster_permissions": [
    "SGS_CLUSTER_COMPOSITE_OPS",
    "SGS_CLUSTER_COMPOSITE_OPS_RO",
    "SGS_CLUSTER_MONITOR",
    "cluster:monitor/main\""
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "index-*"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "SGS_INDICES_MONITOR",
        "SGS_READ",
        "SGS_SEARCH",
        "SGS_UNLIMITED",
        "SGS_WRITE"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "SGS_KIBANA_ALL_WRITE",
        "SGS_SIGNALS_ALL"
      ],
      "tenant_patterns": [
        "SGS_GLOBAL_TENANT"
      ]
    }
  ]
}

Why do I need to configure tennant permissions if I did not activated the usage of tennant in the searchguard config?

srgbnd · November 10, 2020, 11:42am

Hi. The multitenancy is always there, even if you have it disabled. If you have it disabled, you have the default tenant context _main for all. That’s why adding the SGS_KIBANA_ALL_WRITE action group worked for you.

To save a visualization, you need access to the kibana.index which has the default value .kibana. Because Kibana saves its objects there. Put .kibana* in the index_permissions.index_patterns.

You can see all the single permissions assigned to an action group in the Search Guard configuration UI.

system · December 1, 2020, 11:42am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grant Users Permission to Save Visualizations Search Guard	3	906	July 9, 2019
Permissions for saving a search Search Guard	8	402	October 30, 2023
Permissions issue for tenant X Search Guard	12	524	April 25, 2022
how to create a user with a role that can access all indices and make his own dashboards in private Search Guard	1	618	June 15, 2018
Potential risks with giving indices:data/read/scroll* permission to all Search Guard	2	1281	February 4, 2019

Not enough permissions for saving visualizations

Related topics