Permissions by index _type

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12

  • Modules : SSL, Multitenancy, LDAP

  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'idx-esb-*':
      'api':
        - READ

We get this error when opening Kibana Dashboard that has visualizations on all data of idx-esb-* , no data is loaded even data from '_type = api' (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for indices:data/read/search"}],"type":"security_exception","reason":"no permissions for indices:data/read/search"},"status":403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

  • error:{root_cause: [{type: "security_exception", reason: "no permissions for indices:data/read/search"}],…}
    • reason:"no permissions for indices:data/read/search"
    • root_cause:[{type: "security_exception", reason: "no permissions for indices:data/read/search"}]
    • type:"security_exception"
  • status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboard fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the whole index ?

Thank you for your help

Just to make sure I understood the problem completely:

  • The user has access to the index, but only to one specific doc type

  • The Dashboard contains visualizations from more than one doc type

  • Expectation would be that the data from the accessible doc type is visualized

  • And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

···

Hi Jochen,

Thank you for your reply. You seem to understand my issue

The dashboard objects use ‘idx-esb-*’ index pattern, however the search and visualizations contained in that dashboard have filter on _type field

Without going into the complexity of a dashboard : In Discovery Panel when I select idx-esb-* index pattern, I get the error below (screenshot attached) even when I apply a filter on _type field ‘_type:api’. My question is why Kibana doesn’t retrieve documents with api _type knowing that my user has READ rights on that _type.

Why does it need ‘index-level perm’ and is there a way to retrieve that data without giving the role READ access on ALL index documents and types

On Tuesday, November 14, 2017 at 8:27:15 PM UTC+1, Jochen Kressin wrote:

···

When I filter _type=api in Discover panel, Kibana issues this request :

POST https://kibana/elasticsearch/_msearch

{
    "index": ["idx-esb-*"],
    "ignore_unavailable": true,
    "preference": 1510740229217
}
{
    "version": true,
    "size": 500,
    "sort": [{
        "@timestamp": {
            "order": "desc",
            "unmapped_type": "boolean"
        }
    }],
    "query": {
        "bool": {
            "must": [{
                "query_string": {
                    "query": "_type:api",
                    "analyze_wildcard": true
                }
            },
            {
                "range": {
                    "@timestamp": {
                        "gte": 1510700400000,
                        "lte": 1510786799999,
                        "format": "epoch_millis"
                    }
                }
            }],
            "must_not": []
        }
    },
    "_source": {
        "excludes": []
    },
    "aggs": {
        "2": {
            "date_histogram": {
                "field": "@timestamp",
                "interval": "30m",
                "time_zone": "Europe/Berlin",
                "min_doc_count": 1
            }
        }
    },
    "stored_fields": ["*"],
    "script_fields": {},
    "docvalue_fields": ["@timestamp", "elapsed_timestamp_start"],
    "highlight": {
        "pre_tags": ["@kibana-highlighted-field@"],
        "post_tags": ["@/kibana-highlighted-field@"],
        "fields": {
            "*": {
                "highlight_query": {
                    "bool": {
                        "must": [{
                            "query_string": {
                                "query": "_type:api",
                                "analyze_wildcard": true,
                                "all_fields": true
                            }
                        },
                        {
                            "range": {
                                "@timestamp": {
                                    "gte": 1510700400000,
                                    "lte": 1510786799999,
                                    "format": "epoch_millis"
                                }
                            }
                        }],
                        "must_not": []
                    }
                }
            }
        },
        "fragment_size": 2147483647
    }
}

Response code : 200 OK

Response body :

{
    "responses": [{
        "error": {
            "root_cause": [{
                "type": "security_exception",
                "reason": "no permissions for indices:data/read/search"
            }],
            "type": "security_exception",
            "reason": "no permissions for indices:data/read/search"
        },
        "status": 403
    }]
}

On Wednesday, November 15, 2017 at 11:21:43 AM UTC+1, MASG wrote:

···
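Reading the PrivilegesEvaluator line from this thread field by field shows which part of the role's grant did not match. The following is an added example, not part of the original thread and not Search Guard's code: a simplified model that assumes index, type and action patterns are matched as shell-style wildcards, that READ expands as in Search Guard's default action groups, and that an `_msearch` header without a `type` key is evaluated as type `*` (which is what the log line reports).

```python
import re
from fnmatch import fnmatchcase

# Log line copied from the thread (Search Guard PrivilegesEvaluator).
LOG_LINE = (
    "[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for "
    "User [name=datareader_api, roles=] "
    "[IndexType [index=idx-esb-2017-s2, type=*]] "
    "[Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]"
)

# _msearch header line from the thread: it names an index pattern but no type.
MSEARCH_HEADER = {"index": ["idx-esb-*"], "ignore_unavailable": True,
                  "preference": 1510740229217}

# Role from the thread: role -> index pattern -> type pattern -> permissions.
ROLES = {"DATAREADER_API": {"idx-esb-*": {"api": ["READ"]}}}

# Assumption: READ expands as in Search Guard's default action groups.
ACTION_GROUPS = {"READ": ["indices:data/read*",
                          "indices:admin/mappings/fields/get*"]}

DENIAL_RE = re.compile(
    r"No index-level perm match for "
    r"User \[name=(?P<user>[^,\]]+), roles=(?P<backend_roles>[^\]]*)\] "
    r"\[IndexType \[index=(?P<index>[^,\]]+), type=(?P<type>[^\]]+)\]\] "
    r"\[Action \[(?P<action>[^\]]+)\]\] "
    r"\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)


def parse_denial(line):
    """Split a 'No index-level perm match' line into its fields, or None."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["roles"] = [r.strip() for r in fields["roles"].split(",") if r.strip()]
    return fields


def requested_types(msearch_header):
    """Types named in an _msearch header; none named is treated as '*'."""
    named = msearch_header.get("type") or msearch_header.get("types")
    if not named:
        return ["*"]
    return [named] if isinstance(named, str) else list(named)


def expand(perms):
    """Replace action-group names by the action patterns they stand for."""
    patterns = []
    for perm in perms:
        patterns.extend(ACTION_GROUPS.get(perm, [perm]))
    return patterns


def explain(denial, roles=ROLES):
    """For each grant of each checked role, list which parts of the
    (index, type, action) triple failed to match; [] means a full match."""
    findings = []
    for role in denial["roles"]:
        for index_pat, types in roles.get(role, {}).items():
            for type_pat, perms in types.items():
                failed = []
                if not fnmatchcase(denial["index"], index_pat):
                    failed.append("index")
                if not fnmatchcase(denial["type"], type_pat):
                    failed.append("type")
                if not any(fnmatchcase(denial["action"], a) for a in expand(perms)):
                    failed.append("action")
                findings.append((role, index_pat, type_pat, failed))
    return findings


if __name__ == "__main__":
    denial = parse_denial(LOG_LINE)
    print("requested types from the header:", requested_types(MSEARCH_HEADER))
    for role, index_pat, type_pat, failed in explain(denial):
        verdict = "match" if not failed else "no match on " + ", ".join(failed)
        print(f"{role}: grant {index_pat}/{type_pat} -> {verdict}")
    # Same triple, but with the type the role actually grants (model only).
    print(explain(dict(denial, type="api")))
```

The `_type:api` filter sits in the query body, so it never enters the (index, type, action) triple that the log line reports; the index and action match the grant and only the requested type `*` does not.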

Hi all,

Any help ?

Did I miss something on index types based permissions ?

:slight_smile:

On Wednesday, November 15, 2017 at 11:51:19 AM UTC+1, MASG wrote:

···

I will look into this, pls. stay tuned

On 16.11.2017 at 14:14, MASG <twitter@rise-it.co.uk> wrote:

···

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e63ab75d-0b9e-4643-8cdb-adf4f2197586%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi Team,

Even I have the same issue when user tries to access timelion plugin. The users are restricted based on the doc type. When I checked the audit-log for the users I could see missing privileges for “indices:data/read/get” and “indices:data/read/search”.

But the permissions are enabled for the user for both ?kibana* and elasticsearch index.

I experience this issue only when I access timelion but discover and other visualization are working.

ES : 5.5

SG 5.5

Kibana multi-tenancy enabled.

Hello,

I have exactly the same problem. Did you fix the issue please?

On Thursday, November 16, 2017 at 18:10:57 UTC+1, Search Guard wrote:

···
