Permissions by index _type

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12

  • Modules : SSL, Multitenancy, LDAP

  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'idx-esb-*':
  'api':
    - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ‘’_type = api’ (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”}],“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”},“status”:403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

  1. error:{root_cause: [{type: “security_exception”, reason: “no permissions for indices:data/read/search”}],…}
  2. reason:“no permissions for indices:data/read/search”
  3. root_cause:[{type: “security_exception”, reason: “no permissions for indices:data/read/search”}]
  4. type:“security_exception”
  5. status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help

Just to make sure I understood the problem completely:

  • The user has access to the index, but only to one specific doc type

  • The Dashboard contains visualizations from more than one doc type

  • Expectation would be that the data from the accessible doc type is visualized

  • And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

···

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12
  • Modules : SSL, Multitenancy, LDAP
  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'idx-esb-*':
  'api':
    - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ‘’_type = api’ (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”}],“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”},“status”:403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

  1. error:{root_cause: [{type: “security_exception”, reason: “no permissions for indices:data/read/search”}],…}
  2. reason:“no permissions for indices:data/read/search”
  3. root_cause:[{type: “security_exception”, reason: “no permissions for indices:data/read/search”}]
  4. type:“security_exception”
  5. status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help

Hi Jochen,

Thank you for your reply. You seem to understand my issue

The dashboard objects use ‘idx-esb-*’ index pattern, however the search and visualizations contained in that dashboard have filter on _type field

Without going into the complexity of a dashboard : In Discovery Panel when I select idx-esb-* index pattern, I get the error bellow (screenshot attached) even when I apply a filter on _type field ‘_type:api’. My question is why Kibana doesn’t retrieve documents with api _type knowing that my user has READ rights on that _type.

Why does it need ‘index-level perm’ and is there a way to retrieve that data without giving the role READ access on ALL index documents and types

···

On Tuesday, November 14, 2017 at 8:27:15 PM UTC+1, Jochen Kressin wrote:

Just to make sure I understood the problem completely:

  • The user has access to the index, but only to one specific doc type
  • The Dashboard contains visualizations from more than one doc type
  • Expectation would be that the data from the accessible doc type is visualized
  • And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12
  • Modules : SSL, Multitenancy, LDAP
  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'idx-esb-*':
  'api':
    - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ‘’_type = api’ (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”}],“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”},“status”:403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

  1. error:{root_cause: [{type: “security_exception”, reason: “no permissions for indices:data/read/search”}],…}
  2. reason:“no permissions for indices:data/read/search”
  3. root_cause:[{type: “security_exception”, reason: “no permissions for indices:data/read/search”}]
  4. type:“security_exception”
  5. status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help

When I filter _type=api in Discover panel, Kibana issues this request :

POST https://kibana/elasticsearch/_msearch

{
“index”: [“idx-esb-"],
“ignore_unavailable”: true,
“preference”: 1510740229217
}{
“version”: true,
“size”: 500,
“sort”: [{
@timestamp”: {
“order”: “desc”,
“unmapped_type”: “boolean”
}
}],
“query”: {
“bool”: {
“must”: [{
“query_string”: {
“query”: “_type:api”,
“analyze_wildcard”: true
}
},
{
“range”: {
@timestamp”: {
“gte”: 1510700400000,
“lte”: 1510786799999,
“format”: “epoch_millis”
}
}
}],
“must_not”: []
}
},
“_source”: {
“excludes”: []
},
“aggs”: {
“2”: {
“date_histogram”: {
“field”: “@timestamp”,
“interval”: “30m”,
“time_zone”: “Europe/Berlin”,
“min_doc_count”: 1
}
}
},
“stored_fields”: ["
”],
“script_fields”: {

},
"docvalue_fields": ["@timestamp",
"elapsed_timestamp_start"],
"highlight": {
    "pre_tags": ["@kibana-highlighted-field@"],
    "post_tags": ["@/kibana-highlighted-field@"],
    "fields": {
        "*": {
            "highlight_query": {
                "bool": {
                    "must": [{
                        "query_string": {
                            "query": "_type:api",
                            "analyze_wildcard": true,
                            "all_fields": true
                        }
                    },
                    {
                        "range": {
                            "@timestamp": {
                                "gte": 1510700400000,
                                "lte": 1510786799999,
                                "format": "epoch_millis"
                            }
                        }
                    }],
                    "must_not": []
                }
            }
        }
    },
    "fragment_size": 2147483647
} 

}

Response code : 200 OK

Response body :

{
“responses”: [{
“error”: {
“root_cause”: [{
“type”: “security_exception”,
“reason”: “no permissions for indices:data/read/search”
}],
“type”: “security_exception”,
“reason”: “no permissions for indices:data/read/search”
},
“status”: 403
}]
}

···

On Wednesday, November 15, 2017 at 11:21:43 AM UTC+1, MASG wrote:

Hi Jochen,

Thank you for your reply. You seem to understand my issue

The dashboard objects use ‘idx-esb-*’ index pattern, however the search and visualizations contained in that dashboard have filter on _type field

Without going into the complexity of a dashboard : In Discovery Panel when I select idx-esb-* index pattern, I get the error bellow (screenshot attached) even when I apply a filter on _type field ‘_type:api’. My question is why Kibana doesn’t retrieve documents with api _type knowing that my user has READ rights on that _type.

Why does it need ‘index-level perm’ and is there a way to retrieve that data without giving the role READ access on ALL index documents and types

On Tuesday, November 14, 2017 at 8:27:15 PM UTC+1, Jochen Kressin wrote:

Just to make sure I understood the problem completely:

  • The user has access to the index, but only to one specific doc type
  • The Dashboard contains visualizations from more than one doc type
  • Expectation would be that the data from the accessible doc type is visualized
  • And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12
  • Modules : SSL, Multitenancy, LDAP
  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'idx-esb-*':
  'api':
    - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ‘’_type = api’ (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”}],“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”},“status”:403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

  1. error:{root_cause: [{type: “security_exception”, reason: “no permissions for indices:data/read/search”}],…}
  2. reason:“no permissions for indices:data/read/search”
  3. root_cause:[{type: “security_exception”, reason: “no permissions for indices:data/read/search”}]
  4. type:“security_exception”
  5. status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help

Hi all,

Any help ?

Did I miss something on index types based permissions ?

:slight_smile:

···

On Wednesday, November 15, 2017 at 11:51:19 AM UTC+1, MASG wrote:

When I filter _type=api in Discover panel, Kibana issues this request :

POST https://kibana/elasticsearch/_msearch

{
“index”: [“idx-esb-"],
“ignore_unavailable”: true,
“preference”: 1510740229217
}{
“version”: true,
“size”: 500,
“sort”: [{
@timestamp”: {
“order”: “desc”,
“unmapped_type”: “boolean”
}
}],
“query”: {
“bool”: {
“must”: [{
“query_string”: {
“query”: “_type:api”,
“analyze_wildcard”: true
}
},
{
“range”: {
@timestamp”: {
“gte”: 1510700400000,
“lte”: 1510786799999,
“format”: “epoch_millis”
}
}
}],
“must_not”: []
}
},
“_source”: {
“excludes”: []
},
“aggs”: {
“2”: {
“date_histogram”: {
“field”: “@timestamp”,
“interval”: “30m”,
“time_zone”: “Europe/Berlin”,
“min_doc_count”: 1
}
}
},
“stored_fields”: ["
”],
“script_fields”: {

},
"docvalue_fields": ["@timestamp",
"elapsed_timestamp_start"],
"highlight": {
    "pre_tags": ["@kibana-highlighted-field@"],
    "post_tags": ["@/kibana-highlighted-field@"],
    "fields": {
        "*": {
            "highlight_query": {
                "bool": {
                    "must": [{
                        "query_string": {
                            "query": "_type:api",
                            "analyze_wildcard": true,
                            "all_fields": true
                        }
                    },
                    {
                        "range": {
                            "@timestamp": {
                                "gte": 1510700400000,
                                "lte": 1510786799999,
                                "format": "epoch_millis"
                            }
                        }
                    }],
                    "must_not": []
                }
            }
        }
    },
    "fragment_size": 2147483647
} 

}

Response code : 200 OK

Response body :

{
“responses”: [{
“error”: {
“root_cause”: [{
“type”: “security_exception”,
“reason”: “no permissions for indices:data/read/search”
}],
“type”: “security_exception”,
“reason”: “no permissions for indices:data/read/search”
},
“status”: 403
}]
}

On Wednesday, November 15, 2017 at 11:21:43 AM UTC+1, MASG wrote:

Hi Jochen,

Thank you for your reply. You seem to understand my issue

The dashboard objects use ‘idx-esb-*’ index pattern, however the search and visualizations contained in that dashboard have filter on _type field

Without going into the complexity of a dashboard : In Discovery Panel when I select idx-esb-* index pattern, I get the error bellow (screenshot attached) even when I apply a filter on _type field ‘_type:api’. My question is why Kibana doesn’t retrieve documents with api _type knowing that my user has READ rights on that _type.

Why does it need ‘index-level perm’ and is there a way to retrieve that data without giving the role READ access on ALL index documents and types

On Tuesday, November 14, 2017 at 8:27:15 PM UTC+1, Jochen Kressin wrote:

Just to make sure I understood the problem completely:

  • The user has access to the index, but only to one specific doc type
  • The Dashboard contains visualizations from more than one doc type
  • Expectation would be that the data from the accessible doc type is visualized
  • And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12
  • Modules : SSL, Multitenancy, LDAP
  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'idx-esb-*':
  'api':
    - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ‘’_type = api’ (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”}],“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”},“status”:403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

  1. error:{root_cause: [{type: “security_exception”, reason: “no permissions for indices:data/read/search”}],…}
  2. reason:“no permissions for indices:data/read/search”
  3. root_cause:[{type: “security_exception”, reason: “no permissions for indices:data/read/search”}]
  4. type:“security_exception”
  5. status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help

I will into this, pls. stay tuned

···

Am 16.11.2017 um 14:14 schrieb MASG <twitter@rise-it.co.uk>:

Hi all,

Any help ?
Did I miss something on index types based permissions ?

:slight_smile:

On Wednesday, November 15, 2017 at 11:51:19 AM UTC+1, MASG wrote:
When I filter _type=api in Discover panel, Kibana issues this request :

POST https://kibana/elasticsearch/_msearch
{

"index": ["idx-esb-*"],

"ignore_unavailable": true,

"preference": 1510740229217
}{

"version": true,

"size": 500,

"sort": [{

"@timestamp": {

"order": "desc",

"unmapped_type": "boolean"

}

}],

"query": {

"bool": {

"must": [{

"query_string": {

"query": "_type:api",

"analyze_wildcard": true

}

},

{

"range": {

"@timestamp": {

"gte": 1510700400000,

"lte": 1510786799999,

"format": "epoch_millis"

}

}

}],

"must_not":

}

},

"_source": {

"excludes":

},

"aggs": {

"2": {

"date_histogram": {

"field": "@timestamp",

"interval": "30m",

"time_zone": "Europe/Berlin",

"min_doc_count": 1

}

}

},

"stored_fields": ["*"],

"script_fields": {

},

"docvalue_fields": ["@timestamp",

"elapsed_timestamp_start"],

"highlight": {

"pre_tags": ["@kibana-highlighted-field@"],

"post_tags": ["@/kibana-highlighted-field@"],

"fields": {

"*": {

"highlight_query": {

"bool": {

"must": [{

"query_string": {

"query": "_type:api",

"analyze_wildcard": true,

"all_fields": true

}

},

{

"range": {

"@timestamp": {

"gte": 1510700400000,

"lte": 1510786799999,

"format": "epoch_millis"

}

}

}],

"must_not":

}

}

}

},

"fragment_size": 2147483647

}
}

Response code : 200 OK
Response body :
{

"responses": [{

"error": {

"root_cause": [{

"type": "security_exception",

"reason": "no permissions for indices:data/read/search"

}],

"type": "security_exception",

"reason": "no permissions for indices:data/read/search"

},

"status": 403

}]
}

On Wednesday, November 15, 2017 at 11:21:43 AM UTC+1, MASG wrote:
Hi Jochen,

Thank you for your reply. You seem to understand my issue

The dashboard objects use 'idx-esb-*' index pattern, however the search and visualizations contained in that dashboard have filter on _type field

Without going into the complexity of a dashboard : In Discovery Panel when I select idx-esb-* index pattern, I get the error bellow (screenshot attached) even when I apply a filter on _type field '_type:api'. My question is why Kibana doesn't retrieve documents with api _type knowing that my user has READ rights on that _type.

Why does it need 'index-level perm' and is there a way to retrieve that data without giving the role READ access on ALL index documents and types

On Tuesday, November 14, 2017 at 8:27:15 PM UTC+1, Jochen Kressin wrote:
Just to make sure I understood the problem completely:

* The user has access to the index, but only to one specific doc type
* The Dashboard contains visualizations from more than one doc type
* Expectation would be that the data from the accessible doc type is visualized
* And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

Hi Everyone

* ES 5.4.0 and SG 5-5.4.0-12
* Modules : SSL, Multitenancy, LDAP
* openjdk version "1.8.0_131"

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc
We defined one role that has read permissions on only one type of the index :

DATAREADER_API:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'idx-esb-*':
      'api':
        - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ''_type = api' (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for indices:data/read/search"}],"type":"security_exception","reason":"no permissions for indices:data/read/search"},"status":403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :
  • error:{root_cause: [{type: "security_exception", reason: "no permissions for indices:data/read/search"}],…}
    • reason:"no permissions for indices:data/read/search"
    • root_cause:[{type: "security_exception", reason: "no permissions for indices:data/read/search"}]
    • type:"security_exception"
  • status:403
In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e63ab75d-0b9e-4643-8cdb-adf4f2197586%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi Team,

Even I have the same issue when user tries to access timelion plugin. The users are restricted based on the doc type. When I checked the audit-log for the users I could see missing privileges for “indices:data/read/get” and “indices:data/read/search”.

But the permission are enabled for the user for both ?kibana* and elasticsearch index.

I experience this issue only when I access timilion but discover and other visualization are working.

ES : 5.5

SG 5.5

Kibana multi-tenancy enabled.

Hello,

I have exactly the same problem. Did you fix the issue please?

···

Le jeudi 16 novembre 2017 18:10:57 UTC+1, Search Guard a écrit :

I will into this, pls. stay tuned

Am 16.11.2017 um 14:14 schrieb MASG twi...@rise-it.co.uk:

Hi all,

Any help ?

Did I miss something on index types based permissions ?

:slight_smile:

On Wednesday, November 15, 2017 at 11:51:19 AM UTC+1, MASG wrote:

When I filter _type=api in Discover panel, Kibana issues this request :

POST https://kibana/elasticsearch/_msearch

{

“index”: [“idx-esb-*”],

“ignore_unavailable”: true,

“preference”: 1510740229217

}{

“version”: true,

“size”: 500,

“sort”: [{

@timestamp”: {

“order”: “desc”,

“unmapped_type”: “boolean”

}

}],

“query”: {

“bool”: {

“must”: [{

“query_string”: {

“query”: “_type:api”,

“analyze_wildcard”: true

}

},

{

“range”: {

@timestamp”: {

“gte”: 1510700400000,

“lte”: 1510786799999,

“format”: “epoch_millis”

}

}

}],

“must_not”:

}

},

“_source”: {

“excludes”:

},

“aggs”: {

“2”: {

“date_histogram”: {

“field”: “@timestamp”,

“interval”: “30m”,

“time_zone”: “Europe/Berlin”,

“min_doc_count”: 1

}

}

},

“stored_fields”: ["*"],

“script_fields”: {

},

“docvalue_fields”: ["@timestamp",

“elapsed_timestamp_start”],

“highlight”: {

“pre_tags”: ["@kibana-highlighted-field@"],

“post_tags”: ["@/kibana-highlighted-field@"],

“fields”: {

“*”: {

“highlight_query”: {

“bool”: {

“must”: [{

“query_string”: {

“query”: “_type:api”,

“analyze_wildcard”: true,

“all_fields”: true

}

},

{

“range”: {

@timestamp”: {

“gte”: 1510700400000,

“lte”: 1510786799999,

“format”: “epoch_millis”

}

}

}],

“must_not”:

}

}

}

},

“fragment_size”: 2147483647

}
}

Response code : 200 OK

Response body :

{

“responses”: [{

“error”: {

“root_cause”: [{

“type”: “security_exception”,

“reason”: “no permissions for indices:data/read/search”

}],

“type”: “security_exception”,

“reason”: “no permissions for indices:data/read/search”

},

“status”: 403

}]

}

On Wednesday, November 15, 2017 at 11:21:43 AM UTC+1, MASG wrote:

Hi Jochen,

Thank you for your reply. You seem to understand my issue

The dashboard objects use ‘idx-esb-*’ index pattern, however the search and visualizations contained in that dashboard have filter on _type field

Without going into the complexity of a dashboard : In Discovery Panel when I select idx-esb-* index pattern, I get the error bellow (screenshot attached) even when I apply a filter on _type field ‘_type:api’. My question is why Kibana doesn’t retrieve documents with api _type knowing that my user has READ rights on that _type.

Why does it need ‘index-level perm’ and is there a way to retrieve that data without giving the role READ access on ALL index documents and types

On Tuesday, November 14, 2017 at 8:27:15 PM UTC+1, Jochen Kressin wrote:

Just to make sure I understood the problem completely:

  • The user has access to the index, but only to one specific doc type
  • The Dashboard contains visualizations from more than one doc type
  • Expectation would be that the data from the accessible doc type is visualized
  • And the other Visualizations which contain data from unaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And, do you have Visualizations that contain data from more than one doc type? Means, accessible and unaccessible data in one Visualization?

On Tuesday, November 14, 2017 at 5:17:34 PM UTC+1, MASG wrote:

Hi Everyone

  • ES 5.4.0 and SG 5-5.4.0-12
  • Modules : SSL, Multitenancy, LDAP
  • openjdk version “1.8.0_131”

We have configured different roles that have read permissions on different types of one index

On indices idx-esb-* we have defined several document _types : api, proxy, etc

We defined one role that has read permissions on only one type of the index :

DATAREADER_API:

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'idx-esb-*':
  'api':
    - READ

We get this error when opening Kibana Dashbord that has visualizations on all data of idx-esb-* , no data is loaded even data from ‘’_type = api’ (user datareader_api having role DATAREADER_API) :

Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”}],“type”:“security_exception”,“reason”:“no permissions for indices:data/read/search”},“status”:403}

Request issued by Kibana : POST https://kibana/elasticsearch/_msearch retrieves status code 200 OK with response body :

    • error:{root_cause: [{type: "security_exception", reason: "no permissions for indices:data/read/search"}],…}
            • reason:"no permissions for indices:data/read/search"
            • root_cause:[{type: "security_exception", reason: "no permissions for indices:data/read/search"}]
            • type:"security_exception"
    • status:403

In Elasticsearch we get this error :

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on api _type but the dashboad fails to load data with this _type whereas we have enabled : searchguard.dynamic.kibana.do_not_fail_on_forbidden : true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the wole index ?

Thank you for your help


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e63ab75d-0b9e-4643-8cdb-adf4f2197586%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.