When asking questions, please provide the following information:
- Search guard 6.2 ES 6.2
- Enterprise Tenants module in use
- JVM 1.8, Ubuntu 16 OS

I am having issues letting non-admin users save their searches or visualizations, and probably other things. I hadn’t noticed because my admin users had done most of my testing until now. I am guessing I just don’t know the correct permissions to add, but the documentation has me confused. It seems to indicate that sg_kibana_user would give the minimum requirements. Then the kibana module says you don’t need to add things other than the user’s specific index they need access to (which they can read just fine). Yet I still can’t save anything. The error I get in Kibana is as follows:

```
Discover: Service Unavailable
Error: Service Unavailable
    at https://dc1kibana1.private.sec:5601/bundles/commons.bundle.js?v=16588:1:303041
    at processQueue (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:132456)
    at https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:133349
    at Scope.$digest (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:144239)
    at Scope.$apply (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:147018)
    at done (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:100026)
    at completeRequest (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:104697)
    at XMLHttpRequest.xhr.onload (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:105435)
```

Here are the relevant sections as far as I can tell:

```yaml
sg_kibana_user:
  readonly: true
  cluster:
    - "MONITOR"
    - "CLUSTER_COMPOSITE_OPS"
  indices:
    '?kibana':
      '*':
        - "MANAGE"
        - "INDEX"
        - "READ"
        - "DELETE"
    '*':
      '*':
        - "indices:data/read/field_caps*"

sg_project1:
  indices:
    p1-*:
      '*':
        - "READ"
        - "SEARCH"
  tenants:
    project1: "RW"

sg_project1_admin:
  cluster:
    - "UNLIMITED"
  indices:
    p1-*:
      '*':
        - "UNLIMITED"
    '*':
      '*':
        - "MONITOR"
        - "indices:admin/get"
  tenants:
    project1: "RW"
```

So above, a sg_project1_admin user can edit indexes, and has no problems when acting in the tenant to save anything. Users who are only in the sg_project1 group get the tenant, and can see the saved objects, but cannot make them. I would like to restrict these users from being able to actually edit the indexes they can access, but I assumed they would have write access to the .kibana-xxxx-project1 tenant one.

Side note, I have been trying to find debug logs so perhaps I could see what permission is actually being denied. I have set:

```
logger.action.name = org.elasticsearch.action
logger.action.level = debug
logger.searchguard.name = com.floragunn
logger.searchguard.level = debug
```

and yet when I tail my logs I see Search Guard logging when it first comes up, but I do not see anything when I attempt this save. Is there something I am missing so I could find out the permission that is needed without needing to bug you here?