Permissions help: tenants can't save (searches/vis./etc)

When asking questions, please provide the following information:

  • Search guard 6.2 ES 6.2

  • Enterprise Tenants module in use

  • JVM 1.8, Ubuntu 16 OS

I am having issues letting non-admin users save their searches or visualizations, and probably other things. I hadn’t noticed because my admin users had done most of my testing until now. I am guessing I just don’t know the correct permissions to add, but the documentation has me confused. It seems to indicate that sg_kibana_user would give the minimum requirements. Then the kibana module says you don’t need to add things other than the user’s specific index they need access to (which they can read just fine). Yet I still can’t save anything. The error I get in Kibana is as follows:

Discover: Service Unavailable

Error: Service Unavailable
    at https://dc1kibana1.private.sec:5601/bundles/commons.bundle.js?v=16588:1:303041
    at processQueue (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:132456)
    at https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:133349
    at Scope.$digest (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:144239)
    at Scope.$apply (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:147018)
    at done (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:100026)
    at completeRequest (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:104697)
    at XMLHttpRequest.xhr.onload (https://dc1kibana1.private.sec:5601/bundles/vendors.bundle.js?v=16588:58:105435)

Here are the relevant sections as far as I can tell:

```yaml
sg_kibana_user:
  readonly: true
  cluster:
    - "MONITOR"
    - "CLUSTER_COMPOSITE_OPS"
  indices:
    '?kibana':
      '*':
        - "MANAGE"
        - "INDEX"
        - "READ"
        - "DELETE"
    '*':
      '*':
        - "indices:data/read/field_caps*"

sg_project1:
  indices:
    p1-*:
      '*':
        - "READ"
        - "SEARCH"
  tenants:
    project1: "RW"

sg_project1_admin:
  cluster:
    - "UNLIMITED"
  indices:
    p1-*:
      '*':
        - "UNLIMITED"
    '*':
      '*':
        - "MONITOR"
        - "indices:admin/get"
  tenants:
    project1: "RW"
```

So above, a sg_project1_admin user can edit indexes, and has no problems when acting in the tenant to save anything. Users who are only in the sg_project1 group get the tenant, and can see the saved objects, but cannot make them. I would like to restrict these users from being able to actually edit the indexes they can access, but I assumed they would have write access to the .kibana-xxxx-project1 tenant one.

Side note, I have been trying to find debug logs so perhaps I could see what permission is actually being denied. I have set:

```
logger.action.name = org.elasticsearch.action
logger.action.level = debug
logger.searchguard.name = com.floragunn
logger.searchguard.level = debug
```

and yet when I tail my logs I see Search Guard logging when it first comes up, but I do not see anything when I attempt this save. Is there something I am missing so I could find out the permission that is needed without needing to bug you here?

Well, I guess I should have posted sooner. I realized that I have upgraded from older versions to the 6.2 version. During that, the defined roles are not updated automatically. I saw that the sg_kibana_server now had more/different permissions in the default configuration than what mine has. I have replaced mine with the following:

```yaml
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
```

and now my tenants all work correctly. Somewhat strange, I actually don’t even have them in the sg_kibana_user role, and yet they seem to be working. Not sure if someone could clarify if that is needed for something I haven’t seen yet?

···

Somewhat strange, I actually don’t even have them in the sg_kibana_user role, and yet they seem to be working. Not sure if someone could clarify if that is needed for something I haven’t seen yet?

Can you please post all of your sg_*.yml files which are currently deployed? Then I maybe can clarify this.

···

On Friday, 13 April 2018 15:46:15 UTC+2, Brian Sanders wrote:

Well, I guess I should have posted sooner. I realized that I have upgraded from older versions to the 6.2 version. During that, the defined roles are not updated automatically. I saw that the sg_kibana_server now had more/different permissions in the default configuration than what mine has. I have replaced mine with the following:

```yaml
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
```

and now my tenants all work correctly. Somewhat strange, I actually don’t even have them in the sg_kibana_user role, and yet they seem to be working. Not sure if someone could clarify if that is needed for something I haven’t seen yet?
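The fix in this thread came from noticing that a role carried over an upgrade no longer matched the shipped default. The following is an added example, not part of the original posts or of Search Guard itself, that reports such drift between a deployed role set and a baseline. Roles are shown as already-parsed dictionaries; `flatten`, `role_drift` and the `DEPLOYED` sample are hypothetical names and constructed data, and the baseline is the sg_kibana_server role quoted above.

```python
# Added example: compare deployed Search Guard roles against a baseline
# (for instance the defaults shipped with the installed version).
# In practice both dicts would be loaded from sg_roles.yml files with a YAML parser.

def flatten(role):
    """Turn one role definition into a set of (scope, name, doc_type, grant) tuples."""
    grants = {("cluster", "", "", p) for p in role.get("cluster", [])}
    for index, types in role.get("indices", {}).items():
        for doc_type, perms in types.items():
            grants |= {("index", index, doc_type, p) for p in perms}
    for tenant, mode in role.get("tenants", {}).items():
        grants.add(("tenant", tenant, "", mode))
    return grants

def role_drift(deployed, baseline):
    """For each baseline role, list grants missing from or extra in the deployed set."""
    report = {}
    for name, base_role in baseline.items():
        have = flatten(deployed.get(name, {}))  # a role absent from deployed has no grants
        want = flatten(base_role)
        if have != want:
            report[name] = {"missing": sorted(want - have),
                            "extra": sorted(have - want)}
    return report

# Baseline: the sg_kibana_server role quoted in the thread.
BASELINE = {"sg_kibana_server": {
    "readonly": True,
    "cluster": ["CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS",
                "cluster:admin/xpack/monitoring*", "indices:admin/template*"],
    "indices": {"?kibana": {"*": ["INDICES_ALL"]},
                "?reporting*": {"*": ["INDICES_ALL"]},
                "?monitoring*": {"*": ["INDICES_ALL"]}},
}}

# Constructed sample of a role left over from before an upgrade (not from the thread).
DEPLOYED = {"sg_kibana_server": {
    "readonly": True,
    "cluster": ["CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS"],
    "indices": {"?kibana": {"*": ["INDICES_ALL"]}},
}}

if __name__ == "__main__":
    for role, diff in role_drift(DEPLOYED, BASELINE).items():
        for grant in diff["missing"]:
            print(f"{role}: missing {grant}")
        for grant in diff["extra"]:
            print(f"{role}: extra   {grant}")
```

Grants reported as extra deserve the same review as missing ones, since a role that kept broader permissions than the current default is a least-privilege regression rather than a functional one.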