Permissions issue for tenant X

Hi again,

Using ES 7.10.2-53.0.0 and Kibana 7.10.2-51.0.0 I’m having a permissions issue.
User has following role:

        X_admin:
          tenant_permissions:
            - tenant_patterns:
              - X
              allowed_actions:
              - SGS_KIBANA_ALL_WRITE
          cluster_permissions:
            - SGS_CLUSTER_COMPOSITE_OPS
          index_permissions:
            - index_patterns:
                - 'X-*'
              allowed_actions:
                - SGS_INDICES_ALL

User can save dashboards and visualisations, but not searches:


And the corresponding server log entry:

No permissions for [cluster:admin:searchguard:authtoken/_own/search

I see there are these two static action_groups that provide this permission: SGS_CREATE_MANAGE_OWN_AUTH_TOKEN and SGS_MANAGE_ALL_AUTH_TOKEN. I'm guessing saving a search requires creating a token somehow under the hood?

Actually, the auth token feature is completely unrelated to managing searches. I would think that the error message in the logs is just coincidentally logged. Can you check your logs for other items that might be related?

I guess you're right, there is nothing server-side, although I'm not sure on which node the error message ends up.

In the client log (kibana) I see:

GET /api/saved_objects/_find?fields=title&per_page=10&search=%22s%22&search_fields=title&type=search 200 25ms - 9.0B
[security_exception]: no permissions for [indices:admin/mapping/auto_put] and User faxmodem <openid> [requestedTenant=X]
POST /api/saved_objects/search?overwrite=true 403 40ms - 9.0B

The message regarding indices:admin/mapping/auto_put could be an important hint. It seems that Kibana is trying to create a new index here. Just wondering, what index that might be :thinking:

Could you check the ES logs, whether there is more information?

If not, could you raise the log level for com.floragunn.searchguard.privileges to DEBUG? See here for details on that:

Just one general thought: Does the user have the role SGS_KIBANA_USER? If not, can you try to assign the role to the user?

The user does have the SGS_KIBANA_USER role, as reported by the top-left icon

In the ES logs, I get the initial error pasted above consistently. Here it is again:

{"type": "server", "timestamp": "2022-03-31T14:45:41,795+02:00", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "foo", "node.name": "node42", "message": "No index-level perm match for User faxmodem <openid> [requestedTenant=X] Resolved [aliases=[], indices=[.kibana_98832_X_3], allIndices=[.kibana_98832_X_3], types=[*], originalRequested=[.kibana_98832_X_3], remoteIndices=[], localAll=false, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [indices:admin/mapping/auto_put]] [RolesChecked [long_list_of_roles, SGS_KIBANA_USER, X_admin]]", "cluster.uuid": "EfB5NmrLQWefQYzeb1_Zpg", "node.id": "Qi0Rbj7FQEaZWAEVIr604A"  }
{"type": "server", "timestamp": "2022-03-31T14:45:41,797+02:00", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "foo", "node.name": "node42", "message": "No permissions for [indices:admin/mapping/auto_put]", "cluster.uuid": "EfB5NmrLQWefQYzeb1_Zpg", "node.id": "Qi0Rbj7FQEaZWAEVIr604A"  }

There isn't much activity on the cluster, so I'm pretty sure this error message is indeed caused by trying to save a search in Kibana.

BTW, saving in the “Global” tenant works as expected

I switched on DEBUG and, apart from seeing a big haystack, I haven't found the needle yet.
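Finding the needle in that haystack is mostly a matter of pulling the structured fields (user, requested tenant, resolved indices, action, roles checked) out of the PrivilegesEvaluator messages and grouping the denials. The script below is an added example and not part of this thread or of Search Guard itself; it parses the JSON log lines quoted above (embedded as sample input, together with two constructed filler lines) using a regular expression built from the message layout shown in the post. The field names it relies on (indices=[...], [Action [...]], [RolesChecked [...]]) are assumed to be stable across versions; the hypothetical function names are mine.

```python
import json
import re
from typing import Optional

# Sample input: the two PrivilegesEvaluator lines quoted in the thread, plus two
# constructed lines (one unrelated JSON entry, one non-JSON line) to show filtering.
SAMPLE_LOG_LINES = [
    '{"type": "server", "timestamp": "2022-03-31T14:45:41,795+02:00", "level": "INFO", '
    '"component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "foo", "node.name": "node42", '
    '"message": "No index-level perm match for User faxmodem <openid> [requestedTenant=X] '
    'Resolved [aliases=[], indices=[.kibana_98832_X_3], allIndices=[.kibana_98832_X_3], '
    'types=[*], originalRequested=[.kibana_98832_X_3], remoteIndices=[], localAll=false, '
    'indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true]] '
    '[Action [indices:admin/mapping/auto_put]] '
    '[RolesChecked [long_list_of_roles, SGS_KIBANA_USER, X_admin]]", '
    '"cluster.uuid": "EfB5NmrLQWefQYzeb1_Zpg", "node.id": "Qi0Rbj7FQEaZWAEVIr604A"  }',
    '{"type": "server", "timestamp": "2022-03-31T14:45:41,797+02:00", "level": "INFO", '
    '"component": "c.f.s.p.PrivilegesEvaluator", "cluster.name": "foo", "node.name": "node42", '
    '"message": "No permissions for [indices:admin/mapping/auto_put]", '
    '"cluster.uuid": "EfB5NmrLQWefQYzeb1_Zpg", "node.id": "Qi0Rbj7FQEaZWAEVIr604A"  }',
    # constructed: an unrelated entry and a non-JSON line, both must be ignored
    '{"type": "server", "timestamp": "2022-03-31T14:45:42,000+02:00", "level": "INFO", '
    '"component": "o.e.c.m.MetadataCreateIndexService", "message": "[x-logs] creating index"}',
    'garbage line that is not JSON at all',
]

# Regex over the "No index-level perm match" message. Uses \bindices= so that the
# allIndices= and remoteIndices= fields in the same message are not matched.
_DENIAL_RE = re.compile(
    r"No index-level perm match for User (?P<user>\S+) <(?P<backend>[^>]*)> "
    r"\[requestedTenant=(?P<tenant>[^\]]*)\].*?"
    r"\bindices=\[(?P<indices>[^\]]*)\].*?"
    r"\[Action \[(?P<action>[^\]]+)\]\].*?"
    r"\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)


def _split_list(s: str) -> list:
    """Turn 'a, b, c' from the log message into ['a', 'b', 'c']."""
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_perm_denial(line: str) -> Optional[dict]:
    """Parse one JSON log line; return the denial's fields, or None if it is not one."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if entry.get("component") != "c.f.s.p.PrivilegesEvaluator":
        return None
    m = _DENIAL_RE.search(entry.get("message", ""))
    if not m:  # e.g. the bare "No permissions for [...]" follow-up line
        return None
    return {
        "timestamp": entry.get("timestamp"),
        "node": entry.get("node.name"),
        "user": m.group("user"),
        "tenant": m.group("tenant"),
        "indices": _split_list(m.group("indices")),
        "action": m.group("action"),
        "roles_checked": _split_list(m.group("roles")),
    }


def summarize_denials(lines) -> dict:
    """Count denials per (user, tenant, action, index) so repeated ones stand out."""
    counts = {}
    for line in lines:
        d = parse_perm_denial(line)
        if d is None:
            continue
        for idx in d["indices"] or ["<none>"]:
            key = (d["user"], d["tenant"], d["action"], idx)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Typical use: python3 this.py < elasticsearch.json (one JSON object per line).
    for key, n in sorted(summarize_denials(SAMPLE_LOG_LINES).items(), key=lambda kv: -kv[1]):
        user, tenant, action, idx = key
        print(f"{n:4d}  user={user} tenant={tenant} action={action} index={idx}")
```

Run over the real DEBUG output, the summary collapses the haystack to a handful of (user, tenant, action, index) tuples; here it reduces the quoted lines to a single entry for faxmodem in tenant X on .kibana_98832_X_3 for indices:admin/mapping/auto_put, with the roles that were checked available from parse_perm_denial for comparing against the role definition.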

If you want and if you consider the haystack as not sensitive, please feel free to forward the whole haystack as a private message to me.

Quick update regarding this: I think, we have identified the issue. We are working on a fix and will update you as soon as possible.

