Permissions issue for tenant X

Hi again,

Using ES 7.10.2-53.0.0 and Kibana 7.10.2-51.0.0 I’m having a permissions issue.
User has following role:

            - tenant_patterns:
              - X
              - SGS_KIBANA_ALL_WRITE
            - index_patterns:
                - 'X-*'
                - SGS_INDICES_ALL

User can save dashboards and visualisations, but not searches:


And the corresponding server log entry:

No permissions for [cluster:admin:searchguard:authtoken/_own/search

I see there are these two static action_groups that provide this permission: SGS_CREATE_MANAGE_OWN_AUTH_TOKEN and SGS_MANAGE_ALL_AUTH_TOKEN. I’m guessing saving a search requires creating a token somehow under the hood ?

Actually, the auth token feature is completely unrelated to managing searches. I would think that the error message in the logs is just coincidentally logged. Can you check your logs for other items that might be related?

I guess you’re right, there is nothing server side, although I’m not sure on which node the error message ends up.

In the client log (kibana) I see:

GET /api/saved_objects/_find?fields=title&per_page=10&search=%22s%22&search_fields=title&type=search 200 25ms - 9.0B
[security_exception]: no permissions for [indices:admin/mapping/auto_put] and User faxmodem <openid> [requestedTenant=X]
POST /api/saved_objects/search?overwrite=true 403 40ms - 9.0B

The message regarding indices:admin/mapping/auto_put could be an important hint. It seems that Kibana is trying to create a new index here. Just wondering, what index that might be :thinking:

Could you check the ES logs, whether there is more information?

If not, could you raise the log level for com.floragunn.searchguard.privileges to DEBUG? See here for details in that:

Just one general thought: Does the user have the role SGS_KIBANA_USER? If not, can you try to assign the role to the user?

The user does have the SGS_KIBANA_USER role, as reported by the top-left icon

In the ES logs, I get the initial error pasted above consistently. Here it is again:

{"type": "server", "timestamp": "2022-03-31T14:45:41,795+02:00", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "": "foo", "": "node42", "message": "No index-level perm match for User faxmodem <openid> [requestedTenant=X] Resolved [aliases=[], indices=[.kibana_98832_X_3], allIndices=[.kibana_98832_X_3], types=[*], originalRequested=[.kibana_98832_X_3], remoteIndices=[], localAll=false, indicesOptions=IndicesOptions[ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, expand_wildcards_hidden=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false, ignore_throttled=false]] [Action [indices:admin/mapping/auto_put]] [RolesChecked [long_list_of_roles, SGS_KIBANA_USER, X_admin]]", "cluster.uuid": "EfB5NmrLQWefQYzeb1_Zpg", "": "Qi0Rbj7FQEaZWAEVIr604A"  }
{"type": "server", "timestamp": "2022-03-31T14:45:41,797+02:00", "level": "INFO", "component": "c.f.s.p.PrivilegesEvaluator", "": "foo", "": "node42", "message": "No permissions for [indices:admin/mapping/auto_put]", "cluster.uuid": "EfB5NmrLQWefQYzeb1_Zpg", "": "Qi0Rbj7FQEaZWAEVIr604A"  }

there isn’t much activity on the cluster, so I’m pretty sure this error message is indeed caused by trying to save a search in kibana

BTW, saving in the “Global” tenant works as expected

I switched on DEBUG and apart from seeing a big haystack, I didn’t find the needle yet

If you want and if you consider the haystack as not sensitive, please feel free to forward the whole haystack as a private message to me.

Quick update regarding this: I think, we have identified the issue. We are working on a fix and will update you as soon as possible.

1 Like

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.