Potential risks with giving indices:data/read/scroll* permission to all

Hi,

  • Search Guard version: 6:6.3.1-22.3

  • Elasticsearch version: 6.3.1

I have currently given default readall/readall access to all users of kibana as I don’t want them to make any changes to the visualizations.

Unfortunately, this user does not have the required permission to generate reports.

I read here that I need to “add “indices:data/read/scroll*” to cluster level permissions:”

sg_roles.yml:

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
    - "indices:data/read/scroll*"
  indices:
    '*':
      '*':
        - READ
        - indices:data/read/scroll/clear

Wanted to understand what all the users will be able to do with above permissions?

As I understand from this, this should not give ‘write’ access so users will not be able to tamper with the data. But just want to be sure about that.

-Thanks

Nikhil

Your "sg_readall" role does not give write access, so no risk that anyone who has solely this role can tamper with data.


On 04.02.2019 at 10:40, Nikhil Utane <nikhil.subscribed@gmail.com> wrote:

Hi,

* Search Guard version: 6:6.3.1-22.3
* Elasticsearch version: 6.3.1

I have currently given default readall/readall access to all users of kibana as I don't want them to make any changes to the visualizations.
Unfortunately, this user does not have the required permission to generate reports.
I read here that I need to "add "indices:data/read/scroll*" to cluster level permissions:"

sg_roles.yml:
# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
    - "indices:data/read/scroll*"
  indices:
    '*':
      '*':
        - READ
        - indices:data/read/scroll/clear

Wanted to understand what all the users will be able to do with above permissions?
As I understand from this, this should not give 'write' access so users will not be able to tamper with the data. But just want to be sure about that.

-Thanks
Nikhil
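
One way to check the answer above mechanically: expand the role's action groups and test every resulting pattern against a list of mutating Elasticsearch action names. This is an added example, not Search Guard code or part of the original thread. It assumes the two action groups expand as in the default sg_action_groups.yml of Search Guard 6, approximates Search Guard's wildcard matching with `fnmatch`, and pools cluster-level and index-level patterns, so it over-reports rather than under-reports.

```python
from fnmatch import fnmatchcase

# Assumed contents of the two action groups (default sg_action_groups.yml of
# Search Guard 6); replace with the definitions from your own file.
ACTION_GROUPS = {
    "READ": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
    "CLUSTER_COMPOSITE_OPS_RO": [
        "indices:data/read/mget", "indices:data/read/msearch",
        "indices:data/read/mtv", "indices:data/read/coordinate-msearch*",
        "indices:admin/aliases/exists*", "indices:admin/aliases/get*",
        "indices:data/read/scroll",
    ],
}

# The sg_readall role from the post, written as a Python dict.
SG_READALL = {
    "cluster": ["CLUSTER_COMPOSITE_OPS_RO", "indices:data/read/scroll*"],
    "indices": {"*": {"*": ["READ", "indices:data/read/scroll/clear"]}},
}

# Constructed sample of Elasticsearch action names that change data,
# indices or cluster settings; extend it for your own audit.
MUTATING_ACTIONS = [
    "indices:data/write/index", "indices:data/write/update",
    "indices:data/write/delete", "indices:data/write/bulk",
    "indices:data/write/delete/byquery", "indices:data/write/reindex",
    "indices:admin/create", "indices:admin/delete",
    "indices:admin/mapping/put", "cluster:admin/settings/update",
]

def expand(perms, groups=ACTION_GROUPS):
    """Resolve action-group names to action patterns (groups may nest)."""
    out = []
    for p in perms:
        out.extend(expand(groups[p], groups) if p in groups else [p])
    return out

def role_patterns(role):
    """All patterns a role grants, cluster and index level pooled together."""
    pats = expand(role.get("cluster", []))
    for doc_types in role.get("indices", {}).values():
        for perms in doc_types.values():
            pats.extend(expand(perms))
    return pats

def granted(role, actions):
    """Map each action the role matches to the patterns that match it."""
    pats = role_patterns(role)
    hits = {a: [p for p in pats if fnmatchcase(a, p)] for a in actions}
    return {a: m for a, m in hits.items() if m}
```

`granted(SG_READALL, MUTATING_ACTIONS)` returns an empty dict, while a role that also listed `indices:data/write*` would show up with the matching pattern next to each write action.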


Thank you for the quick response.


On Mon, Feb 4, 2019 at 3:20 PM SG info@search-guard.com wrote:

Your “sg_readall” role does not give write access, so no risk that anyone who has solely this role can tamper with data.
