Query regarding scroll and clear permission

Elasticsearch version:
7.8.0
SearchGuard Version is 7.8.0-43.0.0.
Server OS version:
Centos 7/8

Describe the issue:
We have got an issue with scroll permission.
{"type":"error","@timestamp":"2020-09-18T08:19:56Z","tags":["error","Stream error"],"pid":10,"level":"error","error":{"message":"[security_exception] no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]","name":"Error","stack":"Error: [security_exception] no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]\n at respond

It got resolved after adding indices:data/read/scroll/clear under cluster_permissions.

We already have data/read permission for indices.

Our query is: can't we give only scroll/clear permission, as we don't want to give read permission to a user for all indices?

Surprisingly, "indices:scroll/clear" did not work under cluster_permissions.

Do we have any other alternative for this scenario?

Hi.
To provide read-only access on the cluster level, use the SGS_CLUSTER_COMPOSITE_OPS_RO action group, because Search Guard updates the group regularly to add the required permissions, which are subject to change.

can’t we give only scroll/clear permission as we don’t want to give read permission to a user for all indices.

Add the scroll permission in a role in index_permissions.allowed_actions.

sg_roles.yml

<role_name>:
  cluster_permissions:
    - '<action group or single permission>'
    - ...
  index_permissions:
    - index_patterns:
      - <index pattern the allowed actions should be applied to>
      - ...
      allowed_actions:
        - 'indices:data/read/scroll/clear'
...

This doesn't work for us.
sg_roles.yml

    sg_pt-ns_role:
      index_permissions:
      - allowed_actions:
        - SGS_INDICES_ALL
        - 'indices:data/read/scroll/clear'
        index_patterns:
        - pt-ns-*

We got the below error.

{"type":"error","@timestamp":"2020-12-22T09:37:07Z","tags":["error","Stream error"],"pid":10,"level":"error","error":{"message":"[security_exception] no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]","name":"Error","stack":"Error: [security_exception] no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]\n    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n    at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n    at IncomingMessage.emit (events.js:203:15)\n    at endReadableNT (_stream_readable.js:1145:12)\n    at process._tickCallback (internal/process/next_tick.js:63:19)"},"message":"[security_exception] no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]"}
{"type":"log","@timestamp":"2020-12-22T09:37:07Z","tags":["connection","client","error"],"pid":10,"message":"Stream Closed : [security_exception] no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null] :: {\"path\":\"/_search/scroll\",\"query\":{},\"body\":\"{\\\"scroll_id\\\":\\\"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFFdzN1BpWFlCQWl4Q2NUZThObGNvAAAAAAAAAHIWbExaV0Jnb0dRZnlneDVmcXh0S25YZw==\\\"}\",\"statusCode\":403,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for [indices:data/read/scroll/clear] and User [name=appdev01, backend_roles=[pt-ns], requestedTenant=null]\\\"},\\\"status\\\":403}\"}"}
{"type":"request","@timestamp":"2020-12-22T09:37:07Z","tags":["info","Stream Close"],"pid":10,"message":"request ended/disconnected"}

This is expected behaviour indeed.

Index privileges only apply for action requests which carry index names. The clear scroll API does not carry index names, but only cursor IDs (see https://www.elastic.co/guide/en/elasticsearch/reference/current/clear-scroll-api.html ).

Thus, despite its name, indices:data/read/scroll/clear needs to be considered as a cluster action.
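The two rules in this answer (index privileges only apply to requests that carry index names, so a clear-scroll request with only scroll IDs is governed by cluster_permissions) and in the later reply about literal action names versus wildcards can be checked with a small model of role evaluation. This is an added illustration written for this thread, not Search Guard's own code; the action-group expansions and the evaluation order are simplified assumptions, and the roles and requests are constructed to mirror the ones posted above.

```python
"""Toy model of how a Search Guard style role resolves a request.

Added example for this thread, not Search Guard code. It models two rules
stated in the answers: index_permissions only apply to requests that carry
index names, and action names match literally unless a wildcard is used.
The action-group expansions below are simplified assumptions.
"""
import fnmatch
from dataclasses import dataclass, field

# Assumed, simplified expansions of the action groups named in the thread.
ACTION_GROUPS = {
    "SGS_INDICES_ALL": ["indices:*"],
    "SGS_CLUSTER_COMPOSITE_OPS_RO": [
        "indices:data/read/scroll/clear",
        "indices:data/read/scroll",
        "indices:data/read/msearch",
        "indices:data/read/mget",
    ],
}


def expand(actions):
    """Replace action-group names with their member actions; pass others through."""
    out = []
    for a in actions:
        out.extend(ACTION_GROUPS.get(a, [a]))
    return out


def action_matches(granted, requested):
    """Literal match, or glob match when the grant contains a wildcard.

    'indices:data/read' alone does not cover 'indices:data/read/scroll/clear',
    and granting scroll/clear does not cover 'indices:data/read/search'.
    """
    return fnmatch.fnmatchcase(requested, granted)


@dataclass
class Request:
    action: str
    indices: list = field(default_factory=list)  # empty for clear-scroll


def is_allowed(role, request):
    """Evaluate a role against a request under the two modelled rules."""
    if not request.indices:
        # No index names in the request: only cluster_permissions can grant it.
        grants = expand(role.get("cluster_permissions", []))
        return any(action_matches(g, request.action) for g in grants)
    # Every index named in the request must be covered by an index_permissions
    # entry whose pattern matches the index and whose actions cover the action.
    for index in request.indices:
        covered = False
        for entry in role.get("index_permissions", []):
            pattern_hit = any(fnmatch.fnmatchcase(index, p) for p in entry["index_patterns"])
            grants = expand(entry.get("allowed_actions", []))
            if pattern_hit and any(action_matches(g, request.action) for g in grants):
                covered = True
                break
        if not covered:
            return False
    return True


# Constructed roles mirroring the ones posted in the thread.
ROLE_SCROLL_IN_INDEX_PERMS = {  # scroll/clear placed under index_permissions
    "index_permissions": [{"index_patterns": ["pt-ns-*"],
                           "allowed_actions": ["SGS_INDICES_ALL", "indices:data/read/scroll/clear"]}],
}
ROLE_BOGUS_ACTION = {  # 'indices:scroll/clear' is not a real action name
    "cluster_permissions": ["indices:scroll/clear"],
    "index_permissions": [{"index_patterns": ["pt-ns-*"], "allowed_actions": ["SGS_INDICES_ALL"]}],
}
ROLE_RECOMMENDED = {  # the action group the answer recommends
    "cluster_permissions": ["SGS_CLUSTER_COMPOSITE_OPS_RO"],
    "index_permissions": [{"index_patterns": ["pt-ns-*"], "allowed_actions": ["SGS_INDICES_ALL"]}],
}

# Constructed requests: clear-scroll carries only scroll IDs, no index names.
CLEAR_SCROLL = Request("indices:data/read/scroll/clear")
SEARCH_OWN = Request("indices:data/read/search", ["pt-ns-2020.12"])
SEARCH_OTHER = Request("indices:data/read/search", ["kibana_sample_data_flights"])


def evaluate_all():
    """Return allow/deny decisions for each constructed role and request."""
    roles = {"scroll_in_index_perms": ROLE_SCROLL_IN_INDEX_PERMS,
             "bogus_action": ROLE_BOGUS_ACTION,
             "recommended": ROLE_RECOMMENDED}
    reqs = {"clear_scroll": CLEAR_SCROLL, "search_own": SEARCH_OWN, "search_other": SEARCH_OTHER}
    return {r: {q: is_allowed(role, req) for q, req in reqs.items()} for r, role in roles.items()}


if __name__ == "__main__":
    for role_name, decisions in evaluate_all().items():
        print(role_name, decisions)
```

Running it shows the thread's outcomes: the role with scroll/clear only under index_permissions is denied clear-scroll because that request names no index, the made-up action name matches nothing, and the recommended role allows clear-scroll while still denying a search on an index outside its patterns, since the cluster grant adds no data access.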

But why do we need to provide data/read permission under cluster_permissions, as data/read permission is already under index_permissions?

@srgbnd Please respond to this query.

Hi @SarthakSahu
Please be patient, the forum is not intended for commercial support. If you need commercial support, you can get it here: Contact the Search Guard team - get in touch with us

Do you mean a role like the following one doesn’t work for you? It works for me.

{
  "cluster_permissions": [
    "indices:data/read/scroll/clear"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "kibana_sample_data_flights"
      ]
    }
  ]
}

@srgbnd Your mentioned role works for us too. But below role doesn’t work.

Note: We don't want to provide data/read permission under cluster_permissions, as data/read permission is already under index_permissions.

{
  "cluster_permissions": [
    "indices:scroll/clear"
  ],
  "index_permissions": [
    {
      "allowed_actions": [
        "SGS_INDICES_ALL"
      ],
      "index_patterns": [
        "kibana_sample_data_flights"
      ]
    }
  ]
}

@SarthakSahu Where did you get the permission indices:scroll/clear from? Such a thing does not exist. Thus, it does not work.

Please note that indices:data/read/scroll/clear is something different than indices:data/read. If you grant the permission indices:data/read/scroll/clear, you won’t grant the permission for indices:data/read. Such a thing would be only achieved using wildcards.

So, as said before, we are strongly recommending just to put the action group SGS_CLUSTER_COMPOSITE_OPS_RO into the cluster_permissions. This action group is maintained by Search Guard and will provide access to special functionality of ES (like scrolling) without granting additional access to data (which is only governed by the index_permissions).


Hi @nils

The below configuration with "SGS_CLUSTER_COMPOSITE_OPS_RO" did not work. Is my configuration correct?

{
  "cluster_permissions": [
    "SGS_CLUSTER_COMPOSITE_OPS_RO"
  ],
  "index_permissions": [
    {
      "allowed_actions": [
        "SGS_INDICES_ALL"
      ],
      "index_patterns": [
        "kibana_sample_data_flights"
      ]
    }
  ]
}

In what way does it not work? Do you get an error? If so, what is the error message?

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.