(search-guard-helm) New user cannot access kibana UI after log in successfully

  • Search Guard and Elasticsearch version (Answer: by default - 6.4.1)

  • Installed and used enterprise modules, if any (Answer: by default of search-guard-helm)

1 Created with search-guard-helm.

2 Works well with admin user

3 Add a new user “pp” as below


<img src='//discourse-cloud-file-uploads.s3.dualstack.us-west-2.amazonaws.com/business5/uploads/search_guard/original/1X/676932eb8a42034f6bbe3742a7d436ab140fab8b.png' width='1033' height='465'>



<details class='elided'>
<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>

------------

### dev1c_pp*

sg_dev1c_pp:

readonly: true

cluster:

- CLUSTER_COMPOSITE_OPS_RO

indices:

'dev1c_pp*':

'*':

- READ

--------------

sg_dev1c_pp:

readonly: true

backendroles:

- dev1c_pp

---------

#password is: password123

pp:

hash: $2y$12$PJOcaB0KNnBnpx51GybEj.lnEqj9ey1HLRW.u5d3cF9fEJrlkhfZy

roles:

- kibanauser

- dev1c_pp

4 Run sgadmin_update.sh successfully


[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh

... ...

Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml

SUCC: Configuration for 'actiongroups' created or updated

Done with success

5 Log in kibana with new user pp successfully

6 However, the tab of kibana show empty.

7 Click other link (Discover/ Visualize/ Dashboard/ Timelion/ Dev Tools/ Management/), all is empty or not work.

kibana.png

It seems that the sgadmin_update.sh script does not update all the config files:

[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh

… …
Will update ‘sg/actiongroups’ with /root/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success

``

Usually, you would see all 5 configs being updated. Or did you just trim the output of sgadmin?

Can you please check the output of the authinfo endpoint with your newly created pp user:

https://sgssl-0.example.com:9200/_searchguard/authinfo

``

Please post the output here. Pay attention to the sg_roles field in the JSON that this endpoint returns. Does it contain the sg_kibana_user role?

···

On Thursday, November 29, 2018 at 1:45:18 PM UTC+1, johnzhengaz@gmail.com wrote:

  • Search Guard and Elasticsearch version (Answer: by default - 6.4.1)
  • Installed and used enterprise modules, if any (Answer: by default of search-guard-helm)

1 Created with search-guard-helm.

2 Works well with admin user

3 Add a new user “pp” as below


dev1c_pp*

sg_dev1c_pp:

readonly: true

cluster:

  • CLUSTER_COMPOSITE_OPS_RO

indices:

‘dev1c_pp*’:

‘*’:

  • READ

sg_dev1c_pp:

readonly: true

backendroles:

  • dev1c_pp

#password is: password123

pp:

hash: $2y$12$PJOcaB0KNnBnpx51GybEj.lnEqj9ey1HLRW.u5d3cF9fEJrlkhfZy

roles:

  • kibanauser
  • dev1c_pp

4 Run sgadmin_update.sh successfully

[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh

… …

Will update ‘sg/actiongroups’ with /root/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

5 Log in kibana with new user pp successfully

6 However, the tab of kibana show empty.

7 Click other link (Discover/ Visualize/ Dashboard/ Timelion/ Dev Tools/ Management/), all is empty or not work.

I guess that the the kibanauser role is not mapped to the appropriate permissions because either the rolemapping is missing or the sg_kibana_user role is missing.
In our helmcharts they are not included! To make a long story short: I think is solely a permission misconfiguration and not k8s related.

Best way to find this out is to dump the current configuration with "sgadmin -r" and post the files.

···

Am 29.11.2018 um 16:22 schrieb Jochen Kressin <jkressin@floragunn.com>:

It seems that the sgadmin_update.sh script does not update all the config files:

[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh

... ...
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

Usually, you would see all 5 configs being updated. Or did you just trim the output of sgadmin?

Can you please check the output of the authinfo endpoint with your newly created pp user:

https://sgssl-0.example.com:9200/_searchguard/authinfo

Please post the output here. Pay attention to the sg_roles field in the JSON that this endpoint returns. Does it contain the sg_kibana_user role?

On Thursday, November 29, 2018 at 1:45:18 PM UTC+1, johnzhengaz@gmail.com wrote:
* Search Guard and Elasticsearch version (Answer: by default - 6.4.1)
* Installed and used enterprise modules, if any (Answer: by default of search-guard-helm)

1 Created with search-guard-helm.
2 Works well with admin user
3 Add a new user "pp" as below

------------
    ### dev1c_pp*
    sg_dev1c_pp:
      readonly: true
      cluster:
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        'dev1c_pp*':
          '*':
            - READ
			
--------------			
    sg_dev1c_pp:
      readonly: true
      backendroles:
        - dev1c_pp		

---------
    #password is: password123
    pp:
      hash: $2y$12$PJOcaB0KNnBnpx51GybEj.lnEqj9ey1HLRW.u5d3cF9fEJrlkhfZy
      roles:
        - kibanauser
        - dev1c_pp		

4 Run sgadmin_update.sh successfully

[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh
... ...
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

5 Log in kibana with new user pp successfully

6 However, the tab of kibana show empty.

7 Click other link (Discover/ Visualize/ Dashboard/ Timelion/ Dev Tools/ Management/), all is empty or not work.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/cf556cc8-9f13-49e8-ad99-8708d94edb0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Resolved!

***Change below: ***

dev1c_pp*

sg_dev1c_pp:

readonly: true

cluster:

  • CLUSTER_COMPOSITE_OPS_RO

indices:

‘dev1c_pp*’:

‘*’:

  • READ

To:

dev1c_pp*

sg_dev1c_pp:

readonly: true

cluster:

  • CLUSTER_COMPOSITE_OPS_RO

indices:

‘dev1c_pp*’:

‘*’:

  • READ

‘?kibana’:

‘*’:

  • INDICES_ALL

‘?kibana-6’:

‘*’:

  • INDICES_ALL

‘?reporting*’:

‘*’:

  • INDICES_ALL

‘?monitoring*’:

‘*’:

  • INDICES_ALL