Search Guard icon disappeared from left bar of kibana

Dear Community,
One of my colleagues was trying to create a user and role and in this process managed to make the Search Guard icon on the left side of Kibana disappear. I had duplicated admin, admin role credentials based on which it happened.

Is there a way to get that icon back so that I am able to see the admin panel of Search Guard for creating roles and users?

Following configuration is in place.

When posting in this category, please add:

Elasticsearch docker image floragunncom/sg-elasticsearch:7.1.1-oss-35.0.0

  • Your Search Guard configuration files

sg_internal_users.yaml:

# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugins/search-guard-6/tools/hash.sh
# For example: $ plugins/search-guard-6/tools/hash.sh -p welcome

#password is: admin
admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv…TOG
  roles:
    - admin

#password is: logstash
logstash:
  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
  roles:
    - logstash

#password is: kibanaserver
kibanaserver:
  readonly: true
  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

#password is: kibanaro
kibanaro:
  hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
  roles:
    - kibanauser
    - readall

#password is: readall
readall:
  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
  #password is: readall
  roles:
    - readall

#password is: snapshotrestore
snapshotrestore:
  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
  roles:
    - snapshotrestore

###############

sg_roles.yml:

# Allows everything, but no changes to searchguard configuration index
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

# Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"

# Allows each user to access own named index
sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL

############################

sg_roles_mapping.yml:

# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml

sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  users:
    - '*'

####################

  • Your elasticsearch.yml configuration file

elasticsearch.yml:

cluster.name: "docker-cluster"
network.host: 0.0.0.0

######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

If you are using Kibana, please also add:

  • Your kibana.yml configuration file

kibana.yml:

server.name: kibana
server.host: "0"
elasticsearch.ssl.verificationMode: none
elasticsearch.hosts: [ "https://sg-route-es-wfsr.apps.ocp.wurnet.nl" ]
elasticsearch.username: admin
elasticsearch.password: admin
searchguard.readonly_mode.roles: ["sg_read_only_1", "sg_read_only_2", …]

From the posted configuration files and the ES version you are using, it seems to me that you use a mix of SG6 and SG7 configuration files, right? So I guess you upgraded from ES/SG6 to ES/SG7, is this correct?

In SG7, we re-worked the built-in SG roles:

If you are still using the role definitions from SG6 (which is also perfectly fine), and you want the SG6 admin role to be able to use the admin GUI, you need to manually grant this role access in elasticsearch.yml.

Now:

Fix:

searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS", "sg_all_access"]
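
The effect of that setting can be checked before restarting the node. The following is an added example, not part of either post and not Search Guard code: it resolves each internal user to Search Guard roles through the posted sg_roles_mapping.yml and reports who holds a role listed in searchguard.restapi.roles_enabled. The function names are the example's own, the data is transcribed from the files above, and only the literal '*' user mapping is handled, not general wildcard patterns.

```python
# Added example: data transcribed from the configuration posted in this thread.
INTERNAL_USERS = {            # user -> backend roles (sg_internal_users.yaml)
    "admin": ["admin"],
    "logstash": ["logstash"],
    "kibanaserver": [],
    "kibanaro": ["kibanauser", "readall"],
    "readall": ["readall"],
    "snapshotrestore": ["snapshotrestore"],
}
ROLES_MAPPING = {             # Search Guard role -> mapping (sg_roles_mapping.yml)
    "sg_all_access": {"backendroles": ["admin"]},
    "sg_logstash": {"backendroles": ["logstash"]},
    "sg_kibana_server": {"users": ["kibanaserver"]},
    "sg_kibana_user": {"backendroles": ["kibanauser"]},
    "sg_readall": {"backendroles": ["readall"]},
    "sg_manage_snapshots": {"backendroles": ["snapshotrestore"]},
    "sg_own_index": {"users": ["*"]},
}

def sg_roles_for(user):
    """Resolve a user to Search Guard roles via user name or backend role."""
    backend = set(INTERNAL_USERS.get(user, []))
    roles = set()
    for role, mapping in ROLES_MAPPING.items():
        users = mapping.get("users", [])
        # Assumption: only the literal '*' is treated as "every user".
        if user in users or "*" in users or backend & set(mapping.get("backendroles", [])):
            roles.add(role)
    return roles

def rest_api_users(roles_enabled):
    """Users holding at least one role listed in searchguard.restapi.roles_enabled."""
    enabled = set(roles_enabled)
    return sorted(u for u in INTERNAL_USERS if sg_roles_for(u) & enabled)

def audit(roles_enabled):
    """Return (users with config GUI / REST API access, enabled roles with no mapping)."""
    unmapped = sorted(set(roles_enabled) - set(ROLES_MAPPING))
    return rest_api_users(roles_enabled), unmapped

if __name__ == "__main__":
    for setting in (["SGS_ALL_ACCESS"], ["SGS_ALL_ACCESS", "sg_all_access"]):
        users, unmapped = audit(setting)
        print(setting, "-> access:", users or "nobody", "| unmapped roles:", unmapped)
```

With the original setting no user in the posted files resolves to an enabled role, which matches the missing icon; with the fix only admin does. Any role added to this list can change the security configuration, so the list should stay limited to administrative roles.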
