Hello,
I've got an issue getting my roles/permission setup working, and I'm wondering if you can provide some pointers as to the cause:
We've set up JWT backendroles mapped to SG roles; each role grants permissions to a set of indices, the idea being that the more roles a user is assigned, the more indices they can access data-wise. When executing a query against Elasticsearch we are not seeing the results we'd expect.
When I issue the following query using the Kibana Dev Tools for a user with the JWT roles kibana, public, data-authoriser and data-search, I'd expect to see the provenance index listed:
Query:

```json
POST /_search
{
  "size": 0,
  "aggs": {
    "suggestions": {
      "terms": {
        "field": "_index",
        "include": ".*"
      }
    }
  }
}
```
Results:

```json
{
  "took": 16,
  "timed_out": false,
  "_shards": {
    "total": 20,
    "successful": 20,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 60,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "suggestions": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "notification-tracking",
          "doc_count": 34
        },
        {
          "key": "ingest_tracking",
          "doc_count": 22
        },
        {
          "key": "investigation",
          "doc_count": 3
        },
        {
          "key": "operations",
          "doc_count": 1
        }
      ]
    }
  }
}
```
However, if I modify the sg_cdp_public role to also include the provenance index, then it is returned in the above results. Secondly, if I run the following query:

```
GET /provenance/_search
```

I can access the data in the provenance index.
I’ve attached a tail of the Elasticsearch logs for further information.
Versions / Logs:
- Search Guard and Elasticsearch version - ES / Kibana: 6.3.0, Search Guard: 6.3.0-22.3
- Installed and used enterprise modules, if any - JWT
- JVM version and operating system version - OpenJDK build 1.8.0_171-b10
- Search Guard configuration files
sg_roles_mapping.yml

```yaml
sg_all_access:
  users:
    - admin
    - lambdaingester
  backendroles:
    - 'sg_all_access'
sg_logstash:
  users:
    - logstash
sg_kibana_server:
  users:
    - kibanaserver
sg_kibana_user:
  backendroles:
    - kibanarole
    - kibana
sg_monitor:
  backendroles:
    - kibanarole
sg_alerting:
  backendroles:
    - kibanarole
sg_public:
  users:
    - '*'
sg_readall:
  users:
    - readall
sg_own_index:
  users:
    - '*'
sg_data_authoriser:
  backendroles:
    - data-authoriser
    - kibana
sg_data_search:
  backendroles:
    - data-search
sg_cdp_public:
  backendroles:
    - public
```
sg_roles.yml

```yaml
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

# Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"

# Allows each user to access own named index
sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL

# X-Pack COMPATIBILITY
sg_xp_monitoring:
  readonly: true
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_xp_alerting:
  readonly: true
  cluster:
    - indices:data/read/scroll
    - cluster:admin/xpack/watcher*
    - cluster:monitor/xpack/watcher*
  indices:
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ
        - indices:admin/aliases/get

sg_xp_machine_learning:
  readonly: true
  cluster:
    - cluster:admin/persistent*
    - cluster:internal/xpack/ml*
    - indices:data/read/scroll*
    - cluster:admin/xpack/ml*
    - cluster:monitor/xpack/ml*
  indices:
    '*':
      '*':
        - READ
        - indices:admin/get*
    '?ml-*':
      '*':
        - "*"

sg_data_authoriser:
  cluster:
    - CLUSTER_ALL
    - UNLIMITED
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/mappings/get
    - indices:admin/get
  indices:
    provenance:
      '*':
        - INDICES_ALL
    operations:
      '*':
        - INDICES_ALL
    ingest_authorise:
      '*':
        - INDICES_ALL

sg_data_search:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    'raw_*':
      '*':
        - INDICES_ALL
    'obj_*':
      '*':
        - INDICES_ALL

sg_cdp_public:
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - indices:admin/get
        - indices:admin/mappings/get
        - indices:admin/validate/query
    operations:
      '*':
        - READ
    'investigation*':
      '*':
        - INDICES_ALL
    notification-tracking:
      '*':
        - INDICES_ALL
    disclosure:
      '*':
        - INDICES_ALL
    ingest_tracking:
      '*':
        - INDICES_ALL
```
log.txt (162 KB)
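To make the expectation in the post concrete, here is an added example (not code from the poster or from Search Guard) that resolves the backend roles kibana, public, data-authoriser and data-search through a subset of the two config files above, takes the union of the index permissions the way the poster expects, and lists which indices should appear in a search but are absent from the response. The action-group expansion, the list of cluster indices and the glob-style pattern matching are simplifying assumptions; Search Guard's real evaluation of a multi-index request is what the question is about and is not modelled here.

```python
from fnmatch import fnmatchcase

# Subset of the sg_roles.yml in the post, as dicts so no YAML library is needed:
# SG role -> {index pattern: [permissions or action groups]}.
SG_ROLES = {
    "sg_kibana_user": {"?kibana": ["MANAGE", "INDEX", "READ", "DELETE"],
                       "*": ["indices:data/read/field_caps*"]},
    "sg_data_authoriser": {"provenance": ["INDICES_ALL"], "operations": ["INDICES_ALL"],
                           "ingest_authorise": ["INDICES_ALL"]},
    "sg_data_search": {"raw_*": ["INDICES_ALL"], "obj_*": ["INDICES_ALL"]},
    "sg_cdp_public": {"*": ["indices:admin/get", "indices:admin/mappings/get",
                            "indices:admin/validate/query"],
                      "operations": ["READ"], "investigation*": ["INDICES_ALL"],
                      "notification-tracking": ["INDICES_ALL"], "disclosure": ["INDICES_ALL"],
                      "ingest_tracking": ["INDICES_ALL"]},
}
# Subset of sg_roles_mapping.yml: SG role -> backend roles (JWT roles) mapped to it.
ROLE_MAPPING = {"sg_kibana_user": ["kibanarole", "kibana"],
                "sg_data_authoriser": ["data-authoriser", "kibana"],
                "sg_data_search": ["data-search"], "sg_cdp_public": ["public"]}
# Simplified action-group expansion (assumption; the real groups are larger).
ACTION_GROUPS = {"INDICES_ALL": ["indices:*"], "READ": ["indices:data/read/*"]}
# Constructed list of indices in the cluster; Kibana's own index is left out.
CLUSTER_INDICES = ["provenance", "operations", "investigation", "notification-tracking",
                   "ingest_tracking", "raw_events"]
# Buckets actually returned by the aggregation in the post.
OBSERVED = ["notification-tracking", "ingest_tracking", "investigation", "operations"]


def sg_roles_for(backend_roles):
    """SG roles whose mapping lists at least one of the user's backend roles."""
    return sorted(r for r, brs in ROLE_MAPPING.items() if set(brs) & set(backend_roles))


def allowed_indices(backend_roles, action, index_names=CLUSTER_INDICES):
    """Indices on which the union of the user's SG roles grants `action`."""
    allowed = set()
    for role in sg_roles_for(backend_roles):
        for pattern, perms in SG_ROLES[role].items():
            # expand action groups; '?' and '*' in index patterns work like shell globs
            actions = [a for p in perms for a in ACTION_GROUPS.get(p, [p])]
            if any(fnmatchcase(action, a) for a in actions):
                allowed.update(n for n in index_names if fnmatchcase(n, pattern))
    return sorted(allowed)


def missing_indices(backend_roles, observed=OBSERVED):
    """Indices the role union should expose to a search but the response lacks."""
    expected = allowed_indices(backend_roles, "indices:data/read/search")
    return sorted(set(expected) - set(observed))


if __name__ == "__main__":
    user = ["kibana", "public", "data-authoriser", "data-search"]
    print("SG roles:", sg_roles_for(user))
    print("missing from response:", missing_indices(user))
```

Comparing the computed union against the buckets actually returned is a quick way to tell whether the gap is in the mapping files themselves or in how the multi-index request is evaluated.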