[security_exception]

  • Search Guard and Elasticsearch version 6.2.4

  • Enterprise trial

  • Win10

When I log in to Kibana via a JWT on the admin account and try to see Search Guard’s configuration for roles, I receive the following error:

Error 403 Forbidden: [security_exception] no permissions for [indices:admin/mappings/fields/get] and User [name=admin, roles=, requestedTenant=admin_tenant]

My SG config for admin is:

sg_internal_users.yml

    admin:
      username: Administrator
      readonly: true
      hash: $2a$12$Vcszdcsa…UGns5JDymv…TOG
      roles:
        - admin

sg_roles_mapping.yml

    sg_all_access:
      readonly: true
      backendroles:
        - admin

    sg_kibana_user:
      backendroles:
        - kibanauser
      users:
        - admin

sg_roles:

    sg_all_access:
      readonly: true
      cluster:
        - UNLIMITED
      indices:
        '*':
          '*':
            - UNLIMITED
      tenants:
        admin_tenant: RW

    sg_kibana_user:
      readonly: true
      cluster:
        - MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '?kibana':
          '*':
            - MANAGE
            - INDEX
            - READ
            - DELETE
        '*':
          '*':
            - indices:data/read/field_caps
            - indices:data/read/search
            - indices:admin/mappings/field/get
      tenants:
        admin_tenant: RW

I’ve another 2 internal users with more restricted privileges, but the error is the same.

Any fix to prevent seeing that error? Not only to hide it, but to remove it for good 🙂

The question here is what your JWT looks like. The sg_internal_users.yml is irrelevant when you use JWT. You only use it when you want to store users in the SG index itself. JSON web tokens are self-contained, which means all information for auth/auth is in the token, so there’s no need for the internal user database.

This log entry here:

Error 403 Forbidden: [security_exception] no permissions for [indices:admin/mappings/fields/get] and User [name=admin, roles**=**, requestedTenant=admin_tenant]

means that you have a user with name “admin” but no backend roles could be extracted from the JWT. Since you use role names for assigning SG roles in roles_mapping.yml this fails, because there are no roles to map.

You have two choices here. You can either use usernames for the mapping, like:

    sg_all_access:
      users:
        - admin

Or you need to tell Search Guard where it can find the user’s roles in the JWT claims:

    jwt_auth_domain:
      enabled: true
      order: 1
      http_authenticator:
        type: jwt
        challenge: false
        config:
          signing_key: "…"
          jwt_header: "…"
          roles_key: roles
          subject_key: username

This is most probably also the cause of your Kibana problem.
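
A diagnostic sketch of the lookup described in the answer above, as an added example that is not part of the original thread and is not Search Guard's own code. It decodes a JWT payload without verifying the signature (offline inspection only), reads the claims named by roles_key and subject_key, and applies the roles mapping posted in the question; the sample tokens and all function names are constructed for illustration.

```python
import base64
import json

# Claim names from the answer's jwt_auth_domain config.
ROLES_KEY = "roles"
SUBJECT_KEY = "username"

# Roles mapping as posted in the question (sg_roles_mapping.yml).
ROLES_MAPPING = {
    "sg_all_access": {"backendroles": ["admin"], "users": []},
    "sg_kibana_user": {"backendroles": ["kibanauser"], "users": ["admin"]},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"

def read_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def extract_identity(claims: dict):
    """Return (user, backend_roles); a missing roles claim gives []."""
    user = claims.get(SUBJECT_KEY)
    roles = claims.get(ROLES_KEY, [])
    if isinstance(roles, str):  # assumption: comma-separated string form
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    return user, list(roles)

def map_sg_roles(user, backend_roles):
    """Match each SG role on the user name or on any backend role."""
    return sorted(
        name for name, m in ROLES_MAPPING.items()
        if user in m["users"] or set(backend_roles) & set(m["backendroles"])
    )

def diagnose(token: str):
    user, backend_roles = extract_identity(read_claims(token))
    return user, backend_roles, map_sg_roles(user, backend_roles)
```

Under this model, a token that carries only the username claim leaves the backend roles empty, so sg_all_access (mapped by backend role) is never reached, while a token that also carries roles: ["admin"] maps to both roles.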

···

On Monday, August 13, 2018 at 3:05:50 PM UTC+2, Lech Szczecinski wrote: