When I log in to Kibana via a JWT token on the admin account and try to see Search Guard’s configuration for roles, I receive the following error:

```
Error 403 Forbidden: [security_exception] no permissions for [indices:admin/mappings/fields/get] and User [name=admin, roles=, requestedTenant=admin_tenant]
```
My SG config for admin is:

sg_internal_users.yml

```yaml
admin:
  username: Administrator
  readonly: true
  hash: $2a$12$Vcszdcsa…UGns5JDymv…TOG
  roles:
    - admin
```

sg_roles_mapping.yml

```yaml
sg_all_access:
  readonly: true
  backendroles:
    - admin
sg_kibana_user:
  backendroles:
    - kibanauser
  users:
    - admin
```

sg_roles:

```yaml
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW
sg_kibana_user:
  readonly: true
  cluster:
    - MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps
        - indices:data/read/search
        - indices:admin/mappings/field/get
  tenants:
    admin_tenant: RW
```
I have another 2 internal users with more restricted privileges, but the error is the same.
Is there any fix to prevent that error? Not just to hide it, but to remove it for good.
The question here is what your JWT looks like. The sg_internal_users.yml is irrelevant when you use JWT. You only use it when you want to store users in the SG index itself. JSON web tokens are self-contained, which means all information for auth/auth is in the token, so there’s no need for the internal user database.
This log entry here:
```
Error 403 Forbidden: [security_exception] no permissions for [indices:admin/mappings/fields/get] and User [name=admin, roles=, requestedTenant=admin_tenant]
```
means that you have a user with name “admin” but no backend roles could be extracted from the JWT. Since you use role names for assigning SG roles in roles_mapping.yml this fails, because there are no roles to map.
You have two choices here. You can either use usernames for the mapping, like:
```yaml
sg_all_access:
  users:
    - admin
```
Or you need to tell Search Guard where it can find the user’s roles in the JWT claims:
```yaml
jwt_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "…"
      jwt_header: "…"
      roles_key: roles
      subject_key: username
```
This is most probably also the cause of your Kibana problem.
On Monday, August 13, 2018 at 3:05:50 PM UTC+2, Lech Szczecinski wrote:
- Search Guard and Elasticsearch version 6.2.4
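To tell which of the two cases from the reply applies, the token payload can be inspected directly. The following is an added example, not part of the original thread and not Search Guard code: it decodes a constructed sample token without verifying it, reads the claims named by `subject_key` and `roles_key`, and applies a simplified model of the role mapping posted in the question. The function names, the sample tokens and the comma-separated form of the roles claim are assumptions.

```python
import base64
import json

# Constructed from the sg_roles_mapping.yml posted in the question.
ROLES_MAPPING = {
    "sg_all_access": {"backendroles": ["admin"]},
    "sg_kibana_user": {"backendroles": ["kibanauser"], "users": ["admin"]},
}

def make_sample_token(claims):
    """Build a constructed sample token; the signature part is a dummy string."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

def read_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def extract_user(claims, subject_key, roles_key):
    """Return (username, backend_roles) as selected by the two config keys."""
    roles = claims.get(roles_key) or []
    if isinstance(roles, str):  # assumption: roles given as a comma-separated string
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    return claims.get(subject_key), list(roles)

def map_sg_roles(username, backend_roles, mapping=ROLES_MAPPING):
    """Simplified model of the mapping: match on username or on any backend role."""
    return sorted(
        sg_role for sg_role, rule in mapping.items()
        if username in rule.get("users", [])
        or set(backend_roles) & set(rule.get("backendroles", []))
    )

def diagnose(token, subject_key="username", roles_key="roles"):
    user, roles = extract_user(read_claims(token), subject_key, roles_key)
    return {"user": user, "backend_roles": roles, "sg_roles": map_sg_roles(user, roles)}

# Constructed sample tokens: one without a roles claim, one with it.
TOKEN_NO_ROLES = make_sample_token({"username": "admin"})
TOKEN_WITH_ROLES = make_sample_token({"username": "admin", "roles": "admin,kibanauser"})

if __name__ == "__main__":
    for label, tok in (("no roles claim", TOKEN_NO_ROLES), ("roles claim", TOKEN_WITH_ROLES)):
        print(label, diagnose(tok))
```

An empty `backend_roles` list here corresponds to the `roles=` in the error message: only mappings that list the username under `users` can match.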