Sg_kibana_user role doesn't let users use Kibana

search-guard-6-6.8.4-25.5.zip
search-guard-kibana-plugin-6.8.4-18.5.zip

Install Demo per Demo Installer (Linux/Mac) | Elasticsearch Security | Search Guard

Define user alice in sg_internal_users.yml

alice:
  readonly: true
  hash: $2y$12$xGK4NJredact
  roles:
    - sg_kibana_user

sg_kibana_user role is as provided by demo installer:

sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get

Log in to Kibana as alice and all that is displayed is this:

{"message":"no permissions for [indices:data/read/search] and User [name=alice, roles=[sg_kibana_user], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=alice, roles=[sg_kibana_user], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

In /var/log/elasticsearch/searchguard_demo.log is

[2019-11-07T17:33:55,502][INFO ][c.f.s.p.PrivilegesEvaluator] [P053Uyn] No index-level perm match for User [name=alice, roles=[sg_kibana_user], requestedTenant=null] Resolved [aliases=[.kibana], indices=[], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [sg_own_index]]
[2019-11-07T17:33:55,502][INFO ][c.f.s.p.PrivilegesEvaluator] [P053Uyn] No permissions for [indices:data/read/search]

If I give alice the admin role then Kibana works fine. I’ve tried explicitly adding indices:data/read/search to the sg_kibana_user role but it doesn’t help. (Nor would I expect it to given what READ expands to.)

Please refer to Roles mapping | Security for Elasticsearch | Search Guard and try

alice:
  readonly: true
  hash: $2y$12$xGK4NJredact
  roles:
    - kibanauser

Your example is inconsistent with the webpage you cite

where the examples show an attribute called backend_roles not roles. But that webpage is for a different version of Search Guard than I said I’m using. The equivalent page for the version I’m using is

and your example is also inconsistent with that as it shows defining an attribute called backendroles. But I think that webpage is wrong because

shows defining an attribute called roles.

Anyway, all that confusing inconsistency and possibly wrongness aside, I already got things working after making this post but left it open to see what was suggested as a solution. The way I’ve done it doesn’t involve specifying any roles or backendroles or backend_roles as part of the user definition.

In sg_internal_users.yml

bob:
  readonly: true
  hash: $2y$12$redact

alice:
  readonly: true
  hash: $2y$12$redact

harold:
  readonly: true
  hash: $2y$12$redact

In sg_roles_mapping.yml

sg_kibana_user:
  backendroles:
    - kibanauser
  users:
    - alice
    - bob

sg_readall:
  readonly: true
  backendroles:
    - readall
    - alice
    - bob


this_is_red_team_role:
  users:
    - bob
    - alice

this_is_blue_team_role:
  users:
    - harold
    - alice

In sg_roles.yml

this_is_blue_team_role:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:data/read/search
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get
    'kibana_sample_data_logs':
      '*':
        - READ
  tenants:
    blue_team: "RW"
                           

this_is_red_team_role:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:data/read/search
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get
    'kibana_sample_data_logs':
      '*':
        - READ
  tenants:
    red_team: "RW"


this_is_alice_role:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:data/read/search
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get
    'kibana_sample_data_logs':
      '*':
        - READ
  tenants:
    alice_stuff: "RW"

this_is_bob_role:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get
  tenants:
    bob_stuff: "RW"

The above config is all part of a proof of concept for Kibana multitenancy, but the concept is how we do things in our production environment, where most of the users we need to assign to roles come from LDAP. We define our own roles in sg_roles.yml; just the names and password hashes for some users like kibana_server are defined in sg_internal_users.yml; and everything about which roles users are in is done in sg_roles_mapping.yml.
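An added example, not code from any poster or from Search Guard, that models how sg_roles_mapping.yml turns a username and backend roles into Search Guard roles, run against the mappings quoted in this thread. The function names are hypothetical, the `sg_own_index` entry for all users is an assumption chosen to match the `RolesChecked [sg_own_index]` log line, and `fnmatch` only approximates Search Guard's wildcard matching.

```python
from fnmatch import fnmatchcase


def _matches(patterns, values):
    """True if any value matches any pattern (* and ? wildcards)."""
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def effective_sg_roles(username, backend_roles, roles_mapping):
    """Search Guard roles a user ends up with.

    A role applies when the username matches an entry under `users`
    or one of the user's backend roles matches an entry under `backendroles`.
    """
    granted = set()
    for sg_role, entry in roles_mapping.items():
        by_user = _matches(entry.get("users", []), [username])
        by_backend = _matches(entry.get("backendroles", []), backend_roles)
        if by_user or by_backend:
            granted.add(sg_role)
    return granted


def unmapped_roles(defined_roles, roles_mapping):
    """Roles defined in sg_roles.yml that no mapping entry references."""
    return sorted(set(defined_roles) - set(roles_mapping))


# Constructed mapping for the first post: backend role "kibanauser" maps to
# sg_kibana_user; sg_own_index for every user is an assumption (see lead-in).
DEMO_MAPPING = {
    "sg_kibana_user": {"backendroles": ["kibanauser"]},
    "sg_own_index": {"users": ["*"]},
}

# Transcribed from the sg_roles_mapping.yml in the last post.
THREAD_MAPPING = {
    "sg_kibana_user": {"backendroles": ["kibanauser"], "users": ["alice", "bob"]},
    "sg_readall": {"backendroles": ["readall", "alice", "bob"]},
    "this_is_red_team_role": {"users": ["bob", "alice"]},
    "this_is_blue_team_role": {"users": ["harold", "alice"]},
}

# Role names defined in the sg_roles.yml in the last post.
THREAD_ROLES = ["this_is_blue_team_role", "this_is_red_team_role",
                "this_is_alice_role", "this_is_bob_role"]

if __name__ == "__main__":
    # First post: "sg_kibana_user" listed under the user is only a backend role.
    print(effective_sg_roles("alice", ["sg_kibana_user"], DEMO_MAPPING))
    print(effective_sg_roles("alice", [], THREAD_MAPPING))
    print(unmapped_roles(THREAD_ROLES, THREAD_MAPPING))
```

In this model, usernames listed under `backendroles` (as in `sg_readall`) grant nothing unless the user also carries a backend role of that name, and the two roles returned by `unmapped_roles` are never assigned by the mapping shown.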
