sg_roles.yml and matching indexes

Hi,
I can't correctly configure roles.yml and Kibana to do exactly what I need.
Basically I want to use this "index pattern" in Kibana: logstash-*-apache-access-* for our customers globally, and configure a dashboard for them with only the data they own (their indexes and no others).

On our Elasticsearch server we have indexes like these:

  • logstash-clientlogin-apache-access-2016.06.17
  • logstash-clientname-apache-access-2016.06.17
  • logstash-prodtest-sshd-auth-2016.06.16
  • logstash-prodtest-apache-access-2016.06.17

My roles.yml:

# Kibana role read-only for client
sg_kibana4_client:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '?kibana':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
        - indices:admin/exists*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*

sg_clientname:
  indices:
    '*-clientname-*':
      '*':
        - READ

Then, for testing, I run:

$ curl -XGET -u clientname:spock http://localhost:9200/logstash-*-apache-access-*?pretty
{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "no permissions for indices:admin/get"
    } ],
    "type" : "security_exception",
    "reason" : "no permissions for indices:admin/get"
  },
  "status" : 403
}

elasticsearch.log:

[com.floragunn.searchguard.configuration.PrivilegesEvaluator] No perm match for indices:admin/get and [sg_kibana4_client, sg_clientname, sg_public]

I tried different configurations for the roles, like only one role for the rules, and different regexes too. The Kibana errors are on other endpoints, but basically it's the same problem.

Can you help me achieve that?

I'm not sure, but maybe it's not possible to do this with search-guard2?

Does Search Guard evaluate the "index search regex" instead of evaluating the list of existing indexes for its permissions? Is this a feature?

In my head, when you call for example:
$ curl -XGET -u clientname:spock http://localhost:9200/logstash-*-apache-access-*?pretty

internally Elasticsearch should resolve "logstash-*-apache-access-*", give back a list of the existing indexes, and finally match each of them against the roles in your plugin.

Maybe this is for better performance, but it's blocking us :confused:

Regards,
Lucas

(sorry for my English :/)

pls. try

# Kibana role read-only for client
sg_kibana4_client:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    '?kibana':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
        - indices:admin/exists*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*

On 17.06.2016 at 12:18, ll@ooworx.com wrote:


sorry, pls ignore the last answer (copy and paste hell), try:

sg_clientname:
  indices:
    '*-clientname-*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*

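
The permission mismatch discussed in this thread, as an added example that is not part of the original posts and is not Search Guard's own code: a simplified model of wildcard role matching that checks an action against the original and the suggested sg_clientname role. It assumes READ expands to indices:data/read* as in the default sg_action_groups.yml; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Assumption: READ expands as in Search Guard's default sg_action_groups.yml.
ACTION_GROUPS = {"READ": ["indices:data/read*"]}

# Index permissions copied from the thread (document type '*' collapsed away).
KIBANA_ROLE = {"?kibana": [
    "READ", "indices:admin/mappings/fields/get*", "indices:admin/validate/query*",
    "indices:admin/get*", "indices:admin/exists*", "indices:admin/refresh*",
    "indices:data/read/get*", "indices:data/read/mget*", "indices:data/read/search*",
]}
ORIGINAL = {
    "sg_kibana4_client": KIBANA_ROLE,
    "sg_clientname": {"*-clientname-*": ["READ"]},
}
SUGGESTED = {
    "sg_kibana4_client": KIBANA_ROLE,
    "sg_clientname": {"*-clientname-*": [
        "READ", "indices:admin/mappings/fields/get*",
        "indices:admin/validate/query*", "indices:admin/get*",
    ]},
}

# Index names listed in the original post.
INDICES = [
    "logstash-clientlogin-apache-access-2016.06.17",
    "logstash-clientname-apache-access-2016.06.17",
    "logstash-prodtest-sshd-auth-2016.06.16",
    "logstash-prodtest-apache-access-2016.06.17",
]

def expand(perms):
    """Replace action-group names with the action patterns they stand for."""
    out = []
    for perm in perms:
        out.extend(ACTION_GROUPS.get(perm, [perm]))
    return out

def allowed(roles, index, action):
    """True if any role has an index pattern matching `index` that grants `action`."""
    for index_perms in roles.values():
        for index_pattern, perms in index_perms.items():
            if fnmatchcase(index, index_pattern) and any(
                fnmatchcase(action, p) for p in expand(perms)
            ):
                return True
    return False

def granted_indices(roles, action):
    """Concrete indices from INDICES on which `action` is granted."""
    return [i for i in INDICES if allowed(roles, i, action)]

if __name__ == "__main__":
    for name, roles in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, granted_indices(roles, "indices:admin/get"))
```

Under this model the original roles grant indices:admin/get on none of the logstash indices, while the suggested role grants it only on the clientname index and leaves the other customers' indices denied.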