Sgs_cluster_manage_index this doesn't have permission when the specific index pattern is configured as 'log-test*'. But the same works when index pattern is configured as '*'

SGS_CLUSTER_MANAGE_INDEX_TEMPLATES has permission when the index pattern is configured as '*'. But the same doesn't work for a particular index pattern, e.g. 'log-test*'?
Any particular reason for this behaviour?

sg config for user:
    sg_configmap:
      internal_users_yml: |-
        ---
        _sg_meta:
          type: "internalusers"
          config_version: 2
        admin:
          reserved: true
          hidden: false
          hash: "$xxxxxxxxxxxxxxxxx"
          backend_roles:
          - "admin"
        sachin:
          hash: "$xxxxxxxxxxx"

Sg config for roles:
        sg_sachin_role:
         cluster_permissions:
           - SGS_CLUSTER_MANAGE_INDEX_TEMPLATES
           - SGS_CLUSTER_ALL
         index_permissions:
           - index_patterns:
             - 'log-test*'
             allowed_actions:
             - SGS_INDICES_ALL
             - SGS_CRUD

SG config for role mapping:
        sg_sachin_role:
          reserved: true
          users:
          - "sachin"

We get the below error while running the curl command.

    "error" : {
      "root_cause" : [
        {
          "type" : "security_exception",
          "reason" : "no permissions for [indices:admin/index_template/put] and User [name=sachin, backend_roles=[], requestedTenant=null]"
        }
      ],
      "type" : "security_exception",
      "reason" : "no permissions for [indices:admin/index_template/put] and User [name=sachin, backend_roles=[], requestedTenant=null]"
    },
    "status" : 403

Can you help me resolve the issue?
Thanks

What version of Search Guard and what version of Elasticsearch are you using?

Hi @nils, Elasticsearch version is - 7.8.0
Search Guard version is - 7.8.0

For Elasticsearch 7.8.0, Search Guard was released in the versions 42.0.0, 43.0.0 and 43.1.0. I’ll assume 43.1.0 for now.

What is the curl command you are trying to execute? What Elasticsearch API are you calling with curl?

  • The normal index API PUT /<target>/_doc/<_id>?
  • The composable template API PUT /_index_template/<index-template>?
  • The legacy template API PUT /_template/<index-template>?
  • Another API?

Hi @nils
Search Guard version used is - 43.0.0.
curl command used is -

    curl -XPUT --insecure -u username:password 'https://10.xx.xx.xx:9200/_index_template/template_1?pretty' -H 'Content-Type: application/json' -d '{"index_patterns": "log-test*", "template": {"settings": {"number_of_shards": 1}}}'


In the SG config for the role section, if we give the index pattern as 'log-test*' like below, it doesn't work and the curl command fails with an error.

        sg_sachin_role:
         cluster_permissions:
           - SGS_CLUSTER_MANAGE_INDEX_TEMPLATES
           - SGS_CLUSTER_ALL
         index_permissions:
           - index_patterns:
             - 'log-test*'
             allowed_actions:
             - SGS_INDICES_ALL
             - SGS_CRUD

    "error" : {
      "root_cause" : [
        {
          "type" : "security_exception",
          "reason" : "no permissions for [indices:admin/index_template/put] and User [name=sachin, backend_roles=[], requestedTenant=null]"
        }
      ],
      "type" : "security_exception",
      "reason" : "no permissions for [indices:admin/index_template/put] and User [name=sachin, backend_roles=[], requestedTenant=null]"
    },
    "status" : 403

It seems that there are still issues with the new Index Template API introduced in ES 7.8:

We are looking into this. As a workaround, would it be possible for you to use instead the legacy index template API? Docs are here:

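Added example, not part of the original thread and not Search Guard or Elasticsearch project code: a Python helper that rewrites the composable template body from the curl command above into the request for the legacy template API suggested as a workaround. The function names are hypothetical, and mapping `priority` to `order` is an assumption, since the two APIs resolve overlapping templates differently.

```python
import json

# Keys inside a composable template's "template" object that the legacy
# API expects at the top level of the request body.
LIFTED_KEYS = ("settings", "mappings", "aliases")
# Top-level composable keys this helper knows how to translate.
TRANSLATABLE = {"index_patterns", "template", "priority", "version"}


def to_legacy_template(composable: dict) -> dict:
    """Convert a composable (_index_template) body to a legacy (_template) body."""
    # Refuse keys with no direct legacy equivalent (e.g. composed_of)
    # instead of silently dropping them.
    unknown = sorted(set(composable) - TRANSLATABLE)
    if unknown:
        raise ValueError("no legacy equivalent for: " + ", ".join(unknown))

    patterns = composable["index_patterns"]
    if isinstance(patterns, str):  # the thread's body passes a single string
        patterns = [patterns]
    legacy = {"index_patterns": list(patterns)}

    inner = composable.get("template", {})
    for key in LIFTED_KEYS:
        if key in inner:
            legacy[key] = inner[key]

    # Assumption: carry "priority" over as "order". Legacy templates merge
    # in order; composable templates pick only the highest priority.
    if "priority" in composable:
        legacy["order"] = composable["priority"]
    if "version" in composable:
        legacy["version"] = composable["version"]
    return legacy


def legacy_request(name: str, composable: dict):
    """Return (method, path, json_body) for the legacy template API."""
    body = json.dumps(to_legacy_template(composable), sort_keys=True)
    return "PUT", f"/_template/{name}", body


# Request body copied from the curl command in the thread.
THREAD_BODY = {"index_patterns": "log-test*",
               "template": {"settings": {"number_of_shards": 1}}}

if __name__ == "__main__":
    print(*legacy_request("template_1", THREAD_BODY))
```

The returned path and body replace `/_index_template/template_1` and the `-d` payload in the curl command; the thread does not confirm whether the role as configured is allowed to call the legacy API.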