When I enable the multitenancy feature on SG and Kibana, the tenants menu bar appears in Kibana and it works as expected. But when I try to create an index pattern via the Kibana API with the sgtenant header, the index pattern is always created inside the default global tenant. Where is my mistake?
Here are my configs:
part of kibana.yml
elasticsearch.username: "system_user"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
searchguard.accountinfo.enabled: true
searchguard.multitenancy.enabled: true
elasticsearch.requestHeadersWhitelist: ["sgtenant", "Authorization"]
part of sg_config.yml
searchguard:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: 'system_user'
and my request: url [POST] http://localhost:5601/api/saved_objects/index-pattern/test
body
{
  "attributes" : {
    "title" : "test"
  }
}
headers
kbn-xsrf : true
sgtenant : admin_tenant
Content-Type: application/json
Authorization : Basic <key here>
Hm … actually the configuration you posted seems ok, and also the headers you send in the API call seem to be ok. Which version of ES/SG are you using?
Maybe you have run into an issue with the naming of the HTTP header. For a quick cross-check, can you add “sg_tenant” (with an underscore) to the whitelist:
elasticsearch.requestHeadersWhitelist: ["sgtenant", "sg_tenant", "Authorization"]
and try to use sg_tenant in your curl call? This is just a guess but would help to eliminate that particular issue from the list.
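The whitelist cross-check suggested in the reply above, as an added example that is not part of the original thread: Kibana forwards to Elasticsearch only the request headers named in elasticsearch.requestHeadersWhitelist, so this check reads that setting from kibana.yml text and reports whether the tenant header a request sends is forwarded. The function names and the embedded sample are assumptions, constructed from the configuration in the question.

```python
import re

# Constructed sample: the relevant lines of the kibana.yml from the question.
KIBANA_YML = """\
searchguard.multitenancy.enabled: true
elasticsearch.requestHeadersWhitelist: ["sgtenant", "Authorization"]
"""

TENANT_HEADERS = ("sgtenant", "sg_tenant")  # both spellings tried in the thread
# Commented-out lines do not match because '#' precedes the key.
_KEY = re.compile(r"^\s*elasticsearch\.requestHeadersWhitelist\s*:\s*\[(.*?)\]")


def parse_whitelist(yml_text):
    """Return the lower-cased header whitelist from kibana.yml text.

    Only the inline-list form used on this page is handled.
    """
    for line in yml_text.splitlines():
        match = _KEY.match(line)
        if match:
            items = match.group(1).split(",")
            # Items may be double-quoted, single-quoted or bare in YAML.
            return [i.strip().strip("\"'").lower() for i in items if i.strip()]
    # Setting absent: Kibana's documented default forwards only Authorization.
    return ["authorization"]


def check_request(yml_text, request_headers):
    """Split the request's header names into forwarded and not forwarded."""
    allowed = set(parse_whitelist(yml_text))
    # HTTP header names are case-insensitive, so compare in lower case.
    sent = {name.strip().lower() for name in request_headers}
    tenant_sent = [h for h in TENANT_HEADERS if h in sent]
    return {
        "forwarded": sorted(sent & allowed),
        "not_forwarded": sorted(sent - allowed),
        "tenant_sent": tenant_sent,
        "tenant_forwarded": [h for h in tenant_sent if h in allowed],
    }


if __name__ == "__main__":
    for tenant_header in TENANT_HEADERS:
        headers = ["kbn-xsrf", tenant_header, "Content-Type", "Authorization"]
        print(tenant_header, check_request(KIBANA_YML, headers))
```

An empty tenant_forwarded list for a request that does send a tenant header means the spelling used in the call is not in the whitelist.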
Hello @jkressin , thank you for your reply.
Unfortunately, the additional header doesn't help.
ES version - 6.6.0
Kibana version - 6.6.0
Maybe I missed something in configs or request params?
To me, the config and the request parameters look good.
Here’s a sample call from one of our integration tests:
curl --insecure -Ss -u admin:admin -H 'Content-Type: application/json' -H "kbn-xsrf: true" -H "sg_tenant: adm_tenant" -XPOST "https://kibana.example.com:5601/api/saved_objects/index-pattern/humanresources" -d "@../resources/kibana/index-pattern.json"
which works fine here. Can you check if your call looks the same?
If this does not help I will need to try to recreate the issue on one of our staging systems.
Unfortunately, your example wasn't successful…
I do the following:
Create new role via sg roles api [PUT] "/roles/test"
(test is the name of the role)
params:
"cluster": ['CLUSTER_COMPOSITE_OPS'],
"indices" : [
  "my_index" : {
    "*" : "READ"
  },
],
"tenants" : {
  "my_tenant" : "RW"
}
Create role mapping [PUT] /rolesmapping/test
params:
"backendroles" : [ "test" ],
Create user [PUT] internalusers/user
{
  "password": "admin",
  "roles": ["role", "test"]
}
Create index pattern with params as I described in a message before (with sgtenant “my_tenant”).
So, can you recreate the issue on a staging system, please?
Here is the response from the server from previous tests:
http://joxi.ru/52azLaPuEDKyjA
Unfortunately I was not able to reproduce the issue. I followed the steps you provided, but the index pattern was correctly created in the tenant.
To further analyse:
Can you please provide the exact API curl call, including the returned JSON from Kibana, like:
Call:
curl --insecure -Ss -u admin:admin -H 'Content-Type: application/json' -H "kbn-xsrf: true" -H "sg_tenant: admin_tenant" -XPOST "http://kibana.example.com:5601/api/saved_objects/index-pattern/myid123" -d '
{
  "attributes" : {
    "title" : "my_index"
  }
}
'
Response
{
  "type": "index-pattern",
  "id": "myid123",
  "attributes": {
    "title": "my_index"
  },
  "migrationVersion": {
    "index-pattern": "6.5.0"
  },
  "updated_at": "2019-04-07T18:41:03.186Z",
  "version": 1
}
Also, can you please set the loglevel on Elasticsearch to debug:
Then, please issue the curl API call and post the log output here.