Sgtenant header not affected on index-pattern creation

When I enable multytenancy feature on SG and kibana, tenants menu bar appear in kibana and it works as expected. But when I try to create index pattern via kibana API with sgtenant header, index pattern always created inside default global tenant. Where is my mistake?

Here is my configs:

part of kibana.yml

elasticsearch.username: "system_user"
elasticsearch.password: "kibanaserver"

elasticsearch.ssl.verificationMode: none
searchguard.accountinfo.enabled: true
searchguard.multitenancy.enabled: true
elasticsearch.requestHeadersWhitelist: ["sgtenant", "Authorization"]

part of sg_config.yml

searchguard:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: 'system_user'

and my request: url [POST] http://localhost:5601/api/saved_objects/index-pattern/test

body

{
    "attributes" : {
        "title" : "test"
    }
}

headers

kbn-xsrf : true
sgtenant : admin_tenant
Content-Type: application/json
Authorization : Basic <key here>

Hm … actually the configuration you posted seems ok, and also the headers you send in the API call seem to be ok. Which version of ES/SG are you using?

Maybe you have run into an issue with the naming of the HTTP header. For a quick cross-check, can you add “sg_tenant” (with an underscore) to the whitelist:

elasticsearch.requestHeadersWhitelist: ["sgtenant", "sg_tenant", "Authorization"]

and try to use sg_tenant in your call curl? This is just a guess but would help to eliminate that particular issue from the list.

Hello @jkressin, thank you for your reply.

Unfortunately additional header doesnt help.
ES version - 6.6.0
Kibana version - 6.6.0

Maybe I missed something in configs or request params?

To me, the config and the request parameters look good.

Here’s a sample call from one of our integration tests:

curl --insecure -Ss -u admin:admin -H 'Content-Type: application/json' -H "kbn-xsrf: true" -H "sg_tenant: adm_tenant" -XPOST "https://kibana.example.com:5601/api/saved_objects/index-pattern/humanresources" -d "@../resources/kibana/index-pattern.json"

which works fine here. Can you check if your call looks the same?

If this does not help I will need to try to recreate the issue on one of our staging systems.

Unfortunately your example wasnt success…

I do next follow:

  1. Create new role via sg roles api [PUT] "/roles/test" (test is name of tole)
    params:

     "cluster": ['CLUSTER_COMPOSITE_OPS'],
     "indices" : [
         "my_index" : {
             "*" : "READ"
         },
     ],
     "tenants" : {
       "my_tenant" : "RW"
     }
    
  2. Create role mapping [PUT] /rolesmapping/test
    params:

"backendroles" : [ "test" ],
  1. Create user [PUT] internalusers/user
{
  "password": "admin",
  "roles": ["role", "test"]
}
  1. Create index pattern with params as I described in a message before (with sgtenant “my_tenant”).

So, can you recreate issue on staging system, please?

Here response from server from previous tests:
http://joxi.ru/52azLaPuEDKyjA

Unfortunately I was not able to reproduce the issue. I followed the steps you provided, but the index pattern was correctly created in the tenant.

To further analyse:

Can you please provide the exact API curl call, including the returned JSON from Kibana, like:

Call:

curl --insecure -Ss -u admin:admin -H 'Content-Type: application/json' -H "kbn-xsrf: true" -H "sg_tenant: admin_tenant" -XPOST "http://kibana.example.com:5601/api/saved_objects/index-pattern/myid123" -d '
    {
        "attributes" : {
            "title" : "my_index"
        }
    }
'

Response

{
	"type": "index-pattern",
	"id": "myid123",
	"attributes": {
		"title": "my_index"
	},
	"migrationVersion": {
		"index-pattern": "6.5.0"
	},
	"updated_at": "2019-04-07T18:41:03.186Z",
	"version": 1
}

Also, you please set the loglevel on Elasticsearch to debug:

https://docs.search-guard.com/latest/troubleshooting-setting-log-level

Then, please issue the curl API call and post the log output here.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.