Sgtenant header not affected on index-pattern creation

#1

When I enable multytenancy feature on SG and kibana, tenants menu bar appear in kibana and it works as expected. But when I try to create index pattern via kibana API with sgtenant header, index pattern always created inside default global tenant. Where is my mistake?

Here is my configs:

part of kibana.yml

elasticsearch.username: "system_user"
elasticsearch.password: "kibanaserver"

elasticsearch.ssl.verificationMode: none
searchguard.accountinfo.enabled: true
searchguard.multitenancy.enabled: true
elasticsearch.requestHeadersWhitelist: ["sgtenant", "Authorization"]

part of sg_config.yml

searchguard:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: 'system_user'

and my request: url [POST] http://localhost:5601/api/saved_objects/index-pattern/test

body

{
    "attributes" : {
        "title" : "test"
    }
}

headers

kbn-xsrf : true
sgtenant : admin_tenant
Content-Type: application/json
Authorization : Basic <key here>
0 Likes

assigned jkressin #2
0 Likes

#3

Hm … actually the configuration you posted seems ok, and also the headers you send in the API call seem to be ok. Which version of ES/SG are you using?

Maybe you have run into an issue with the naming of the HTTP header. For a quick cross-check, can you add “sg_tenant” (with an underscore) to the whitelist:

elasticsearch.requestHeadersWhitelist: ["sgtenant", "sg_tenant", "Authorization"]

and try to use sg_tenant in your call curl? This is just a guess but would help to eliminate that particular issue from the list.

0 Likes

#4

Hello @jkressin, thank you for your reply.

Unfortunately additional header doesnt help.
ES version - 6.6.0
Kibana version - 6.6.0

Maybe I missed something in configs or request params?

0 Likes

#5

To me, the config and the request parameters look good.

Here’s a sample call from one of our integration tests:

curl --insecure -Ss -u admin:admin -H 'Content-Type: application/json' -H "kbn-xsrf: true" -H "sg_tenant: adm_tenant" -XPOST "https://kibana.example.com:5601/api/saved_objects/index-pattern/humanresources" -d "@../resources/kibana/index-pattern.json"

which works fine here. Can you check if your call looks the same?

If this does not help I will need to try to recreate the issue on one of our staging systems.

0 Likes

#6

Unfortunately your example wasnt success…

I do next follow:

  1. Create new role via sg roles api [PUT] "/roles/test" (test is name of tole)
    params:

     "cluster": ['CLUSTER_COMPOSITE_OPS'],
     "indices" : [
         "my_index" : {
             "*" : "READ"
         },
     ],
     "tenants" : {
       "my_tenant" : "RW"
     }
    
  2. Create role mapping [PUT] /rolesmapping/test
    params:

"backendroles" : [ "test" ],
  1. Create user [PUT] internalusers/user
{
  "password": "admin",
  "roles": ["role", "test"]
}
  1. Create index pattern with params as I described in a message before (with sgtenant “my_tenant”).

So, can you recreate issue on staging system, please?

0 Likes

#7

Here response from server from previous tests:
http://joxi.ru/52azLaPuEDKyjA

0 Likes

#8

Unfortunately I was not able to reproduce the issue. I followed the steps you provided, but the index pattern was correctly created in the tenant.

To further analyse:

Can you please provide the exact API curl call, including the returned JSON from Kibana, like:

Call:

curl --insecure -Ss -u admin:admin -H 'Content-Type: application/json' -H "kbn-xsrf: true" -H "sg_tenant: admin_tenant" -XPOST "http://kibana.example.com:5601/api/saved_objects/index-pattern/myid123" -d '
    {
        "attributes" : {
            "title" : "my_index"
        }
    }
'

Response

{
	"type": "index-pattern",
	"id": "myid123",
	"attributes": {
		"title": "my_index"
	},
	"migrationVersion": {
		"index-pattern": "6.5.0"
	},
	"updated_at": "2019-04-07T18:41:03.186Z",
	"version": 1
}

Also, you please set the loglevel on Elasticsearch to debug:

https://docs.search-guard.com/latest/troubleshooting-setting-log-level

Then, please issue the curl API call and post the log output here.

0 Likes