[SOLVED] Limiting access to indices

Hello, I am putting this solution here because I saw that many people on some forums cannot find a solution. I came to the solution by chance. I tried to limit access to the tomcat-* indices. The configurations are found below. After logging in to Kibana (with role sg_tomcat_user_1), I saw only a blank page in the DISCOVER tab. After changing the role from
sg_tomcat_user_1 to sg_tomcat_user_2, I got access to the tomcat-* indices in the DISCOVER tab. If I chose different indices, e.g. nginx-*, I got the expected message:

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=tomcat, roles=[tomcat_role], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=tomcat, roles=[tomcat_role], requestedTenant=null]"},"status":403}

setting roles
vim /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
sg_tomcat_user_1:
  cluster:
    - UNLIMITED
  indices:
    'tomcat-*':
      '*':
        - UNLIMITED
sg_tomcat_user_2:
  cluster:
    - indices:data/read/mget
    - indices:data/read/msearch
    - indices:data/read/search
    - indices:data/read/field_caps
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    'tomcat-*':
      '*':
        - indices:admin/mappings/fields/get
        - indices:admin/validate/query
        - indices:data/read/search
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/read/field_caps
        - READ
        - SEARCH
setting roles mapping
vim /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
sg_tomcat_user_1:
  backendroles:
    - tomcat_role
#sg_tomcat_user_2:
#  backendroles:
#    - tomcat_role

setting user
vim /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
tomcat:
  hash: $2y$12$Bbdmu8BGdNjGs3yNqT8JTOOwVd9viT8DU2wqho2zrep42UTJzFY3O
  roles:
    - tomcat_role
applying changes
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key /etc/elasticsearch/kirk-key.pem -cert /etc/elasticsearch/kirk.pem -cacert /etc/elasticsearch/root-ca.pem -nhnv
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Connected as CN=kirk,OU=client,O=client,L=Test,C=DE
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: c1.lm.localhost
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘sg/roles’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Done with success
If you know how to limit the list of available indices to only tomcat-* in the DISCOVERY tab, I’d be glad.
Have a nice day.
Vasek
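
The difference between the two roles in the post, as an added example that is not part of the original post or of Search Guard: a small Python check of which index names each role's patterns cover and with which permissions. It assumes `*` matches any run of characters and `?` exactly one, that Kibana's own index is named `.kibana`, and it uses constructed index names; action groups such as READ are not expanded.

```python
import re

# Index permissions per role, transcribed from the sg_roles.yml in the post
# (the '*' document-type level is folded away; action groups are not expanded).
ROLES = {
    "sg_tomcat_user_1": {
        "tomcat-*": ["UNLIMITED"],
    },
    "sg_tomcat_user_2": {
        "?kibana": ["MANAGE", "INDEX", "READ", "DELETE"],
        "tomcat-*": [
            "indices:admin/mappings/fields/get", "indices:admin/validate/query",
            "indices:data/read/search", "indices:data/read/msearch",
            "indices:data/read/field_stats", "indices:data/read/field_caps",
            "READ", "SEARCH",
        ],
    },
}

# Constructed sample index names; ".kibana" is assumed to be Kibana's own index.
SAMPLE_INDICES = [".kibana", "tomcat-2018.06.01", "nginx-2018.06.01"]


def wildcard_to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one; the rest is literal."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out))


def grants(role, index):
    """Return the permissions a role's index patterns grant on one index name."""
    perms = []
    for pattern, allowed in ROLES[role].items():
        if wildcard_to_regex(pattern).fullmatch(index):
            perms.extend(allowed)
    return perms


def coverage(role, indices=SAMPLE_INDICES):
    """Split index names into those the role covers and those it does not."""
    covered = [i for i in indices if grants(role, i)]
    denied = [i for i in indices if not grants(role, i)]
    return covered, denied


if __name__ == "__main__":
    for role in ROLES:
        covered, denied = coverage(role)
        print(f"{role}: covered={covered} denied={denied}")
```

Under these assumptions sg_tomcat_user_1 has no entry that covers `.kibana`, while sg_tomcat_user_2 does through `?kibana`; neither role covers the nginx index, which matches the 403 quoted in the post.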