Stop user seeing index he/she doesn't have access to.

Hey, I am sure I am doing something incorrect here; however, when a user signs into Kibana they are able to see indexes they don’t have access to.

For example

My user has access to nginx-* to read/search/get but not the others.

Now here is my config:

```yaml
sg_role_developer:
  cluster:
    - UNLIMITED
  indices:
    'nginx-*':
      '*':
        - READ
        - GET
        - SEARCH
      dls: '{"query": { "bool": { "should": { "term": { "fields.environment": "dev" }}}}}'
    '?kibana':
      '*':
        - INDICES_ALL
      dls: '{"query": { "bool": { "should": { "term": { "fields.environment": "dev" }}}}}'
```

I thought it would be a case of just changing this:

```yaml
'?kibana':
  'nginx-*':
    - INDICES_ALL
```

But this just causes it to load a white screen.

(I’m aware the DLS command is most likely wrong, I am still testing this :) )

Does anyone have any idea here?

On Tuesday, 3 October 2017 17:12:39 UTC+1, anthony...@actual-experience.com wrote:

> Hey, I am sure I am doing something incorrect here; however, when a user signs into Kibana they are able to see indexes they don’t have access to.
> [...]

Hi Antony,

Let me start by saying that I am not a Search Guard expert; I started using it a few weeks ago. However, I think I know what’s wrong with your config.

The role definition structure is:

```yaml
<sg_role_name>:
  cluster:
    - '<action group or single permission>'
    - ...
  indices:
    '<indexname or alias>':
      '<document type>':
        - '<action group or single permission>'
        - ...
```

Reference: http://floragunncom.github.io/search-guard-docs/configuration_roles_permissions.html

Looking at your “?kibana” section, you wrote “nginx-*” as the document type, which is not the type but the name of an index pattern. The type is actually “index-pattern” (you can see it by doing a simple query: “GET .kibana/index-pattern/_search”). You will see that you have multiple entries of the index-pattern type, one for each pattern you configured. With this explanation in mind, what you want to do is actually restrict the access to the document level (a user should be able to see only a specific document of the “.kibana” index), and this, I think, is an Enterprise feature (see https://floragunn.com/).

Summarizing, your config is not correct for what you want to achieve, and you cannot do what you want to do with the free version of Search Guard.

Please do not take this as the oracle truth; I am just a user, and not even for a very long time.

Cheers,

On Wednesday, October 4, 2017 at 11:43:10 AM UTC+1, anthony...@actual-experience.com wrote:

> Does anyone have any idea here?
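A simplified model of the two-level role structure described in the reply above, written as an added example; it is not part of the thread and not Search Guard's own code. It shows why moving `nginx-*` to the document-type level removes all access to `.kibana`, while the role as posted lets the user read every index-pattern document. `fnmatchcase` is an assumed stand-in for Search Guard's wildcard matching, `dls` is not modelled, and the index name `nginx-2017.10.03` and type `logs` used with it are constructed.

```python
from fnmatch import fnmatchcase

# `indices` sections constructed from the thread: as posted, and after the change.
ROLE_AS_POSTED = {
    "nginx-*": {"*": ["READ", "GET", "SEARCH"]},
    "?kibana": {"*": ["INDICES_ALL"]},
}
ROLE_AFTER_CHANGE = {
    "nginx-*": {"*": ["READ", "GET", "SEARCH"]},
    "?kibana": {"nginx-*": ["INDICES_ALL"]},
}


def granted(indices, index, doc_type):
    """Return the action groups granted on a concrete index and document type.

    First-level keys are matched against the index name and second-level
    keys against the document type, as in the quoted role structure.
    """
    result = set()
    for index_pattern, types in indices.items():
        if not fnmatchcase(index, index_pattern):
            continue
        for type_pattern, perms in types.items():
            if fnmatchcase(doc_type, type_pattern):
                result.update(perms)
    return result


def suspicious_type_keys(indices):
    """Flag document-type keys that repeat one of the role's index-name keys,
    a sign that an index pattern was written at the type level."""
    index_keys = set(indices)
    return sorted(
        (index_pattern, type_pattern)
        for index_pattern, types in indices.items()
        for type_pattern in types
        if type_pattern in index_keys
    )


if __name__ == "__main__":
    for name, role in (("posted", ROLE_AS_POSTED), ("changed", ROLE_AFTER_CHANGE)):
        print(name, granted(role, ".kibana", "index-pattern"), suspicious_type_keys(role))
```

With the changed role the model grants nothing on `.kibana`/`index-pattern`, the type under which Kibana stores its index patterns according to the reply.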

Thanks for the reply. I definitely got the wrong end of the stick with the Kibana reference, and I am still battling with this. Thankfully I am in contact with a support team to guide me through it; when I find my answer I will post it here.

On Monday, 9 October 2017 11:59:25 UTC+1, Alessandro Puccetti wrote:

> Hi Antony,
> [...]
> Reference: http://floragunncom.github.io/search-guard-docs/configuration_roles_permissions.html
> [...]