Unable to apply index-level security

I have a requirement to restrict access to specific indices. I’ve created both a role and a role mapping, following the examples in the SG documentation. The first thing I attempted to do was to create a role and role mapping for the indices that aren’t restricted. However, users in the assigned user group (as well as the local test user) aren’t able to even login, with these mappings in effect.

When I attempt to login, I get:

{"message":"no permissions for [indices:data/read/search] and User [name=testuser01, roles=[beats_readall], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=testuser, roles=[beats_readall], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

My role definition is:

beats_readall:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    'myapp1-*':
      '*':
      - "READ"
    'myapp2-*':
      '*':
      - "READ"
    'myapp3-*':
      '*':
      - "READ"

My role mapping is:

beats_readall:
  backendroles:
  - "MyUserGroup"
  hosts: []
  users:
  - "testuser01"

Can you please set the log level on your Elasticsearch cluster to debug, reproduce the error and post the logs here?

Background: Whenever Search Guard raises a security exception it prints some helpful messages to the logfile. These error messages can be used to see exactly what permissions are missing and for what indices.

https://docs.search-guard.com/latest/troubleshooting-setting-log-level

We also have a permissions troubleshooting guide which explains the steps:

Also, can you post the exact call / search you perform that triggers the security exception?

I’m not attempting to do a call or search that is causing this. I’m attempting to login. The weird thing is that, if I write the definition the same as sg_readall, it works just fine.

Also - logs are rather large. Anywhere I can actually upload them as a file?

So, as a follow-up…when I follow the instructions under the Permissions Troubleshooting link provided above to retrieve data via curl, I’m able to retrieve the data I expect to see from the command line via curl.

However, when I attempt to login via Kibana, I get the following in the log:

[2019-05-03T09:31:53,913][ERROR][c.f.s.a.BackendRegistry  ] [p01rut007] Cannot retrieve roles for User [name=testuser, roles=[], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user testuser found]]; nested: ElasticsearchSecurityException[No user testuser found];

However, if I set the indices value to *, as with the sg_readall role, the user can login with the expected permissions.

OK…digging into it, it looks as if that’s an LDAP error, since this is a local test user. If I add * for indices, I can login and still receive the same error.

I think I got it. I had to grant READ access to the ?kibana* indices, so that the user could login.

For all users stumbling across the same issue: Any Kibana user should be mapped to the sg_kibana_user (SG6) / SGS_KIBANA_USER (SG7) role. Those roles contain the minimum set of permissions for using Kibana, like READ access to the Kibana index:
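The fix both of the last two posts arrive at (the Kibana user also needs READ on the Kibana index, normally by mapping them to sg_kibana_user as well as to their data role) can be checked before the config is deployed. The following is an added example, not code from this thread or from Search Guard: a simplified Python model of SG6 role mapping and index-permission resolution, fed with the thread's beats_readall role and mapping. The READ action-group contents and the minimal sg_kibana_user stand-in are assumptions, not the real Search Guard definitions.

```python
import fnmatch

# Assumed subset of the Search Guard READ action group (not the full real list).
ACTION_GROUPS = {
    "READ": ["indices:data/read/*", "indices:admin/mappings/fields/get*"],
}

# Role definitions: index pattern -> action groups (the '*' doc-type level flattened).
# beats_readall is the role from the thread; sg_kibana_user is a hypothetical
# minimal stand-in that only grants READ on the Kibana index.
ROLES = {
    "beats_readall": {"myapp1-*": ["READ"], "myapp2-*": ["READ"], "myapp3-*": ["READ"]},
    "sg_kibana_user": {"?kibana*": ["READ"]},
}

# Role mapping from the thread, in the shape of sg_roles_mapping.yml.
ROLE_MAPPING = {
    "beats_readall": {"backendroles": ["MyUserGroup"], "users": ["testuser01"]},
}

def effective_roles(user, backend_roles, mapping=ROLE_MAPPING):
    """Roles a user ends up with: mapped by user name or by any backend (LDAP) role."""
    return {
        role for role, m in mapping.items()
        if user in m.get("users", []) or set(backend_roles) & set(m.get("backendroles", []))
    }

def expand(group):
    """Expand an action-group name into action patterns; raw action names pass through."""
    return ACTION_GROUPS.get(group, [group])

def is_allowed(roles, index, action, role_defs=ROLES):
    """True if some held role has an index pattern matching `index` whose groups cover `action`."""
    for role in roles:
        for pattern, groups in role_defs.get(role, {}).items():
            if fnmatch.fnmatchcase(index, pattern):
                if any(fnmatch.fnmatchcase(action, p) for g in groups for p in expand(g)):
                    return True
    return False

def kibana_login_gap(roles):
    """Actions on .kibana that the thread's login error reports but the roles do not grant."""
    needed = ["indices:data/read/search"]  # the action named in the 403 above
    return [a for a in needed if not is_allowed(roles, ".kibana", a)]

if __name__ == "__main__":
    held = effective_roles("testuser01", ["MyUserGroup"])
    print("roles:", sorted(held), "login gap:", kibana_login_gap(held))
    print("with sg_kibana_user:", kibana_login_gap(held | {"sg_kibana_user"}))
```

Run against the thread's config the gap is exactly the action from the 403; adding sg_kibana_user to the user's mapping closes it without widening access to the myapp indices.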
