Unable to apply index-level security

#1

I have a requirement to restrict access to specific indices. I’ve created both a role and a role mapping, following the examples in the SG documentation. The first thing I attempted to do was to create a role and role mapping for the indices that aren’t restricted. However, users in the assigned user group (as well as the local test user) aren’t even able to log in with these mappings in effect.

When I attempt to log in, I get:

{"message":"no permissions for [indices:data/read/search] and User [name=testuser01, roles=[beats_readall], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=testuser, roles=[beats_readall], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

My role definition is:

beats_readall:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    'myapp1-*':
      '*':
      - "READ"
    'myapp2-*':
      '*':
      - "READ"
    'myapp3-*':
      '*':
      - "READ"

My role mapping is:

beats_readall:
  backendroles:
  - "MyUserGroup"
  hosts: []
  users:
  - "testuser01"

assigned jkressin #2

#3

Can you please set the log level on your Elasticsearch cluster to debug, reproduce the error and post the logs here?

Background: Whenever Search Guard raises a security exception it prints some helpful messages to the logfile. These error messages can be used to see exactly what permissions are missing and for what indices.

https://docs.search-guard.com/latest/troubleshooting-setting-log-level

We also have a permissions troubleshooting guide which explains the steps:

Also, can you post the exact call / search you perform that triggers the security exception?

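A triage helper for the kind of 403 quoted in post #1, added here as an example; it is not part of the thread and not Search Guard code. It pulls the denied action, user and roles out of the response body, then lists which index names the `beats_readall` patterns do not cover. The function names, the index names in the demo and the simple `*`/`?` wildcard matching are assumptions of this example.

```python
import json
import re

# 403 body as quoted in post #1, shortened to the first message.
SAMPLE_BODY = json.dumps({
    "message": "no permissions for [indices:data/read/search] and User "
               "[name=testuser01, roles=[beats_readall], requestedTenant=null]",
    "statusCode": 403,
    "error": "Forbidden",
})

# Index patterns of the beats_readall role from post #1.
ROLE_PATTERNS = ["myapp1-*", "myapp2-*", "myapp3-*"]

DENIAL_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<user>[^,]+), roles=\[(?P<roles>[^\]]*)\]"
)

def parse_denial(body):
    """Return the denied action, user and roles printed in a 403 body, or None."""
    doc = json.loads(body)
    m = DENIAL_RE.search(doc.get("message", ""))
    if doc.get("statusCode") != 403 or m is None:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"action": m.group("action"), "user": m.group("user"), "roles": roles}

def covering_patterns(index, patterns):
    """Patterns matching the index name; only '*' and '?' are handled (assumption)."""
    hits = []
    for p in patterns:
        rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, index):
            hits.append(p)
    return hits

def uncovered(indices, patterns):
    """Index names that none of the role's patterns match."""
    return [i for i in indices if not covering_patterns(i, patterns)]

if __name__ == "__main__":
    print(parse_denial(SAMPLE_BODY))
    # Constructed index names; replace with the indices the failing request touches.
    print(uncovered(["myapp1-2019.01.01", "otherapp-2019.01.01"], ROLE_PATTERNS))
```

Feed `uncovered()` the index names that the debug log reports for the failing request to see whether the role's patterns reach them.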