Unable to Refresh Index Pattern in Kibana

Elasticsearch version:
7.9.1 and 7.10.2

Kibana version (if relevant):
7.9.1 and 7.10.2

Describe the issue:
Unable to refresh index patterns in Kibana

Steps to reproduce:

  1. enable FLS on some indices
  2. try to refresh Kibana index pattern - fails
  3. disable FLS on all indices
  4. Clear SG cache
  5. try to refresh Kibana index pattern - still fails

Expected behavior:
Index patttern gets refreshed and adds new fields

Provide logs:
Elasticsearch

PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields={quantum_prod_v1_2021_02_23=[~operation.settingsUpdates.selectAnswer, ~operation.settingsUpdates.password, ~operation.settingsUpdates.securityCode, ~operation.settingsUpdates.selectQuestion, ~operation.settingsUpdates.confirmPassword]}, maskedFields=null, queries=null]

Kibana (if relevant)

{“type”:“response”,"@timestamp":“2021-02-23T16:27:04Z”,“tags”:,“pid”:16,“method”:“get”,“statusCode”:200,“req”:{“url”:"/api/index_patterns/_fields_for_wildcard?pattern=quantum_prod_today&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score",“method”:“get”,“headers”:{“host”:“edited”,“sec-ch-ua”:"“Chromium”;v=“88”, “Google Chrome”;v=“88”, “;Not A Brand”;v=“99"”,“sec-ch-ua-mobile”:"?0",“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36”,“kbn-version”:“7.10.2”,“content-type”:“application/json”,“accept”:"/",“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“cors”,“sec-fetch-dest”:“empty”,“referer”:“https://edited/kibana/app/management/kibana/indexPatterns/patterns/8be439c0-cd83-11e8-8da8-33f92a7b1a47",“accept-encoding”:"gzip, deflate, br”,“accept-language”:“en-US,en;q=0.9,fr;q=0.8”,“x-opaque-id”:“mine”,“x-forwarded-for”:“1.1.1.1, 1.1.1.1”,“x-forwarded-host”:“edited”,“x-forwarded-proto”:“https”,“connection”:“close”},“remoteAddress”:“1.1.1.1”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36”,“referer”:“https://edited/kibana/app/management/kibana/indexPatterns/patterns/8be439c0-cd83-11e8-8da8-33f92a7b1a47"},“res”:{“statusCode”:200,“responseTime”:77,“contentLength”:9},“message”:"GET /api/index_patterns/_fields_for_wildcard?pattern=quantum_prod_today&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score 200 77ms - 9.0B”}

{“type”:“log”,"@timestamp":“2021-02-23T16:27:04Z”,“tags”:[“error”,“elasticsearch”,“data”],“pid”:16,“message”:"[security_exception]: Update is not supported when FLS or DLS or Fieldmasking is activated"}

{“type”:“error”,"@timestamp":“2021-02-23T16:27:04Z”,“tags”:,“pid”:16,“level”:“error”,“error”:{“message”:“Internal Server Error”,“name”:“Error”,“stack”:“Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:132:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:86:19)\n at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:81:17)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)”},“url”:{“protocol”:null,“slashes”:null,“auth”:null,“host”:null,“port”:null,“hostname”:null,“hash”:null,“search”:null,“query”:{},“pathname”:"/api/saved_objects/index-pattern/8be439c0-cd83-11e8-8da8-33f92a7b1a47",“path”:"/api/saved_objects/index-pattern/8be439c0-cd83-11e8-8da8-33f92a7b1a47",“href”:"/api/saved_objects/index-pattern/8be439c0-cd83-11e8-8da8-33f92a7b1a47"},“message”:“Internal Server Error”}

{“type”:“response”,"@timestamp":“2021-02-23T16:27:04Z”,“tags”:,“pid”:16,“method”:“put”,“statusCode”:500,“req”:{“url”:"/api/saved_objects/index-pattern/8be439c0-cd83-11e8-8da8-33f92a7b1a47",“method”:“put”,“headers”:{“host”:“edited”,“content-length”:“89698”,“sec-ch-ua”:"“Chromium”;v=“88”, “Google Chrome”;v=“88”, “;Not A Brand”;v=“99"”,“sec-ch-ua-mobile”:"?0",“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36”,“kbn-version”:“7.10.2”,“content-type”:“application/json”,“accept”:"/",“origin”:“https://edited”,“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“cors”,“sec-fetch-dest”:“empty”,“referer”:“https://edited/kibana/app/management/kibana/indexPatterns/patterns/8be439c0-cd83-11e8-8da8-33f92a7b1a47",“accept-encoding”:"gzip, deflate, br”,“accept-language”:“en-US,en;q=0.9,fr;q=0.8”,“x-opaque-id”:“mine”,“x-forwarded-for”:“1.1.1.1, 1.1.1.1”,“x-forwarded-host”:“edited”,“x-forwarded-proto”:“https”,“connection”:“close”},“remoteAddress”:“1.1.1.1”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36”,“referer”:“https://edited/kibana/app/management/kibana/indexPatterns/patterns/8be439c0-cd83-11e8-8da8-33f92a7b1a47"},“res”:{“statusCode”:500,“responseTime”:348,“contentLength”:9},“message”:"PUT /api/saved_objects/index-pattern/8be439c0-cd83-11e8-8da8-33f92a7b1a47 500 348ms - 9.0B”}

Screenshots (if relevant):

Errors in browser console (if relevant):

VM271:1 PUT https://edited/kibana/api/saved_objects/index-pattern/8be439c0-cd83-11e8-8da8-33f92a7b1a47 500 (Internal Server Error)
(anonymous) @ VM271:1
_callee3$ @ core.entry.js:6
l @ kbn-ui-shared-deps.js:380
(anonymous) @ kbn-ui-shared-deps.js:380
forEach.e. @ kbn-ui-shared-deps.js:380
fetch_asyncGeneratorStep @ core.entry.js:6
_next @ core.entry.js:6
(anonymous) @ core.entry.js:6
(anonymous) @ core.entry.js:6
fetchResponse @ core.entry.js:6
_callee$ @ core.entry.js:6
l @ kbn-ui-shared-deps.js:380
(anonymous) @ kbn-ui-shared-deps.js:380
forEach.e. @ kbn-ui-shared-deps.js:380
fetch_asyncGeneratorStep @ core.entry.js:6
_next @ core.entry.js:6
Promise.then (async)
fetch_asyncGeneratorStep @ core.entry.js:6
_next @ core.entry.js:6
(anonymous) @ core.entry.js:6
(anonymous) @ core.entry.js:6
(anonymous) @ core.entry.js:6
_callee2$ @ core.entry.js:6
l @ kbn-ui-shared-deps.js:380
(anonymous) @ kbn-ui-shared-deps.js:380
forEach.e. @ kbn-ui-shared-deps.js:380
fetch_asyncGeneratorStep @ core.entry.js:6
_next @ core.entry.js:6
(anonymous) @ core.entry.js:6
(anonymous) @ core.entry.js:6
(anonymous) @ core.entry.js:6
savedObjectsFetch @ core.entry.js:13
update @ core.entry.js:13
_callee3$ @ data.plugin.js:1
l @ kbn-ui-shared-deps.js:380
(anonymous) @ kbn-ui-shared-deps.js:380
forEach.e. @ kbn-ui-shared-deps.js:380
asyncGeneratorStep @ data.plugin.js:1
_next @ data.plugin.js:1
(anonymous) @ data.plugin.js:1
(anonymous) @ data.plugin.js:1
update @ data.plugin.js:1
_callee19$ @ data.plugin.js:1
l @ kbn-ui-shared-deps.js:380
(anonymous) @ kbn-ui-shared-deps.js:380
forEach.e. @ kbn-ui-shared-deps.js:380
index_patterns_asyncGeneratorStep @ data.plugin.js:1
_next @ data.plugin.js:1
(anonymous) @ data.plugin.js:1
(anonymous) @ data.plugin.js:1
updateSavedObject @ data.plugin.js:1
_callee$ @ indexPatternManagement.chunk.1.js:1
l @ kbn-ui-shared-deps.js:380
(anonymous) @ kbn-ui-shared-deps.js:380
forEach.e. @ kbn-ui-shared-deps.js:380
edit_index_pattern_asyncGeneratorStep @ indexPatternManagement.chunk.1.js:1
_next @ indexPatternManagement.chunk.1.js:1
Promise.then (async)
edit_index_pattern_asyncGeneratorStep @ indexPatternManagement.chunk.1.js:1
_next @ indexPatternManagement.chunk.1.js:1
(anonymous) @ indexPatternManagement.chunk.1.js:1
(anonymous) @ indexPatternManagement.chunk.1.js:1
(anonymous) @ indexPatternManagement.chunk.1.js:1
Promise.then (async)
refreshFields @ indexPatternManagement.chunk.1.js:1
g @ kbn-ui-shared-deps.js:434
S @ kbn-ui-shared-deps.js:434
(anonymous) @ kbn-ui-shared-deps.js:434
M @ kbn-ui-shared-deps.js:434
L @ kbn-ui-shared-deps.js:434
A @ kbn-ui-shared-deps.js:434
x @ kbn-ui-shared-deps.js:434
wn @ kbn-ui-shared-deps.js:434
ce @ kbn-ui-shared-deps.js:434
Ln @ kbn-ui-shared-deps.js:434
Nn @ kbn-ui-shared-deps.js:434
xn @ kbn-ui-shared-deps.js:434
t.unstable_runWithPriority @ kbn-ui-shared-deps.js:442
Hi @ kbn-ui-shared-deps.js:434
se @ kbn-ui-shared-deps.js:434
An @ kbn-ui-shared-deps.js:434
Show 26 more frames
core.entry.js:6 Uncaught (in promise) Error: Internal Server Error
at Fetch._callee3$ (core.entry.js:6)
at l (kbn-ui-shared-deps.js:380)
at Generator._invoke (kbn-ui-shared-deps.js:380)
at Generator.forEach.e. [as next] (kbn-ui-shared-deps.js:380)
at fetch_asyncGeneratorStep (core.entry.js:6)
at _next (core.entry.js:6)

Additional data:
Have tried with my personal account and the admin account

We have an issue open with our search guard support vendor for at least a week, that has not yielded anything fruitful as of yet.

Can you please post the content your your sg_roles configuration with FLS active?

Also, the logs you are providing seem to reflect that FLS still active. You also wrote that the refresh does not work when FLS is disabled. Do you also have logs (from Elasticsearch and Kibana) in this situation?

I applied FLS: null changes to wrong cluster.
This needs to be documented for FLS, DLS
Ideally, using FLS, DLS, field_masking should not restrict refreshing any kibana index_pattern

We would need the sg_roles with the FLS configuration to be able to tell what exactly went wrong here.


_sg_meta:
type: “roles”
config_version: 2
kibana_dashboard_only_user:
reserved: true
hidden: false
description: “Migrated from v6 (all types mapped)”
cluster_permissions:

  • “INDICES_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “?kibana”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “?kibana-6”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/read/field_caps*”
    • “indices:data/read/search”
      tenant_permissions:
      static: false
      sg_own_index:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “${user_name}”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
      tenant_permissions:
      static: false
      venona_admin:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “indices:admin/template/put”
  • “indices:admin/template/get”
    index_permissions:
  • index_patterns:
    • “venona*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “unlimited”
      tenant_permissions:
      static: false
      nifingest:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/write/index”
    • “indices:admin/refresh*”
    • “indices:data/write/bulk*”
    • “indices:admin/create*”
    • “indices:admin/mapping/put”
    • “indices:admin/create”
    • “indices:admin/auto_create”
    • “indices:admin/mapping/auto_put”
    • “indices:admin/*”
    • “indices:admin/mappings/auto_put”
      tenant_permissions:
      static: false
      pi_kibana_user:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “INDICES_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “?kibana”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “?kibana-6”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/read/field_caps*”
    • “indices:data/read/search”
      tenant_permissions:
      static: false
      sg_xp_monitoring:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “cluster:monitor/xpack/info”
  • “cluster:monitor/main”
  • “cluster:admin/xpack/monitoring/bulk”
    index_permissions:
  • index_patterns:
    • “?monitor*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
      tenant_permissions:
      static: false
      sg_kibana:
      reserved: false
      hidden: false
      description: “Migrated from v6, was in rolemappings but no role existed”
      cluster_permissions:
      index_permissions:
      tenant_permissions:
      static: false
      sg_kibana_user:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “INDICES_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “?kibana*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
    • “DELETE”
    • “MANAGE”
    • “INDEX”
  • index_patterns:
    • “?kibana-6”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
    • “DELETE”
    • “MANAGE”
    • “INDEX”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/read/field_caps*”
      tenant_permissions:
      static: false
      sg_xp_alerting:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “indices:data/read/scroll”
  • “cluster:admin/xpack/watcher*”
  • “cluster:monitor/xpack/watcher*”
    index_permissions:
  • index_patterns:
    • “?watches*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?watcher-history-*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?triggered_watches”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
    • “indices:admin/aliases/get”
      tenant_permissions:
      static: false
      elasticview:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “spectrum_guide_rollout_*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
    • “indices:admin/create*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      gis_user:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “gis_*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
    • “indices:admin/create*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      read_only_venona:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
  • index_patterns:
    • “venona*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “indices:data/read/search*”
    • “indices:admin/get*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_READ”
      static: false
      elastalert:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/mapping/put*”
    • “indices:admin/refresh*”
    • “indices:admin/create*”
    • “indices:admin/mapping/put”
    • “indices:data/read/search”
    • “indices:admin/get*”
  • index_patterns:
    • “elastalert*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “indices:data/read/search”
    • “indices:admin/get*”
    • “UNLIMITED”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      sg_readonly_dlsfls:
      reserved: false
      hidden: false
      description: “Migrated from v6, was in rolemappings but no role existed”
      cluster_permissions:
      index_permissions:
      tenant_permissions:
      static: false
      sg_readall_and_monitor:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_MONITOR”
  • “CLUSTER_COMPOSITE_OPS_RO”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
      tenant_permissions:
      static: false
      sg_readall:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_COMPOSITE_OPS_RO”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
    • “indices:data/read/search”
      tenant_permissions:
      static: false
      sg_readall_except_gis:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “cluster:monitor/nodes/stats”
  • “cluster:monitor/health”
  • “CLUSTER_COMPOSITE_OPS_RO”
  • “cluster:monitor/state”
  • “cluster:monitor/nodes/info”
  • “cluster:monitor/main”
  • “indices:data/read/scroll*”
  • “indices:monitor/settings/get”
  • “indices:monitor/*”
    index_permissions:
  • index_patterns:
    • ‘/((?!gis_)(\S|\s))*/’
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
    • “indices:data/read/search”
    • “indices:data/read/scroll”
    • “indices:admin/aliases/get”
    • “indices:monitor/settings/get”
    • “indices:monitor/*”
      tenant_permissions:
      static: false
      sg_kibana_testindex:
      reserved: false
      hidden: false
      description: “Migrated from v6, was in rolemappings but no role existed”
      cluster_permissions:
      index_permissions:
      tenant_permissions:
      static: false
      sg_alerting:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “indices:data/read/scroll”
  • “cluster:admin/xpack/watcher/watch/put”
  • “cluster:admin/xpack/watcher*”
  • “CLUSTER_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “?kibana*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “?watches*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?watcher-history-*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?triggered_watches”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
      tenant_permissions:
      static: false
      sg_readonly_and_monitor:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_MONITOR”
  • “CLUSTER_COMPOSITE_OPS_RO”
  • “cluster:admin/xpack/monitoring/*”
  • “cluster:admin/ingest/pipeline/get”
  • “indices:admin/template/get”
  • “indices:admin/get”
  • “cluster:admin/repository/get”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
    • “indices:monitor/stats”
    • “indices:data/read/field_caps”
    • “indices:admin/get”
    • “indices:monitor/settings/get”
    • “indices:admin/aliases/get”
    • “indices:monitor/recovery”
    • “indices:monitor/segments”
      tenant_permissions:
      static: false
      quantum_stream_aggs:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “quantum_stream_aggs*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
    • “indices:admin/create*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      sg_monitor:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “cluster:admin/xpack/monitoring/*”
  • “cluster:admin/ingest/pipeline/put”
  • “cluster:admin/ingest/pipeline/get”
  • “indices:admin/template/get”
  • “indices:admin/template/put”
  • “CLUSTER_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
    index_permissions:
  • index_patterns:
    • “?monitor*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?marvel*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?kibana*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:monitor/stats”
    • “indices:data/read/field_caps”
    • “indices:monitor/settings/get”
      tenant_permissions:
      static: false
      sg_manage_snapshots:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “MANAGE_SNAPSHOTS”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/write/index”
    • “indices:admin/create”
      tenant_permissions:
      static: false
      sg_xp_machine_learning:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “cluster:admin/persistent*”
  • “cluster:internal/xpack/ml*”
  • “indices:data/read/scroll*”
  • “cluster:admin/xpack/ml*”
  • “cluster:monitor/xpack/ml*”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “READ”
    • “indices:admin/get*”
  • index_patterns:
    • “?ml-*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “*”
      tenant_permissions:
      static: false
      customeridentity:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “customer_identity_*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
    • “indices:admin/create*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      sg_kibana_server:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
  • “cluster:admin/xpack/monitoring*”
  • “indices:admin/template*”
  • “indices:admin/create*”
  • “indices:data/read/scroll*”
  • “cluster:admin/ilm/get”
  • “cluster:admin/ilm/put”
    index_permissions:
  • index_patterns:
    • “?kibana*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
    • “INDICES_ALL”
    • “DELETE”
    • “MANAGE”
    • “INDEX”
    • “indices:admin/auto_create”
    • “indices:data/write/reindex”
  • index_patterns:
    • “?tasks*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “?reporting*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
    • “indices:admin/auto_create”
    • “indices:data/read/get”
  • index_patterns:
    • “?monitoring*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “INDICES_ALL”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “INDICES_ALL”
    • “READ”
    • “DELETE”
    • “MANAGE”
    • “INDEX”
    • “indices:data/read/get”
    • “indices:admin/auto_create”
    • “indices:admin/mappings/auto_put”
      tenant_permissions:
      static: false
      sg_all_access:
      reserved: true
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
  • “MANAGE_SNAPSHOTS”
  • “cluster:admin/snapshot/restore”
  • “cluster:admin/*”
  • “*”
    index_permissions:
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/write/index”
    • “indices:data/write/update”
    • “indices:admin/mapping/put”
    • “indices:admin/create”
    • “UNLIMITED”
    • “indices:admin/get”
    • “*”
    • “cluster:admin/snapshot/restore”
      tenant_permissions:
  • tenant_patterns:
    • “admin_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      sg_public:
      reserved: false
      hidden: false
      description: “Migrated from v6, was in rolemappings but no role existed”
      cluster_permissions:
      index_permissions:
      tenant_permissions:
      static: false
      sg_logstash:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “CLUSTER_MONITOR”
  • “CLUSTER_COMPOSITE_OPS”
  • “indices:admin/template/get”
  • “indices:admin/template/put”
    index_permissions:
  • index_patterns:
    • “logstash-*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “CRUD”
    • “CREATE_INDEX”
  • index_patterns:
    • beat
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “CRUD”
    • “CREATE_INDEX”
      tenant_permissions:
      static: false
      hsdookla:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “hsd_ookla_*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “gis_events_hsd_ookla*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
    • “indices:admin/create*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      speedtest:
      reserved: false
      hidden: false
      description: “Migrated from v6 (all types mapped)”
      cluster_permissions:
  • “UNLIMITED”
    index_permissions:
  • index_patterns:
    • “speedtest*”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “UNLIMITED”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:admin/refresh*”
    • “indices:admin/create*”
      tenant_permissions:
  • tenant_patterns:
    • “test_tenant”
    • “adm_tenant”
      allowed_actions:
    • “SGS_KIBANA_ALL_WRITE”
      static: false
      sg_signals_manager:
      reserved: false
      hidden: false
      description: “Role for kibana users to be able to use watches”
      cluster_permissions:
  • “SGS_SIGNALS_ACCOUNT_MANAGE”
  • “SGS_CLUSTER_COMPOSITE”
  • “SGS_SIGNALS_ALL”
    index_permissions:
  • index_patterns:
    • “?kibana-6”
      dls: null
      fls: null
      masked_fields: null
      allowed_actions:
    • “READ”
  • index_patterns:
    • “*”
      dls: null
      fls:
      • “~operation.settingsUpdates.confirmPassword”
      • “~operation.settingsUpdates.password”
      • “~operation.settingsUpdates.securityCode”
      • “~operation.settingsUpdates.selectAnswer”
      • “~operation.settingsUpdates.selectQuestion”
        masked_fields: null
        allowed_actions:
    • “indices:data/read/field_caps*”
    • “indices:data/read/search”
      tenant_permissions:
  • tenant_patterns:
    • “SGS_GLOBAL_TENANT”
      allowed_actions:
    • “SGS_SIGNALS_ALL”

Thank you.

The problem you are observing results from the following factors:

Kibana stores index patterns, visualisations and other things in its own, private index (named .kibana; if you use multi-tenancy, there will be an additional suffix appended to the index name).

When configuring DLS or FLS for an index, this index will be automatically read-only. This is because otherwise a user would be allowed to manipulate data they might be not allowed to view.

The sg_roles configuration you posted above applies FLS to all indexes by using the index pattern *. This also includes the index used by Kibana. Thus, Kibana won’t be able to write to this index. This causes the errors you are observing.

The solution would be using a more specific index pattern like my_index or my_index_*.