URL shortening perms in Kibana

It appears to me that URL shorting in Kibana requires a permission not granted to the default sg_kibana role:

[2017-12-06T00:30:35,991][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=] [IndexType [index=.kibana, type=url]] [Action [indices:data/write/bulk]] [RolesChecked [sg_kibana, sg_public]]

``

My understanding is that granting this permission to the sg_kibana user is acceptable security-wise, as they will still need explicit permission to underlying indices. To avoid granting alias controls to the sg_kibana role, I created a new action group called CLUSTER_COMPOSITE_OPS_BULK:

CLUSTER_COMPOSITE_OPS_BULK:

  • “indices:data/write/bulk”

  • CLUSTER_COMPOSITE_OPS_RO

``

Posting here in case it helps someone else, and in case there is a risk here I haven’t thought of.

this is also fixed in SG 6

···

Am 06.12.2017 um 01:58 schrieb Tom Ryan <tomryanx@gmail.com>:

It appears to me that URL shorting in Kibana requires a permission not granted to the default sg_kibana role:

[2017-12-06T00:30:35,991][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=] [IndexType [index=.kibana, type=url]] [Action [indices:data/write/bulk]] [RolesChecked [sg_kibana, sg_public]]

I found the log message a bit confusing... it appears the required permissions is "cluster:data/write/bulk".

My understanding is that granting this permission to the sg_kibana user is acceptable security-wise, as they will still need explicit permission to underlying indices. To avoid granting alias controls to the sg_kibana role, I created a new action group called CLUSTER_COMPOSITE_OPS_BULK:

CLUSTER_COMPOSITE_OPS_BULK:
  - "indices:data/write/bulk"
  - CLUSTER_COMPOSITE_OPS_RO

Posting here in case it helps someone else, and in case there is a risk here I haven't thought of.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/13d59273-367c-4ae5-8191-4282ab27ac30%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.