User access kibana

Hello,

I want to centralize logs of different servers hosting different services. Each service has its index and i want to create one user per index to let them access their own data see data from other indexes.

Actually, if I create a user services02-adm in group services_filebeat and give this group the right to access the indexes filebeat-services02-adm-*

services_filebeat:
  indices:
    filebeat-services02-adm-*:
      - '*'

services_filebeat:
  users:
    - services02-adm

i get this error when trying to log in kibana:

Courier Fetch Error: unhandled courier request error: [security_exception] no permissions for indices:data/read/mget
Version: 4.5.0
Build: 9889

Error: unhandled courier request error: [security_exception] no permissions for indices:data/read/mget


If i add this user to the group sg_kibana4, he can access kibana but he gets access to other indexes too.

How can i restrict his access to only one index?

Regards

To simplify my question, which rights are required to authorize a user to access Kibana?

Regards

i assume you need something like

services_filebeat:
  indices:
    filebeat-services02-adm-*: #index
      '*': #type
        - READ #permission
        - indices:admin/mappings/fields/get* #permission
        - indices:admin/validate/query #permission
        - indices:admin/get #permission
    '?kibana': #index
      '*': #type
        - indices:admin/exists* #permission
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*

instead of

services_filebeat:
  indices:
    filebeat-services02-adm-*:
      - '*'


On 17.05.2016 at 16:40, cedric moreaux <misterced91@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e1cbbe10-6368-4d49-9d96-ceb2383d07b1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

With this i get 2 errors at kibana loading:

Error: [security_exception] no permissions for indices:data/read/field_stats

And

Error: [security_exception] no permissions for indices:data/read/msearch

The fact is i have other indexes named filebeat-“server-name”-“date”.
If i modify the line
filebeat-services02-adm-*

to
filebeat-*:

it works, but the user can see data from all indexes :confused:

Is there a solution?

Regards

I found a solution,
services_filebeat:
  indices:
    '*':
      '*':
        - indices:data/read/field_stats
        - indices:data/read/msearch
    'filebeat-service02*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query
        - indices:admin/get
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
        - indices:admin/mappings/fields/get*

If i add the two missing rights on * it works, i just get an error: Discover: no permissions for indices:data/read/search
If i add this right, the user can see everything, but if i ignore the error i can just see data from his index.

Thanks!

Hi, i have some issues like you , the config is here:
sg_apache_tomcat:
  indices:
    '*':
      '*':
        - indices:data/read/field_stats
        - indices:data/read/msearch
    'apache_tomcat*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query
        - indices:admin/get
        - indices:data/read/field_stats
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
        - indices:admin/mappings/fields/get*

And i got the errors:

Discover: no permissions for indices:data/read/search

But i can’t see the index of “apache-tomcat*”. What is the errors???


'apache_tomcat*' does not match "apache-tomcat*" (underscore != dash)

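Added example (not part of the original thread, and not Search Guard's own code): a simplified model of index-pattern matching that shows why the `apache_tomcat*` entry never applies to `apache-tomcat-*` indices and how far the catch-all `'*'` entry reaches. It assumes `*` matches any run of characters and `?` exactly one, hand-expands READ to `indices:data/read*`, and uses constructed index names.

```python
import re

# Constructed copy of the sg_apache_tomcat role from the thread (type level
# omitted). READ is hand-expanded to "indices:data/read*": an assumption, the
# real definition lives in the action-group configuration.
ROLE = {
    "*": ["indices:data/read/field_stats", "indices:data/read/msearch"],
    "apache_tomcat*": ["indices:data/read*", "indices:admin/get",
                       "indices:admin/validate/query"],
    "?kibana": ["indices:data/read/get*", "indices:data/read/mget*",
                "indices:data/read/search*"],
}

# Constructed index names standing in for what exists in the cluster.
INDICES = ["apache-tomcat-2016.06.20",
           "filebeat-services02-adm-2016.05.17",
           ".kibana"]

def wildcard(pattern, value):
    """Assumed semantics: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def allowed(role, index, action):
    """True if some index pattern matching `index` grants `action`."""
    return any(wildcard(ip, index) and any(wildcard(p, action) for p in perms)
               for ip, perms in role.items())

def audit(role, indices, action="indices:data/read/search"):
    """Map each concrete index name to whether `action` is granted on it."""
    return {i: allowed(role, i, action) for i in indices}

def unmatched_patterns(role, indices):
    """Index patterns that match no existing index (typo candidates)."""
    return [ip for ip in role if not any(wildcard(ip, i) for i in indices)]

if __name__ == "__main__":
    for name, ok in audit(ROLE, INDICES).items():
        print("ALLOW" if ok else "DENY ", name)
    print("patterns matching nothing:", unmatched_patterns(ROLE, INDICES))
    # The catch-all '*' entry applies to every index, other services' included.
    print("msearch on filebeat index:",
          allowed(ROLE, INDICES[1], "indices:data/read/msearch"))
```

Running the unmatched-pattern check against the real index list before loading a role catches the underscore/dash mismatch without a round trip through Kibana.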

Thanks, i am so careless.

On Monday, June 20, 2016 at 4:08:13 PM UTC+8, SG wrote:

‘apache_tomcat*’ does not match “apache-tomcat*” (underscore != dash)

On 20.06.2016 at 03:57, Wei Hong fzu...@gmail.com wrote:

Hi, i have some issues like you , the config is here:

sg_apache_tomcat:
  indices:
    '*':
      '*':
        - indices:data/read/field_stats
        - indices:data/read/msearch
    'apache_tomcat*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query
        - indices:admin/get
        - indices:data/read/field_stats
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
        - indices:admin/mappings/fields/get*

And i got the errors:

Discover: no permissions for indices:data/read/search

But i can’t see the index of “apache-tomcat*”. What is the errors???

On Friday, May 20, 2016 at 5:53:05 PM UTC+8, cedric moreaux wrote:

I found a solution,
services_filebeat:
  indices:
    '*':
      '*':
        - indices:data/read/field_stats
        - indices:data/read/msearch
    'filebeat-service02*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query
        - indices:admin/get
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
        - indices:admin/mappings/fields/get*

If i add the two missing rights on * it works, i just get an error: Discover: no permissions for indices:data/read/search

If i add this right, the user can see everything, but if i ignore the error i can just see data from his index.

Thanks!

