User can't see docs in alias, although he has access to alias (but not indices directly)

Hello,

I have multiple indices, such as apache, gunicorn, django, where I store logs from my apps. I also have an alias, which combines all those logs together called webapp.

Now I want to give a user an access to alias webapp and I set my permissions like so:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

I also add my user to this new role:

sg_role_webapp:
users:
- testuser

Now when I want to open this webapp index in Kibana, I get an error:Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:"no permissions for [indices:data/read/search]

In ES logs, I see:

[2018-07-16T14:33:06,355][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name= testuser, roles=[]] [IndexType [index=logs-gunicorn-2018.07-v1, type=], IndexType [index=logs-httpd-2018.06-v1, type=], IndexType [index=logs-django-2018.07-v1, type=], IndexType [index=logs-gunicorn-2018.06-v1, type=], IndexType [index=logs-httpd-2018.07-v1, type=], IndexType [index=logs-httpd-2018.07-1, type=], IndexType [index=logs-django-2018.06-v1, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [sg_role_webapp]]

Do I have to give the user access to all indices, that are part of alias, as well?

I’m using ES 5.6.6 with SG 5.6.6-18.

Thanks for help.

Yes, you need to give permissions to the actual indices. The way indices are handled in SG is:

If a request comes in, we resolve all indices to the concrete, underlying indices. The original index names can contain for example:

  • Aliases

  • Wildcards

  • Date math based indices

Only after the concrete indices have been evaluated, the permissions are checked.

···

On Monday, July 16, 2018 at 2:50:43 PM UTC+2, Matej Žerovnik wrote:

Hello,

I have multiple indices, such as apache, gunicorn, django, where I store logs from my apps. I also have an alias, which combines all those logs together called webapp.

Now I want to give a user an access to alias webapp and I set my permissions like so:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

I also add my user to this new role:

sg_role_webapp:
users:
- testuser

Now when I want to open this webapp index in Kibana, I get an error:Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:"no permissions for [indices:data/read/search]

In ES logs, I see:

[2018-07-16T14:33:06,355][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name= testuser, roles=[]] [IndexType [index=logs-gunicorn-2018.07-v1, type=], IndexType [index=logs-httpd-2018.06-v1, type=], IndexType [index=logs-django-2018.07-v1, type=], IndexType [index=logs-gunicorn-2018.06-v1, type=], IndexType [index=logs-httpd-2018.07-v1, type=], IndexType [index=logs-httpd-2018.07-1, type=], IndexType [index=logs-django-2018.06-v1, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [sg_role_webapp]]

Do I have to give the user access to all indices, that are part of alias, as well?

I’m using ES 5.6.6 with SG 5.6.6-18.

Thanks for help.

Thanks for the info.

So if I understand right, is this how my config should look:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-httpd-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-gunicorn-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

So now user has access to all indices, but access is filtered and he also has access to the webapp alias.

Is there a better/nicer way to do that, so I don’t need to copy/paste same lines multiple times? It’s easy to overlook thinks this way.

Thanks, Matej

···

On Tuesday, July 17, 2018 at 12:02:13 AM UTC+2, Jochen Kressin wrote:

Yes, you need to give permissions to the actual indices. The way indices are handled in SG is:

If a request comes in, we resolve all indices to the concrete, underlying indices. The original index names can contain for example:

  • Aliases
  • Wildcards
  • Date math based indices

Only after the concrete indices have been evaluated, the permissions are checked.

On Monday, July 16, 2018 at 2:50:43 PM UTC+2, Matej Žerovnik wrote:

Hello,

I have multiple indices, such as apache, gunicorn, django, where I store logs from my apps. I also have an alias, which combines all those logs together called webapp.

Now I want to give a user an access to alias webapp and I set my permissions like so:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

I also add my user to this new role:

sg_role_webapp:
users:
- testuser

Now when I want to open this webapp index in Kibana, I get an error:Error: Request to Elasticsearch failed: {“error”:{“root_cause”:[{“type”:“security_exception”,“reason”:"no permissions for [indices:data/read/search]

In ES logs, I see:

[2018-07-16T14:33:06,355][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name= testuser, roles=[]] [IndexType [index=logs-gunicorn-2018.07-v1, type=], IndexType [index=logs-httpd-2018.06-v1, type=], IndexType [index=logs-django-2018.07-v1, type=], IndexType [index=logs-gunicorn-2018.06-v1, type=], IndexType [index=logs-httpd-2018.07-v1, type=], IndexType [index=logs-httpd-2018.07-1, type=], IndexType [index=logs-django-2018.06-v1, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [sg_role_webapp]]

Do I have to give the user access to all indices, that are part of alias, as well?

I’m using ES 5.6.6 with SG 5.6.6-18.

Thanks for help.

I did some testing and if I set SEARCH permissions to indice and alias, I get permission denied when I select the concrete indice (logs-httpd or gunicorn,…), but if I select the alias, then I can see the logs:

sg_role_webapp:

cluster:

  • CLUSTER_COMPOSITE_OPS_RO

indices:

‘webapp’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘logs-httpd-*’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘logs-gunicorn-*’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘?kibana*’:

‘*’:

  • INDICES_ALL

This will fail when selecting httpd indice with Discover: [security_exception] no permissions for [indices:data/read/field_stats] and User [name=testuser, roles=[]], but selecting webapp alias will show all filtered logs. Is it suppose to work like that?

···

On Tuesday, July 17, 2018 at 7:45:45 AM UTC+2, Matej Žerovnik wrote:

Thanks for the info.

So if I understand right, is this how my config should look:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-httpd-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-gunicorn-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

So now user has access to all indices, but access is filtered and he also has access to the webapp alias.

Is there a better/nicer way to do that, so I don’t need to copy/paste same lines multiple times? It’s easy to overlook thinks this way.

Thanks, Matej

No, this does not seem correct. Can you please open a ticket on Github for this so we can investigate? Thanks!

···

On Tuesday, July 17, 2018 at 7:58:14 AM UTC+2, Matej Žerovnik wrote:

I did some testing and if I set SEARCH permissions to indice and alias, I get permission denied when I select the concrete indice (logs-httpd or gunicorn,…), but if I select the alias, then I can see the logs:

sg_role_webapp:

cluster:

  • CLUSTER_COMPOSITE_OPS_RO

indices:

‘webapp’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘logs-httpd-*’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘logs-gunicorn-*’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘?kibana*’:

‘*’:

  • INDICES_ALL

This will fail when selecting httpd indice with Discover: [security_exception] no permissions for [indices:data/read/field_stats] and User [name=testuser, roles=[]], but selecting webapp alias will show all filtered logs. Is it suppose to work like that?

On Tuesday, July 17, 2018 at 7:45:45 AM UTC+2, Matej Žerovnik wrote:

Thanks for the info.

So if I understand right, is this how my config should look:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-httpd-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-gunicorn-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

So now user has access to all indices, but access is filtered and he also has access to the webapp alias.

Is there a better/nicer way to do that, so I don’t need to copy/paste same lines multiple times? It’s easy to overlook thinks this way.

Thanks, Matej

Tracked here: https://github.com/floragunncom/search-guard/issues/523

···

On Tuesday, July 17, 2018 at 11:02:41 AM UTC+2, Jochen Kressin wrote:

No, this does not seem correct. Can you please open a ticket on Github for this so we can investigate? Thanks!

https://github.com/floragunncom/search-guard/issues

On Tuesday, July 17, 2018 at 7:58:14 AM UTC+2, Matej Žerovnik wrote:

I did some testing and if I set SEARCH permissions to indice and alias, I get permission denied when I select the concrete indice (logs-httpd or gunicorn,…), but if I select the alias, then I can see the logs:

sg_role_webapp:

cluster:

  • CLUSTER_COMPOSITE_OPS_RO

indices:

‘webapp’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘logs-httpd-*’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘logs-gunicorn-*’:

‘*’:

  • SEARCH

dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’

‘?kibana*’:

‘*’:

  • INDICES_ALL

This will fail when selecting httpd indice with Discover: [security_exception] no permissions for [indices:data/read/field_stats] and User [name=testuser, roles=[]], but selecting webapp alias will show all filtered logs. Is it suppose to work like that?

On Tuesday, July 17, 2018 at 7:45:45 AM UTC+2, Matej Žerovnik wrote:

Thanks for the info.

So if I understand right, is this how my config should look:

sg_role_webapp:
cluster:
- CLUSTER_COMPOSITE_OPS_RO
indices:
‘webapp’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-httpd-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'logs-gunicorn-
’:
’:
- READ
dls: ‘{ “bool”: { “must”: { “term”: { “tags”: “webapp” }}}}’
'?kibana
’:
‘*’:
- INDICES_ALL

So now user has access to all indices, but access is filtered and he also has access to the webapp alias.

Is there a better/nicer way to do that, so I don’t need to copy/paste same lines multiple times? It’s easy to overlook thinks this way.

Thanks, Matej