On 18.03.2019 at 16:35, JoJo Monkey <jojomnky@gmail.com> wrote:
As requested, here's the log for the updated command:
curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/library/core"
[2019-03-18T15:30:30,361][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from http basic
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] User 'giedre' is in cache? true (cache size: 5)
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] User 'User [name=giedre, roles=[rr_subscription_report]]' is authenticated
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] sg_tenant 'null'
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/get from 172.20.0.1:34094
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [library] from class org.elasticsearch.action.get.GetRequest
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [library]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [library] to [library]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=library, type=library]]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=library, type=library]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=library]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=library]]}
[2019-03-18T15:30:30,362][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/get
Thanks for your help!
On Sunday, March 17, 2019 at 3:27:12 PM UTC-4, Search Guard wrote:
From the logs it seems correct because access to .kibana index is requested and denied because the user "giedre" is only mapped to sg role "rr_subscription_report" and therefore only allowed for indices "library" and "beh_optin_history_campaign" but not .kibana.
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/search from 172.20.0.3:55628
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.search.SearchRequest <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [.kibana] <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana] <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=index-pattern]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=.kibana, type=index-pattern]]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=.kibana, type=index-pattern]] [Action [indices:data/read/search]] [RolesChecked [rr_subscription_report]]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=.kibana, type=index-pattern]]}
[2019-03-11T14:17:38,555][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/search
With regards to your "curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/_all/core" command:
Does it work when you replace "_all" with the actual type?
We need a debug log which shows exactly the flow from the above curl command.
On Wednesday, 13 March 2019 14:24:02 UTC+1, JoJo Monkey wrote:
Has anyone had a chance to take a look at this or have any suggestions?
On Monday, March 11, 2019 at 10:53:28 AM UTC-4, JoJo Monkey wrote:
I included the Dockerfile thinking it might help you debug.
Versions are:
ES 5.5.0
SG 5.5.0-15
The request is a simple document GET request to elasticsearch.
curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/_all/core"
Thanks for your help.
On Friday, March 8, 2019 at 3:52:28 PM UTC-5, JoJo Monkey wrote:
I can't get my user to have the expected permissions. What am I doing wrong?
versions Search Guard 5, Elasticsearch 5
sg_roles_mapping.yml:
rr_subscription_report:
  users:
    - giedre
sg_roles.yml:
trying anything that might work here. nothing seems to take.
rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get
[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=*]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=*]]}
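Added example, not part of the original thread or of Search Guard itself: a small Python parser for the PrivilegesEvaluator "No index-level perm match" lines quoted above, which groups denials by user, index and action so the `.kibana` denial can be separated from the `library` one. The regular expression is an assumption derived only from the log lines shown in this thread and handles a single IndexType per line.

```python
import re
from collections import defaultdict

# Three denial lines copied from the thread, plus one DEBUG line that must be ignored.
SAMPLE_LOG = """\
[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=*]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=.kibana, type=index-pattern]] [Action [indices:data/read/search]] [RolesChecked [rr_subscription_report]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=library]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
"""

# Pattern inferred from the lines above (assumption: one IndexType per line).
DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[INFO\s*\]\[c\.f\.s\.c\.PrivilegesEvaluator\]\s+"
    r"No index-level perm match for User "
    r"\[name=(?P<user>[^,\]]+), roles=\[(?P<user_roles>[^\]]*)\]\] "
    r"\[IndexType \[index=(?P<index>[^,\]]+), type=(?P<type>[^\]]+)\]\] "
    r"\[Action \[(?P<action>[^\]]+)\]\] "
    r"\[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)


def parse_denials(text):
    """Return one dict per 'No index-level perm match' line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # RolesChecked is a comma-separated list of the sg roles that were evaluated.
        d["checked"] = [r.strip() for r in d["checked"].split(",") if r.strip()]
        denials.append(d)
    return denials


def group_by_target(denials):
    """Map (user, index, action) -> sorted list of document types that were denied."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["user"], d["index"], d["action"])].add(d["type"])
    return {key: sorted(types) for key, types in grouped.items()}


if __name__ == "__main__":
    for (user, index, action), types in group_by_target(parse_denials(SAMPLE_LOG)).items():
        print(f"{user} denied {action} on {index} (types: {', '.join(types)})")
```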