User permissions aren't working

I can’t get my user to have the expected permissions. What am I doing wrong?

versions Search Guard 5, Elasticsearch 5

sg_roles_mapping.yml:

rr_subscription_report:
  users:
    - giedre

sg_roles.yml:

trying anything that might work here. nothing seems to take.

rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get

[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=*]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=*]]}

The roles and roles mapping look right, actually.

Can you please attach the complete sg_roles_mapping.yml and sg_roles.yml as files?
This makes it easier for us to reproduce it. Please also turn on debug logging (Search Guard logging | Security for Elasticsearch | Search Guard)
and post the logs.

What kind of query/request did you issue?
Which exact version of Elasticsearch and SG do you use?

I included the Dockerfile thinking it might help you debug.

Versions are:

ES 5.5.0

SG 5.5.0-15

The request is a simple document GET request to elasticsearch.

curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/_all/core"

Thanks for your help.

logcatch.log (23.7 KB)

sg_roles_mapping.yml (742 Bytes)

sg_roles.yml (4.01 KB)

Dockerfile (504 Bytes)

Has anyone had a chance to take a look at this or have any suggestions?

From the logs it seems correct because access to the .kibana index is requested and denied because the user “giedre” is only mapped to sg role “rr_subscription_report” and therefore only allowed for indices “library” and “beh_optin_history_campaign” but not .kibana.

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/search from 172.20.0.3:55628
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.search.SearchRequest <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [.kibana] <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana] <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=index-pattern]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=.kibana, type=index-pattern]]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=.kibana, type=index-pattern]] [Action [indices:data/read/search]] [RolesChecked [rr_subscription_report]]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=.kibana, type=index-pattern]]}
[2019-03-11T14:17:38,555][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/search

With regards to your `curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/_all/core"` command:

Does it work when you replace “_all” with the actual type?

We need a debug log which shows exactly the flow from the above curl command.

As requested, here’s the log for the updated command:
curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/library/core"

[2019-03-18T15:30:30,361][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from http basic
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] User 'giedre' is in cache? true (cache size: 5)
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] User 'User [name=giedre, roles=[rr_subscription_report]]' is authenticated
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] sg_tenant 'null'
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/get from 172.20.0.1:34094
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [library] from class org.elasticsearch.action.get.GetRequest
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [library]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [library] to [library]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=library, type=library]]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=library, type=library]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=library]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=library]]}
[2019-03-18T15:30:30,362][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/get

Thanks for your help!

This seems like a bug.

Elasticsearch 5.5 is already EOL (end of life), so I'd like to ask you if you can check if this behaviour also occurs with 5.6.15 and Search Guard 19.3.
If so we will provide a fix but for 5.6.15 only. See https://docs.search-guard.com/latest/eol-policy

Please consider also upgrading to 6.6.x because ES 5 will soon be completely discontinued.

During reproduction it turns out you made just a typo:

rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get

It's not "indicies", it must be "indices", like

rr_subscription_report:
  indices:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get
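
The misspelled key failed silently: the role loaded, but the evaluator found no index permissions under it. The following is an added example, not part of the original posts and not Search Guard code: a small Python lint that flags unknown section keys under each role in sg_roles.yml and ties them to the denial lines in the log. Assumptions: the function names are hypothetical, the file is space-indented block-style YAML as in the thread, and only `indices` is confirmed by the thread as a valid section key (`cluster` and `tenants` are assumed).

```python
import difflib
import re

# Section keys allowed directly under a role name. "indices" is confirmed by
# the thread; "cluster" and "tenants" are assumptions about the SG 5 format.
KNOWN_SECTIONS = ("cluster", "indices", "tenants")

# Matches the PrivilegesEvaluator INFO line quoted in the thread.
DENY_RE = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,]+), roles=\[[^\]]*\]\] "
    r"\[IndexType \[index=(?P<index>[^,]+), type=(?P<type>[^\]]+)\]\] "
    r"\[Action \[(?P<action>[^\]]+)\]\] "
    r"\[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)

# Role definition and log line copied from the thread (typo included).
SG_ROLES_FROM_THREAD = """\
rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get
"""
LOG_FROM_THREAD = (
    "[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] "
    "No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] "
    "[IndexType [index=library, type=*]] [Action [indices:data/read/get]] "
    "[RolesChecked [rr_subscription_report]]\n"
)


def lint_roles(text, known=KNOWN_SECTIONS):
    """Return one finding per unknown key found directly under a role."""
    findings = []
    role = None
    child_indent = None  # indentation of the role's direct children
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        # Skip blanks, comments, list items (permissions) and non-key lines.
        if not stripped or stripped.startswith(("#", "-")) or ":" not in stripped:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key = stripped.split(":", 1)[0].strip().strip("'\"")
        if indent == 0:  # a new role definition starts
            role, child_indent = key, None
            continue
        if role is None:
            continue
        if child_indent is None:
            child_indent = indent
        if indent == child_indent and key not in known:
            guess = difflib.get_close_matches(key, known, n=1, cutoff=0.6)
            findings.append({"line": lineno, "role": role, "key": key,
                             "suggest": guess[0] if guess else None})
    return findings


def explain_denials(log_text, roles_text):
    """Pair each denial in the log with lint findings for the roles checked."""
    by_role = {}
    for finding in lint_roles(roles_text):
        by_role.setdefault(finding["role"], []).append(finding)
    explained = []
    for m in DENY_RE.finditer(log_text):
        for role in (r.strip() for r in m["checked"].split(",")):
            for finding in by_role.get(role, []):
                explained.append((m["user"], m["index"], m["action"], role,
                                  finding["key"], finding["suggest"]))
    return explained


if __name__ == "__main__":
    for user, index, action, role, key, suggest in explain_denials(
            LOG_FROM_THREAD, SG_ROLES_FROM_THREAD):
        print(f"{user} denied {action} on {index}: role {role} has unknown "
              f"key '{key}' (did you mean '{suggest}'?)")
```

Running a check like this before loading the configuration catches the typo before any request is denied.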

Doh! That was it. Thanks for spotting that!


On Monday, March 18, 2019 at 12:17:30 PM UTC-4, Search Guard wrote:

During reproduction it turns out you made just a typo:

rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get

It's not “indicies”, it must be “indices”, like:

rr_subscription_report:
  indices:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get

Am 18.03.2019 um 17:00 schrieb SG in...@search-guard.com:

This seems like a bug.

Elasticsearch 5.5 is already EOL (End of life) so I would like to ask you if you can check if this behaviour also occurs with 5.6.15 and Search Guard 19.3.

If so we will provide a fix but for 5.6.15 only. See https://docs.search-guard.com/latest/eol-policy

Pls. consider also upgrading to 6.6.x because ES 5 will soon be completely discontinued.

Am 18.03.2019 um 16:35 schrieb JoJo Monkey jojo...@gmail.com:

As requested, here’s the log for the updated command:

curl -u giedre: --insecure -X GET "http://localhost:9200/library/library/core"

[2019-03-18T15:30:30,361][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from http basic

[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] User 'giedre' is in cache? true (cache size: 5)

[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] User 'User [name=giedre, roles=[rr_subscription_report]]' is authenticated

[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry ] sg_tenant 'null'

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/get from 172.20.0.1:34094

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [library] from class org.elasticsearch.action.get.GetRequest

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [library]

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [library] to [library]

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=library, type=library]]

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report

[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=library, type=library]]

[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=library]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]

[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=library]]}

[2019-03-18T15:30:30,362][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/get

Thanks for your help!

On Sunday, March 17, 2019 at 3:27:12 PM UTC-4, Search Guard wrote:

From the logs it seems correct because access to .kibana index is requested and denied because the user “giedre” is only mapped to sg role “rr_subscription_report” and therefore only allowed for indices “library” and “beh_optin_history_campaign” but not .kibana.

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/search from 172.20.0.3:55628

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.search.SearchRequest <<<<<<<-------------------------------- .kibana

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [.kibana] <<<<<<<-------------------------------- .kibana

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana] <<<<<<<-------------------------------- .kibana

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=index-pattern]]

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=.kibana, type=index-pattern]]

[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=.kibana, type=index-pattern]] [Action [indices:data/read/search]] [RolesChecked [rr_subscription_report]]

[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=.kibana, type=index-pattern]]}

[2019-03-11T14:17:38,555][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/search

With regards to your curl -u giedre: --insecure -X GET "http://localhost:9200/library/_all/core" command:

Does it work when you replace “_all” with the actual type?

We need a debug log which shows exactly the flow from the above curl command.

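The root cause found in this thread, a misspelled section key under the role that left it without any matching index permission, can be caught before the configuration is loaded. The check below is an added example, not part of any post and not Search Guard code; the name `lint_roles`, the set of accepted section keys (assumed for Search Guard 5) and the indentation-only parsing are assumptions, and the sample input is constructed from the role posted above.

```python
import difflib

# Assumption: section keys accepted directly under a role in sg_roles.yml (Search Guard 5).
KNOWN_ROLE_KEYS = {"cluster", "indices", "tenants"}

# Constructed sample: the role from this thread, with the misspelled key.
BROKEN = """\
rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/get
"""
FIXED = BROKEN.replace("indicies:", "indices:")


def lint_roles(text):
    """Return (line_no, role, key, suggestion) for unknown keys directly under a role."""
    findings, role, child_indent = [], None, None
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # A key at column 0 starts a new role definition.
            role = stripped.split(":", 1)[0].strip("'\"") if ":" in stripped else None
            child_indent = None
            continue
        if role is None or stripped.startswith("-") or ":" not in stripped:
            continue
        if child_indent is None:
            child_indent = indent  # first mapping key under the role fixes the level
        if indent != child_indent:
            continue  # deeper levels are index names, types and permissions
        key = stripped.split(":", 1)[0].strip("'\"")
        if key not in KNOWN_ROLE_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_ROLE_KEYS, n=1)
            findings.append((no, role, key, hint[0] if hint else None))
    return findings


if __name__ == "__main__":
    for no, role, key, hint in lint_roles(BROKEN):
        print(f"line {no}: role {role!r} has unknown key {key!r}; did you mean {hint!r}?")
```

Running a check like this before pushing the configuration with sgadmin turns a silent "No index-level perm match" at request time into an explicit error at deploy time.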