Elastic Stack 7.10.2/SG 49.0.0/metricbeat 7.10.1 (I’m including the JWT as Authorization: Bearer ... header).
I’m attempting to use SG-issued JWT authentication with metricbeat and output.elasticsearch. I want to give this token SGS_WRITE access to the metricbeat-* indices.
I’m using ILM, so I’m attempting to write to the rollover alias (metricbeat-7.10.1). Here are the parameters I used to create my token (I couldn’t get it to work with SGS_WRITE, so I revoked/recreated it with SGS_CRUD, which also failed):
POST /_searchguard/authtoken
{
  "name": "metricbeat-index-write-2021.03.01T11.07-0600",
  "requested": {
    "index_permissions": [
      {
        "index_patterns": ["metricbeat-*"],
        "allowed_actions": ["SGS_CRUD"]
      }
    ],
    "cluster_permissions": ["*"]
  },
  "expires_after": "1y"
}
Here’s what I get in the metricbeat log:
Mar 01 10:58:41 D01RDB002 metricbeat[122769]: 2021-03-01T10:58:41.172-0600 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://elasticsearch.example.com:9200)): Connection marked as failed because the onConnect callback failed: failed to check for alias 'metricbeat-7.10.1': (status=403) {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"},"status":403}: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"},"status":403}
What are the minimum permissions I need to create the token with in order for this to work correctly?
Thanks.
Update
Note that the backend role SG_ADMIN is a SAML assertion that is mapped to the SGS_ALL_ACCESS role.
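
An added example, not part of the original post: a small parser that collects the denied action names from Search Guard 403 messages like the one in the log above, per user and auth token, collapsing the repeated copies of each denial. The sample log lines, the token name metricbeat-writer-example, its id and the second action are constructed for illustration; splitting several actions on commas is an assumption.

```python
import re
from collections import defaultdict

# Shape of the Search Guard denial text as it appears in the log quoted above.
DENIAL = re.compile(
    r"no permissions for \[(?P<actions>[^\]]+)\] and User \[name=(?P<user>\S+)"
    r"(?: \(AuthToken (?P<token>\S+) \[[^\]]+\]\))?"   # present only for token auth
    r", backend_roles=\[(?P<roles>[^\]]*)\]"
)


def denied_actions(log_text):
    """Map (user, token name or None) -> sorted list of distinct denied actions."""
    found = defaultdict(set)
    for m in DENIAL.finditer(log_text):
        # Assumption: several denied actions would be comma-separated in the brackets.
        actions = {a.strip() for a in m.group("actions").split(",") if a.strip()}
        found[(m.group("user"), m.group("token"))] |= actions
    return {who: sorted(acts) for who, acts in found.items()}


# Constructed sample: the first line repeats one denial (root_cause + top level),
# the second is a different denial for the same token, the third has no denial.
SAMPLE_LOG = r'''
ERROR pipeline/output.go:154 failed to check for alias 'metricbeat-7.10.1': (status=403) {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-writer-example [CONSTRUCTEDID]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-writer-example [CONSTRUCTEDID]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"},"status":403}
ERROR constructed line: (status=403) {"error":{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=me@example.com (AuthToken metricbeat-writer-example [CONSTRUCTEDID]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"},"status":403}
INFO constructed line: Connection to backoff(elasticsearch(https://elasticsearch.example.com:9200)) established
'''

if __name__ == "__main__":
    for (user, token), actions in denied_actions(SAMPLE_LOG).items():
        print(f"user={user} token={token}")
        for action in actions:
            print(f"  denied: {action}")
```

Running it over a real metricbeat log after each token revision lists which actions are still being refused for that token.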