Using JWT Tokens with Beats

Elastic Stack 7.10.2/SG 49.0.0/metricbeat 7.10.1 (I’m including the JWT as an Authorization: Bearer ... header).

I’m attempting to use SG-issued JWT authentication with metricbeat and output.elasticsearch. I want to give this token SGS_WRITE access to the metricbeat-* indices.

I’m using ILM, so I’m attempting to write to the rollover alias (metricbeat-7.10.1). Here are the parameters I used to create my token (I couldn’t get it to work with SGS_WRITE, so I revoked/recreated it with SGS_CRUD, which also failed):

POST /_searchguard/authtoken
{
  "name": "metricbeat-index-write-2021.03.01T11.07-0600",
  "requested": {
    "index_permissions": 
    [
      {
        "index_patterns": ["metricbeat-*"],
        "allowed_actions": ["SGS_CRUD"]
      }
    ],
    "cluster_permissions": [ "*" ]
  },
  "expires_after": "1y"
}

Here’s what I get in the metricbeat log:

Mar 01 10:58:41 D01RDB002 metricbeat[122769]: 2021-03-01T10:58:41.172-0600        ERROR        [publisher_pipeline_output]        pipeline/output.go:154        Failed to connect to backoff(elasticsearch(https://elasticsearch.example.com:9200)): Connection marked as failed because the onConnect callback failed: failed to check for alias 'metricbeat-7.10.1': (status=403) {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"},"status":403}: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=me@example.com (AuthToken metricbeat-index-write-2021.03.01T10.57-0600 [xpnMFspuRrCsR9AiyuSQkg]), backend_roles=[SG_ADMIN, SG_USER], requestedTenant=null]"},"status":403}

What are the minimum permissions I need to create the token with in order for this to work correctly?

Thanks.

Update

Note that the backend role SG_ADMIN is a SAML assertion that is mapped to the SGS_ALL_ACCESS role.

The error message complains about the missing indices:admin/aliases/get.

Can you please try the following:

POST /_searchguard/authtoken
{
  "name": "metricbeat-index-write-2021.03.01T11.07-0600",
  "requested": {
    "index_permissions": 
    [
      {
        "index_patterns": ["metricbeat-*"],
        "allowed_actions": ["SGS_CRUD", "indices:admin/aliases/get"]
      }
    ],
    "cluster_permissions": [ "*" ]
  },
  "expires_after": "1y"
}

(I have to admit that it should usually not be necessary to include plain (i.e., non-action-group) permissions in any Search Guard configuration. We need to check whether the permission is missing somewhere in the default action groups.)

That did not work, however, when I created a token with full admin permissions, it worked as expected:

POST /_searchguard/authtoken
{
  "name": "metricbeat-index-write-2021.03.01T12.57-0600",
  "requested": {
    "index_permissions": 
    [
      {
        "index_patterns": ["*"],
        "allowed_actions": ["*"]
      }
    ],
    "cluster_permissions": [ "*" ]
  },
  "expires_after": "1y"
}

I’d like to be able to restrict things farther than that, though. 🙂

So, did the error message stay the same when you added the permission?

Of course, it is desirable to just have minimal permissions in tokens 🙂

Sorry - yes, I got the same error message.

After much experimentation (this was iteration #29, as you can see), these appear to be the minimum necessary permissions for the auth token, since I’m manually loading templates:

POST /_searchguard/authtoken
{
  "name": "metricbeat-index-write-029",
  "requested": {
    "cluster_permissions": [
      "cluster:admin/ilm/get",
      "cluster:monitor/main",
      "cluster:monitor/xpack/info",
      "cluster:monitor/xpack/license/get",
      "indices:data/write*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "metricbeat-*"
        ],
        "allowed_actions": [
          "SGS_WRITE"
        ]
      },
      {
        "index_patterns": ["*"],
        "allowed_actions": [
          "indices:admin/aliases/exists*",
          "indices:admin/aliases/get*"
        ]
      }
    ]
  },
  "expires_after": "1y"
}
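The following is an added worked example, not code from the thread or from Search Guard. It models, in a deliberately simplified way, how the three "requested" objects posted above fare against the requests Metricbeat issues when output.elasticsearch connects with ILM enabled. Everything in it is labelled as an assumption or as constructed: the SGS_* action-group expansions are an abbreviation of Search Guard's defaults, the cluster index list and the startup request list are made up for the example, a request that names no index in its URL (HEAD /_alias/metricbeat-7.10.1) is resolved against every index in the cluster the way Elasticsearch resolves it, and the bulk request is checked against cluster_permissions because the final token above needed indices:data/write* there. Under those assumptions the model reproduces the thread's observations: SGS_CRUD alone is refused indices:admin/aliases/get, granting that action on metricbeat-* only is still refused for the other indices the alias lookup touches, and the iteration #29 set covers everything.

```python
"""Permission-coverage check for a Search Guard auth token request.

Added illustration, NOT Search Guard's own evaluator.  Assumptions:
 - ACTION_GROUPS is an abbreviated stand-in for the SGS_* defaults.
 - CLUSTER_INDICES and STARTUP_REQUESTS are constructed for the example.
 - A request naming no index in its URL (HEAD /_alias/<name>) resolves
   to every index in the cluster, so every index must be covered.
 - POST /_bulk names no index in its URL and is checked against
   cluster_permissions (why the final token lists indices:data/write* there).
"""
from fnmatch import fnmatchcase

# Abbreviated expansion of the action groups used in the thread (assumed).
ACTION_GROUPS = {
    "SGS_WRITE": ["indices:data/write*", "indices:admin/mapping/put"],
    "SGS_READ": ["indices:data/read*", "indices:admin/mappings/fields/get*",
                 "indices:admin/resolve/index"],
    "SGS_CRUD": ["SGS_READ", "SGS_WRITE"],
}

# Constructed cluster state: the ILM-managed metricbeat write index plus
# indices the metricbeat token should never be allowed to touch.
CLUSTER_INDICES = [
    "metricbeat-7.10.1-2021.03.01-000001",
    ".kibana_1",
    "filebeat-7.10.1-2021.03.01-000001",
]
ALL_INDICES = "_all"  # marker: request named no index, resolves to every index

# Constructed approximation of Metricbeat's startup traffic with ILM on and
# templates loaded manually: (action, indices).  None = cluster-level check.
STARTUP_REQUESTS = [
    ("cluster:monitor/main", None),                # GET /          version handshake
    ("cluster:monitor/xpack/info", None),          # GET /_xpack    ILM/licence capability check
    ("cluster:monitor/xpack/license/get", None),   # GET /_license
    ("cluster:admin/ilm/get", None),               # GET /_ilm/policy/<name>
    ("indices:admin/aliases/get", ALL_INDICES),    # HEAD /_alias/metricbeat-7.10.1 (the 403 above)
    ("indices:data/write/bulk", None),             # POST /_bulk    no index in the URL
    ("indices:data/write/index", ["metricbeat-7.10.1-2021.03.01-000001"]),  # each bulk item, alias resolved
]


def expand(actions):
    """Recursively replace action-group names with their member patterns."""
    out = []
    for a in actions:
        out.extend(expand(ACTION_GROUPS[a]) if a in ACTION_GROUPS else [a])
    return out


def _any_match(patterns, value):
    # Search Guard patterns are simple globs; fnmatch's '*' also spans '/'.
    return any(fnmatchcase(value, p) for p in patterns)


def denied(requested, action, indices):
    """Return the (action, index) pairs that `requested` does not cover.

    `requested` is the "requested" object of a POST /_searchguard/authtoken body.
    """
    if indices is None:
        ok = _any_match(requested.get("cluster_permissions", []), action)
        return [] if ok else [(action, None)]
    if indices == ALL_INDICES:
        indices = CLUSTER_INDICES
    index_perms = requested.get("index_permissions", [])
    refused = []
    for idx in indices:
        covered = any(_any_match(p["index_patterns"], idx)
                      and _any_match(expand(p["allowed_actions"]), action)
                      for p in index_perms)
        if not covered:
            refused.append((action, idx))
    return refused


def missing_permissions(requested, requests=STARTUP_REQUESTS):
    """Every (action, index) the startup sequence would be refused under `requested`."""
    return [d for action, indices in requests for d in denied(requested, action, indices)]


# The three "requested" objects from the thread, in the order they were tried.
CRUD_ONLY = {
    "index_permissions": [{"index_patterns": ["metricbeat-*"], "allowed_actions": ["SGS_CRUD"]}],
    "cluster_permissions": ["*"],
}
CRUD_PLUS_ALIAS_GET = {
    "index_permissions": [{"index_patterns": ["metricbeat-*"],
                           "allowed_actions": ["SGS_CRUD", "indices:admin/aliases/get"]}],
    "cluster_permissions": ["*"],
}
MINIMAL = {  # iteration #29
    "cluster_permissions": ["cluster:admin/ilm/get", "cluster:monitor/main",
                            "cluster:monitor/xpack/info", "cluster:monitor/xpack/license/get",
                            "indices:data/write*"],
    "index_permissions": [
        {"index_patterns": ["metricbeat-*"], "allowed_actions": ["SGS_WRITE"]},
        {"index_patterns": ["*"],
         "allowed_actions": ["indices:admin/aliases/exists*", "indices:admin/aliases/get*"]},
    ],
}

if __name__ == "__main__":
    for label, req in [("SGS_CRUD only", CRUD_ONLY),
                       ("SGS_CRUD + aliases/get on metricbeat-*", CRUD_PLUS_ALIAS_GET),
                       ("iteration #29", MINIMAL)]:
        print(f"{label}: {missing_permissions(req) or 'all startup requests covered'}")
```

The point the model makes visible is that the alias existence check is not scoped to metricbeat-* at all: because the URL names only the alias, Elasticsearch resolves the request against every index, so an index_permissions entry restricted to metricbeat-* can never satisfy it, while a "*" entry limited to the two aliases/get and aliases/exists actions does, without handing out data access to those other indices.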
