using public group * adds user unintentionally

Am 21.06.2016 um 23:35 schrieb djtecha <djtecha@gmail.com>:

So I have an admin group and a public group. The admin group has my user defined and allows complete searching, the public group defines it's users as '*' and has a DLS attached. Problem is, SG adds my defined user to both and then inherits the dls which I don't want. Any ideas?

sg_roles.yml

sg_admin:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'
        
sg_public:
  indices:
    '*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
    '*-*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
      _dls_: '{ "term" : {"tags" : "devlogs" } }'
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*

sg_roles_mapping.yml

sg_admin:
  users:
    - admin
    - daniel.kasen

sg_public:
  users:
    - '*'

Log:

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen, roles=]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/search from 10.0.11.193:36878
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [logstash-2016.06.21] from class org.elasticsearch.action.search.SearchRequest
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=39, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wild
cards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [logstash-2016.06.21]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [logstash-2016.06.21] to {}
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [logstash-2016.06.21]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin, sg_public]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [logstash-2016.06.21]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for *, will check now types [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for */*: [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against */*: [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_admin.*', evaluate other roles
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *-*
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *-*: [logstash-2016.06.21]
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for *-*, will check now types [*]
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for *-*/*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indic
es:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against *-*/*: [indices:admin/validate/query*, indices:admin/get*, indic
es:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index *-* remaining requested aliases and indices:
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index *-* remaining requested resolved types:
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_public.*-*', evaluate other roles
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match fo
r *: [logstash-2016.06.21]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for *, will check now types [*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for */*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against */*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_public.*', evaluate other roles
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for ?kibana
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] No wildcard match found for ?kibana
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested aliases and indices: [logstash-2016.06.21]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested resolved types: [_all]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] dls query { "term" : {"tags" : "devlogs" } }

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/17cd7087-b569-4d06-90b9-aed981f0cc90%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

On Sun, Jun 26, 2016 at 1:38 AM, SG info@search-guard.com wrote:

I see two possibilities:

• Use a regex in sg_public to exclude “admin” user. Something like this should work:

sg_public:

users:

- '/((?!admin).)*/ '

• Do not use ‘*’ in sg_public but name the users explicitly or use roles for that (and make sure that admin/danuiel.kasen does not have this role)

Maybe we can add a dedicated option to exclude users from DLS/FLS, we will think about this.

Am 21.06.2016 um 23:35 schrieb djtecha djtecha@gmail.com:

So I have an admin group and a public group. The admin group has my user defined and allows complete searching, the public group defines it’s users as ‘*’ and has a DLS attached. Problem is, SG adds my defined user to both and then inherits the dls which I don’t want. Any ideas?

sg_roles.yml

sg_admin:

cluster:

- '*'

indices:

'*':

  '*':

    - '*'

sg_public:

indices:

'*':

  '*':

    - READ

    - indices:admin/mappings/fields/get*

    - indices:admin/validate/query*

    - indices:admin/get*

'*-*':

  '*':

    - READ

    - indices:admin/mappings/fields/get*

    - indices:admin/validate/query*

    - indices:admin/get*

  _dls_: '{ "term" : {"tags" : "devlogs" } }'

'?kibana':

  '*':

    - indices:admin/exists*

    - indices:admin/mapping/put*

    - indices:admin/mappings/fields/get*

    - indices:admin/refresh*

    - indices:admin/validate/query*

    - indices:data/read/get*

    - indices:data/read/mget*

    - indices:data/read/search*

    - indices:data/write/delete*

    - indices:data/write/index*

    - indices:data/write/update*

sg_roles_mapping.yml

sg_admin:

users:

- admin

- daniel.kasen

sg_public:

users:

- '*'

Log:

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen, roles=]

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/search from 10.0.11.193:36878

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [logstash-2016.06.21] from class org.elasticsearch.action.search.SearchRequest

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=39, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wild

cards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [logstash-2016.06.21]

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [logstash-2016.06.21] to {}

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [logstash-2016.06.21]

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin, sg_public]

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [logstash-2016.06.21]

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against /: [*]

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public

[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for -

[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for -: [logstash-2016.06.21]

[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for -, will check now types [*]

[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for -/: [indices:admin/validate/query, indices:admin/get*, indices:admin/mappings/fields/get*, indic

es:data/read*]

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against -/: [indices:admin/validate/query, indices:admin/get*, indic

es:admin/mappings/fields/get*, indices:data/read*]

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index - remaining requested aliases and indices:

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index - remaining requested resolved types:

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_public.-’, evaluate other roles

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match fo

r *: [logstash-2016.06.21]

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]

[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against /: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_public.*’, evaluate other roles

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for ?kibana

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] No wildcard match found for ?kibana

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested aliases and indices: [logstash-2016.06.21]

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested resolved types: [_all]

[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] dls query { “term” : {“tags” : “devlogs” } }

–

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/17cd7087-b569-4d06-90b9-aed981f0cc90%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

–

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/D357E67F-CBD5-4BEE-B6EF-29A0BA8B7F78%40search-guard.com.
For more options, visit https://groups.google.com/d/optout.