Why the roles are not picking though the user is been assigned to role?

Search Guard
1

For example:

sg_config.yml:

searchguard:

authc:

basic_internal_auth_domain:
enabled: true

order: 1

http_authenticator:

type: basic

challenge: true

authentication_backend:

type: intern

sg_roles_mapping.yml:

sg_kibana4_server:

users:

  • kibanaserver

sg_roles.yml:

sg_kibana4_server:

cluster:

  • cluster:monitor/nodes/info

  • cluster:monitor/health

indices:

‘?kibana’:

‘*’:

  • ALL

In The log:

[2016-08-10 11:33:22,157][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_kibana4_server]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana4_server

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for ?kibana

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for ?kibana: [.kibana]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for ?kibana, will check now types [*]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for ?kibana/: [indices:]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against ?kibana/: [indices:]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested aliases and indices:

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested resolved types:

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_kibana4_server.?kibana’, evaluate other roles

[2016-08-10 11:33:24,664][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,664][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,664][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=[]]’ is authenticated

[2016-08-10 11:33:24,666][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,666][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,666][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=]’ is authenticated

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=kibanaserver, roles=]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 172.16.189.219:60040

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [_all]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_kibana4_server]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana4_server

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/nodes/info, cluster:monitor/health]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_kibana4_server’ and cluster:monitor/nodes/info, skip other roles

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=[]]’ is authenticated

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=kibanaserver, roles=[]]

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested cluster:monitor/health from 172.16.189.219:60041

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=7, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=false]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_kibana4_server]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana4_server

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/nodes/info, cluster:monitor/health]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_kibana4_server’ and cluster:monitor/health, skip other roles

[2016-08-10 11:33:24,683][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,683][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,683][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=[]]’ is authenticated

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=kibanaserver, roles=[]]

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/search from 172.16.189.219:60042

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.search.SearchRequest

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions**[id=38**, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]

Some one please throw some on light on this, I’m totally confused.

2

Everything seems to work fine. Wehn speaking of roles, there are actually two types of roles:

  • Backend roles
  • These are roles that Search Guard retrieves from some authorization backend like LDAP
  • These authorization backends are configured in the authz section of the sg_config
  • You use them to collect additional roles for the user
  • Mapped roles
  • Search Guard maps users and backend roles to Search Guard roles
  • This is what you define in sg_roles_mapping
  • Search Guard uses the mapped roles to define permissions
    What you see in the logfiles are the backend roles of the user, not the mapped roles. If you have not defined an authorization backend, and thus have no additional backend roles, these will always be empty.

The important part in the log is:

mapped roles: [sg_kibana4_server]

Which means that Search Guard has mapped user names and backend roles to the sg_kibana4_server role, and SG will use the permission settings for this mapped role.

···

On Wednesday, 10 August 2016 13:52:32 UTC+2, SAI KRISHNA GHANTA wrote:

For example:

sg_config.yml:

searchguard:

authc:

basic_internal_auth_domain:
enabled: true

order: 1

http_authenticator:

type: basic

challenge: true

authentication_backend:

type: intern

sg_roles_mapping.yml:

sg_kibana4_server:

users:

  • kibanaserver

sg_roles.yml:

sg_kibana4_server:

cluster:

  • cluster:monitor/nodes/info
  • cluster:monitor/health

indices:

‘?kibana’:

‘*’:

  • ALL

In The log:

[2016-08-10 11:33:22,157][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_kibana4_server]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana4_server

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for ?kibana

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for ?kibana: [.kibana]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for ?kibana, will check now types [*]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for ?kibana/: [indices:]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/search against ?kibana/: [indices:]

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested aliases and indices:

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested resolved types:

[2016-08-10 11:33:22,158][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_kibana4_server.?kibana’, evaluate other roles

[2016-08-10 11:33:24,664][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,664][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,664][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=[]]’ is authenticated

[2016-08-10 11:33:24,666][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,666][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,666][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=]’ is authenticated

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=kibanaserver, roles=]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 172.16.189.219:60040

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [_all]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_kibana4_server]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana4_server

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/nodes/info, cluster:monitor/health]

[2016-08-10 11:33:24,667][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_kibana4_server’ and cluster:monitor/nodes/info, skip other roles

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=[]]’ is authenticated

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=kibanaserver, roles=[]]

[2016-08-10 11:33:24,677][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested cluster:monitor/health from 172.16.189.219:60041

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=7, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=false]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_kibana4_server]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana4_server

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolved cluster actions:[cluster:monitor/nodes/info, cluster:monitor/health]

[2016-08-10 11:33:24,678][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_kibana4_server’ and cluster:monitor/health, skip other roles

[2016-08-10 11:33:24,683][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-08-10 11:33:24,683][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘kibanaserver’ is in cache? true (cache size: 1)

[2016-08-10 11:33:24,683][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=kibanaserver, roles=[]]’ is authenticated

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=kibanaserver, roles=[]]

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/search from 172.16.189.219:60042

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.search.SearchRequest

[2016-08-10 11:33:24,684][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions**[id=38**, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]

Some one please throw some on light on this, I’m totally confused.