I was looking at the debug logs. This is what I see:
[2015-06-10 07:10:58,111][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] user User [name=mahesh, roles=[enduser]]
[2015-06-10 07:10:58,111][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] requestedHostAddress: 10.xx.xx.xx OR xxx
[2015-06-10 07:10:58,111][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] requestedAliases: [*]
[2015-06-10 07:10:58,111][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] requestedIndices: [.kibana]
[2015-06-10 07:10:58,111][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] requestedTypes: [*]
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Checking 3 rules
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Default set to filtersExecute []
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Default set to filterBypass []
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Check rule 1.: ACRule [hosts=null, users=null, roles=[admin], indices=null, aliases=null, filters_execute=[], filters_bypass=[*], isDefault()=false, __Comment__="For role admin all filters are bypassed (so none will be executed). This means unrestricted access."]
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> User wildcard match
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] User does not have role admin
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] No role does not match
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Host wildcard match
[2015-06-10 07:10:58,112][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Users or roles or hosts does not match, so we skip this rule
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Check rule 2.: ACRule [hosts=null, users=[spock], roles=null, indices=[abc, .kibana], aliases=null, filters_execute=[actionrequestfilter.readonly_kibana], filters_bypass=[], isDefault()=false, __Comment__="This means that the user spock has readonly access on index abc and ea"]
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] User mahesh does not match
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Role wildcard match
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Host wildcard match
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Users or roles or hosts does not match, so we skip this rule
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Check rule 3.: ACRule [hosts=null, users=[mahesh], roles=null, indices=[.kibana, ea], aliases=null, filters_execute=[actionrequestfilter.readonly_kibana], filters_bypass=[], isDefault()=false, __Comment__="This means that the user spock has readonly access on index abc and ea"]
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> User mahesh match
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Role wildcard match
[2015-06-10 07:10:58,113][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Host wildcard match
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Identity would match, see if aliases and indices are also ok?
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] --> Alias wildcard match
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] typeAndMatch(): request .kibana, granted .kibana, requestedTypes [*]
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Wildcard indices/aliases: .kibana -> .kibana
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Wildcard without types: .kibana -> .kibana
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] -->Index .kibana match .kibana
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Index .kibana has a matching pattern
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] ----> APPLY RULE <---- which means the following executeFilters: [actionrequestfilter.readonly_kibana]/bypassFilters: []
[2015-06-10 07:10:58,114][DEBUG][com.floragunn.searchguard.tokeneval.TokenEvaluator] Final executeFilters: [actionrequestfilter.readonly_kibana]/bypassFilters: []
[2015-06-10 07:10:58,117][WARN ][com.floragunn.searchguard.filter.SearchGuardActionFilter] actionrequestfilter.readonly_kibana Action 'indices:admin/mappings/fields/get[index]' is forbidden due to DEFAULT
Which "DEFAULT" rule are the logs referring to?
Thanks!
- mahesh.