User permissions aren't working


JoJo Monkey

Mar 8, 2019, 3:52:28 PM
to Search Guard Community Forum
I can't get my user to have the expected permissions. What am I doing wrong?


Versions: Search Guard 5, Elasticsearch 5

sg_roles_mapping.yml:

rr_subscription_report:
  users:
    - giedre


sg_roles.yml:

Trying anything that might work here. Nothing seems to take.

rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get



[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=*]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-08T20:50:03,829][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=*]]}



SG

Mar 11, 2019, 8:56:37 AM
to search...@googlegroups.com
The roles and roles mapping look right actually.

Can you please attach the complete sg_roles_mapping.yml and sg_roles.yml as files?
This makes it easier for us to reproduce it. Please also turn on debug logging (https://docs.search-guard.com/latest/troubleshooting-setting-log-level#turn-on-debug-logging-temporarily)
and post the logs.

What kind of query/request did you issue?
Which exact version of Elasticsearch and SG do you use?

JoJo Monkey

Mar 11, 2019, 10:53:28 AM
to Search Guard Community Forum
I included the Dockerfile thinking it might help you debug. 

Versions are:
ES 5.5.0 
SG 5.5.0-15

The request is a simple document GET request to elasticsearch. 

curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/_all/core"

Thanks for your help.
logcatch.log
sg_roles_mapping.yml
sg_roles.yml
Dockerfile

JoJo Monkey

Mar 13, 2019, 9:24:02 AM
to Search Guard Community Forum
Has anyone had a chance to take a look at this or have any suggestions?

Search Guard

Mar 17, 2019, 3:27:12 PM
to Search Guard Community Forum
From the logs it seems correct, because access to the .kibana index is requested and denied: the user "giedre" is only mapped to the sg role "rr_subscription_report" and is therefore only allowed
for the indices "library" and "beh_optin_history_campaign", but not .kibana.

[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/search from 172.20.0.3:55628
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.search.SearchRequest  <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=38, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [.kibana] <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana] <<<<<<<-------------------------------- .kibana
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=index-pattern]]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report
[2019-03-11T14:17:38,554][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=.kibana, type=index-pattern]]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=.kibana, type=index-pattern]] [Action [indices:data/read/search]] [RolesChecked [rr_subscription_report]]
[2019-03-11T14:17:38,554][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=.kibana, type=index-pattern]]}
[2019-03-11T14:17:38,555][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/search

With regards to your "curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/_all/core" command:
Does it work when you replace "_all" with the actual type?

We need a debug log which shows exactly the flow from the above curl command.

JoJo Monkey

Mar 18, 2019, 11:35:49 AM
to Search Guard Community Forum
As requested, here's the log for the updated command:
curl -u giedre:<redacted> --insecure -X GET "http://localhost:9200/library/library/core"


[2019-03-18T15:30:30,361][DEBUG][c.f.s.a.BackendRegistry  ] Try to extract auth creds from http basic
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry  ] User 'giedre' is in cache? true (cache size: 5)
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry  ] User 'User [name=giedre, roles=[rr_subscription_report]]' is authenticated
[2019-03-18T15:30:30,362][DEBUG][c.f.s.a.BackendRegistry  ] sg_tenant 'null'
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] evaluate permissions for User [name=giedre, roles=[rr_subscription_report]]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:data/read/get from 172.20.0.1:34094
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [library] from class org.elasticsearch.action.get.GetRequest
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] raw indices [library]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [library] to [library]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=library, type=library]]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for giedre: [rr_subscription_report]
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: rr_subscription_report
[2019-03-18T15:30:30,362][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers rr_subscription_report=>[IndexType [index=library, type=library]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=giedre, roles=[rr_subscription_report]] [IndexType [index=library, type=library]] [Action [indices:data/read/get]] [RolesChecked [rr_subscription_report]]
[2019-03-18T15:30:30,362][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {rr_subscription_report=[IndexType [index=library, type=library]]}
[2019-03-18T15:30:30,362][DEBUG][c.f.s.f.SearchGuardFilter] no permissions for indices:data/read/get


Thanks for your help!

SG

Mar 18, 2019, 12:00:41 PM
to search...@googlegroups.com
This seems like a bug.

Elasticsearch 5.5 is already EOL (end of life), so I would like to ask you if you can check whether this behaviour also occurs with 5.6.15 and Search Guard 19.3.
If so we will provide a fix but for 5.6.15 only. See https://docs.search-guard.com/latest/eol-policy

Please also consider upgrading to 6.6.x because ES 5 will soon be completely discontinued.

SG

Mar 18, 2019, 12:17:30 PM
to search...@googlegroups.com
During reproduction it turns out you made just a typo:

rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get

It's not "indicies", it must be "indices", like

rr_subscription_report:
  indices:
    'library':
      '*':
        - READ
        - indices:data/read/*
        - indices:data/read/get*
        - indices:data/read/get
    'beh_optin_history_campaign':
      '*':
        - READ
        - indices:data/read/search
        - indices:data/read/get
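
A check that would catch this kind of typo before the file is loaded, as an added example that is not part of the original post or of Search Guard itself: it flags role section keys in sg_roles.yml that are not in a known set and suggests the nearest valid name. The set of valid keys (`cluster`, `indices`, `tenants`) and the name `lint_roles` are assumptions; match the set to the documentation for your Search Guard version.

```python
import difflib
import re

# Assumption: section keys a role may carry; adjust to your Search Guard version.
KNOWN_SECTIONS = {"cluster", "indices", "tenants"}

# A mapping key line: optional indent, a key that is not a list item or comment, then ':'.
KEY_RE = re.compile(r"^( *)([^\s#-][^:]*):(\s.*)?$")

def lint_roles(text):
    """Return (line, role, bad_key, suggestion) for each unknown role section key."""
    findings = []
    role, section_indent = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()
        m = KEY_RE.match(line)
        if not m:
            continue  # blank line, comment, or "- permission" list item
        indent, key = len(m.group(1)), m.group(2).strip("'\"")
        if indent == 0:  # a new role definition starts
            role, section_indent = key, None
            continue
        if role is None:
            continue
        if section_indent is None:  # first nested key fixes the section level
            section_indent = indent
        if indent == section_indent and key not in KNOWN_SECTIONS:
            hint = difflib.get_close_matches(key, sorted(KNOWN_SECTIONS), n=1)
            findings.append((lineno, role, key, hint[0] if hint else None))
    return findings

# Constructed sample: the role from this thread, with the misspelled key.
BROKEN = """\
rr_subscription_report:
  indicies:
    'library':
      '*':
        - READ
        - indices:data/read/get
"""
FIXED = BROKEN.replace("indicies:", "indices:")

if __name__ == "__main__":
    for lineno, role, key, hint in lint_roles(BROKEN):
        print(f"line {lineno}: role {role!r} has unknown key {key!r}; did you mean {hint!r}?")
```
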



JoJo Monkey

Mar 18, 2019, 1:18:04 PM
to Search Guard Community Forum
Doh! That was it. Thanks for spotting that!