URL shortening perms in Kibana

Tom Ryan

unread,
Dec 5, 2017, 7:58:30 PM12/5/17
to search...@googlegroups.com
It appears to me that URL shortening in Kibana requires a permission not granted to the default sg_kibana role:

[2017-12-06T00:30:35,991][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=[]] [IndexType [index=.kibana, type=url]] [Action [indices:data/write/bulk]] [RolesChecked [sg_kibana, sg_public]]

My understanding is that granting this permission to the sg_kibana user is acceptable security-wise, as they will still need explicit permission to underlying indices. To avoid granting alias controls to the sg_kibana role, I created a new action group called CLUSTER_COMPOSITE_OPS_BULK:

CLUSTER_COMPOSITE_OPS_BULK:
  - "indices:data/write/bulk"
  - CLUSTER_COMPOSITE_OPS_RO

Posting here in case it helps someone else, and in case there is a risk here I haven't thought of.
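
Added example, not part of the original thread and not Search Guard code: a small Python parser for PrivilegesEvaluator denial lines in the shape quoted above, grouping the denied actions by the roles that were checked. The function names and the second and third sample lines are constructed for illustration; only the "No cluster-level perm match" format shown in the post is handled.

```python
import re
from collections import defaultdict

# Matches the PrivilegesEvaluator denial line in the shape quoted in the post.
DENIAL = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[[^\]]*PrivilegesEvaluator\] "
    r"No cluster-level perm match for "
    r"User \[name=(?P<user>[^,\]]+), roles=\[(?P<backend_roles>[^\]]*)\]\] "
    r"\[IndexType \[index=(?P<index>[^,\]]+), type=(?P<type>[^\]]+)\]\] "
    r"\[Action \[(?P<action>[^\]]+)\]\] "
    r"\[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)

def split_list(text):
    """Split 'a, b' into ['a', 'b']; an empty string gives an empty list."""
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_denial(line):
    """Return the fields of one denial line, or None if the line is something else."""
    m = DENIAL.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["backend_roles"] = split_list(rec["backend_roles"])
    rec["checked"] = split_list(rec["checked"])
    # The confusing case from the thread: a cluster-level miss for an "indices:" action.
    rec["indices_action_at_cluster_level"] = rec["action"].startswith("indices:")
    return rec

def missing_by_role(lines):
    """Map each checked role to the set of actions it was denied at cluster level."""
    missing = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if rec:
            for role in rec["checked"]:
                missing[role].add(rec["action"])
    return dict(missing)

# First line is the one quoted in the post; the other two are constructed samples.
SAMPLE = [
    "[2017-12-06T00:30:35,991][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=[]] [IndexType [index=.kibana, type=url]] [Action [indices:data/write/bulk]] [RolesChecked [sg_kibana, sg_public]]",
    "[2017-12-06T00:31:02,114][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=[]] [IndexType [index=.kibana, type=url]] [Action [indices:data/read/mget]] [RolesChecked [sg_public]]",
    "[2017-12-06T00:31:05,400][INFO ][o.e.n.Node] started",
]

if __name__ == "__main__":
    for role, actions in sorted(missing_by_role(SAMPLE).items()):
        print(role, sorted(actions))
```
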

SG

unread,
Dec 28, 2017, 8:02:22 AM12/28/17
to search...@googlegroups.com
This is also fixed in SG 6.

> On 06.12.2017 at 01:58, Tom Ryan <tomr...@gmail.com> wrote:
>
> It appears to me that URL shortening in Kibana requires a permission not granted to the default sg_kibana role:
>
> [2017-12-06T00:30:35,991][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=[]] [IndexType [index=.kibana, type=url]] [Action [indices:data/write/bulk]] [RolesChecked [sg_kibana, sg_public]]
>
> I found the log message a bit confusing... it appears the required permission is "cluster:data/write/bulk".
>
> My understanding is that granting this permission to the sg_kibana user is acceptable security-wise, as they will still need explicit permission to underlying indices. To avoid granting alias controls to the sg_kibana role, I created a new action group called CLUSTER_COMPOSITE_OPS_BULK:
>
> CLUSTER_COMPOSITE_OPS_BULK:
>   - "indices:data/write/bulk"
>   - CLUSTER_COMPOSITE_OPS_RO
>
> Posting here in case it helps someone else, and in case there is a risk here I haven't thought of.
