User access kibana


cedric moreaux

May 17, 2016, 10:40:14 AM
to Search Guard
Hello,

I want to centralize logs from different servers hosting different services. Each service has its own index and I want to create one user per index to let them access their own data without seeing data from other indexes.

Actually, if I create a user services02-adm in group services_filebeat and give this group the right to access the indexes filebeat-services02-adm-*

services_filebeat:
  indices:
    filebeat-services02-adm-*:
      - '*'

services_filebeat:
  users:
    - services02-adm

i get this error when trying to log in kibana:

Courier Fetch Error: unhandled courier request error: [security_exception] no permissions for indices:data/read/mget
Version: 4.5.0
Build: 9889
 
Error: unhandled courier request error: [security_exception] no permissions for indices:data/read/mget

If I add this user to the group sg_kibana4, he can access Kibana but he gets access to other indexes too.

How can I restrict his access to only one index?

Regards

cedric moreaux

May 18, 2016, 9:50:52 AM
to Search Guard
To simplify my question, which rights are required to authorize a user to access Kibana?

Regards

SG

May 19, 2016, 11:20:33 AM
to search...@googlegroups.com
I assume you need something like

services_filebeat:
  indices:
    filebeat-services02-adm-*: #index
      '*': #type
        - READ #permission
        - indices:admin/mappings/fields/get* #permission
        - indices:admin/validate/query #permission
        - indices:admin/get #permission
    '?kibana': #index
      '*': #type
        - indices:admin/exists* #permission
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*

instead of

services_filebeat:
  indices:
    filebeat-services02-adm-*:
      - '*'



cedric moreaux

May 20, 2016, 5:36:11 AM
to Search Guard
With this I get 2 errors at Kibana loading:

Error: [security_exception] no permissions for indices:data/read/field_stats

And
Error: [security_exception] no permissions for indices:data/read/msearch

The fact is I have other indexes named filebeat-"server-name"-"date".
If I modify the line
filebeat-services02-adm-*
to
filebeat-*:

it works, but the user can see data from all indexes :/

Is there a solution?

Regards

cedric moreaux

May 20, 2016, 5:53:05 AM
to Search Guard
I found a solution,
services_filebeat:
  indices:
    '*':
      '*':
        - indices:data/read/field_stats
        - indices:data/read/msearch
    'filebeat-service02*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query
        - indices:admin/get
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
        - indices:admin/mappings/fields/get*


If I add the two missing rights on * it works, I just get an error: Discover: no permissions for indices:data/read/search
If I add this right, the user can see everything, but if I ignore the error I can just see data from his index.

Thanks!

Wei Hong

Jun 19, 2016, 9:57:19 PM
to Search Guard
Hi, I have some issues like you; the config is here:
sg_apache_tomcat:
  indices:
    '*':
      '*':
        - indices:data/read/field_stats
        - indices:data/read/msearch
    'apache_tomcat*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query
        - indices:admin/get
        - indices:data/read/field_stats
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*
        - indices:admin/mappings/fields/get*
  
And I got the error:
 Discover: no permissions for indices:data/read/search

But I can't see the index of "apache-tomcat*". What is the error???


On Friday, May 20, 2016 at 5:53:05 PM UTC+8, cedric moreaux wrote:

SG

Jun 20, 2016, 4:08:13 AM
to search...@googlegroups.com
'apache_tomcat*' does not match "apache-tomcat*" (underscore != dash)
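
A simplified model of how the two roles posted in this thread resolve, as an added example that is not part of the original posts and is not Search Guard's own code. It assumes `*` and `?` act as wildcards in both index and action patterns and that READ expands to `indices:data/read*`; the dated index names are constructed.

```python
from fnmatch import fnmatchcase

# Assumption: READ expands to every read action; the thread does not
# show the action-group file, so this mapping is illustrative.
ACTION_GROUPS = {"READ": ["indices:data/read*"]}

KIBANA_PERMS = ["indices:admin/exists*", "indices:admin/mapping/put*",
                "indices:admin/mappings/fields/get*", "indices:admin/refresh*",
                "indices:admin/validate/query*", "indices:data/read/get*",
                "indices:data/read/mget*", "indices:data/read/search*",
                "indices:data/read/msearch", "indices:data/read/field_stats",
                "indices:data/write/delete*", "indices:data/write/index*",
                "indices:data/write/update*"]
DATA_PERMS = ["READ", "indices:admin/mappings/fields/get*",
              "indices:admin/validate/query", "indices:admin/get"]
WILDCARD_PERMS = ["indices:data/read/field_stats", "indices:data/read/msearch"]

# Roles as posted in the thread, with the '*' type level flattened away.
SERVICES_FILEBEAT = {"*": WILDCARD_PERMS,
                     "filebeat-service02*": DATA_PERMS,
                     "?kibana": KIBANA_PERMS}
SG_APACHE_TOMCAT = {"*": WILDCARD_PERMS,
                    "apache_tomcat*": DATA_PERMS + ["indices:data/read/field_stats"],
                    "?kibana": KIBANA_PERMS}


def expand(perms):
    """Replace action-group names (e.g. READ) by their action patterns."""
    return [p for perm in perms for p in ACTION_GROUPS.get(perm, [perm])]


def allowed(role, index, action):
    """True if any index pattern matching `index` grants `action`."""
    return any(fnmatchcase(index, pattern) and
               any(fnmatchcase(action, p) for p in expand(perms))
               for pattern, perms in role.items())


def grants_outside(role, own_prefix, indices, actions):
    """List (index, action) pairs granted on indices the role does not own."""
    return [(i, a) for i in indices if not i.startswith(own_prefix)
            for a in actions if allowed(role, i, a)]
```

In this model the `'*'` entry grants `msearch` and `field_stats` on every index while `search` stays limited to the owned pattern, and `apache_tomcat*` grants nothing on an index named with a dash.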

Wei Hong

Jun 20, 2016, 4:54:48 AM
to Search Guard
Thanks, I am so careless.

On Monday, June 20, 2016 at 4:08:13 PM UTC+8, SG wrote: