using public group * adds user unintentionally


djtecha

Jun 21, 2016, 5:35:59 PM6/21/16
to Search Guard
So I have an admin group and a public group. The admin group has my user defined and allows complete searching, the public group defines its users as '*' and has a DLS attached. Problem is, SG adds my defined user to both and then inherits the DLS, which I don't want. Any ideas?

sg_roles.yml

sg_admin:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'
        
sg_public:
  indices:
    '*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
    '*-*':
      '*':
        - READ
        - indices:admin/mappings/fields/get*
        - indices:admin/validate/query*
        - indices:admin/get*
      _dls_: '{ "term" : {"tags" : "devlogs" } }'
    '?kibana':
      '*':
        - indices:admin/exists*
        - indices:admin/mapping/put*
        - indices:admin/mappings/fields/get*
        - indices:admin/refresh*
        - indices:admin/validate/query*
        - indices:data/read/get*
        - indices:data/read/mget*
        - indices:data/read/search*
        - indices:data/write/delete*
        - indices:data/write/index*
        - indices:data/write/update*

sg_roles_mapping.yml

sg_admin:
  users:
    - admin
    - daniel.kasen

sg_public:
  users:
    - '*'


Log:

[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen, roles=[]]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/search from 10.0.11.193:36878
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [logstash-2016.06.21] from class org.elasticsearch.action.search.SearchRequest
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=39, ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=true, forbid_closed_indices=true]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [logstash-2016.06.21]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [logstash-2016.06.21] to {}
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [logstash-2016.06.21]
[2016-06-21 14:24:17,462][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin, sg_public]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Try wildcard match for *
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Wildcard match for *: [logstash-2016.06.21]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   matches for *, will check now types [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     resolvedActions for */*: [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     match requested action indices:data/read/search against */*: [*]
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices: []
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types: []
[2016-06-21 14:24:17,463][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_admin.*', evaluate other roles
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_public
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Try wildcard match for *-*
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Wildcard match for *-*: [logstash-2016.06.21]
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   matches for *-*, will check now types [*]
[2016-06-21 14:24:17,470][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     resolvedActions for *-*/*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     match requested action indices:data/read/search against *-*/*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index *-* remaining requested aliases and indices: []
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index *-* remaining requested resolved types: []
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_public.*-*', evaluate other roles
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Try wildcard match for *
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Wildcard match for *: [logstash-2016.06.21]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   matches for *, will check now types [*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     resolvedActions for */*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,471][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     match requested action indices:data/read/search against */*: [indices:admin/validate/query*, indices:admin/get*, indices:admin/mappings/fields/get*, indices:data/read*]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices: []
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types: []
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_public.*', evaluate other roles
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Try wildcard match for ?kibana
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   No wildcard match found for ?kibana
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested aliases and indices: [logstash-2016.06.21]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index ?kibana remaining requested resolved types: [_all]
[2016-06-21 14:24:17,472][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] dls query { "term" : {"tags" : "devlogs" } }

SG

Jun 26, 2016, 4:38:17 AM6/26/16
to search...@googlegroups.com
I see two possibilities:

- Use a regex in sg_public to exclude "admin" user. Something like this should work:

sg_public:
  users:
    - '/((?!admin).)*/'

- Do not use '*' in sg_public but name the users explicitly or use roles for that (and make sure that admin/daniel.kasen does not have this role)

Maybe we can add a dedicated option to exclude users from DLS/FLS, we will think about this.
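As an added example (not from the thread and not Search Guard's own code), a small Python model of the user-to-role mapping, assuming the rule set the reply relies on: '*' matches every user, a pattern wrapped in slashes is a full-string regular expression, and anything else is an exact user name. It evaluates the thread's original mapping, the regex suggested above, and an explicit-user mapping (with constructed user names) for the users named in the thread, and reports which DLS query each user inherits for the logstash index seen in the debug log.

```python
import re
from fnmatch import fnmatchcase

# Constructed from the thread's sg_roles_mapping.yml: role -> user patterns.
MAPPING_ORIGINAL = {"sg_admin": ["admin", "daniel.kasen"], "sg_public": ["*"]}
# The regex suggested in the reply (trailing space removed).
MAPPING_REGEX = {"sg_admin": ["admin", "daniel.kasen"],
                 "sg_public": ["/((?!admin).)*/"]}
# The reply's second option: explicit names instead of '*' (names constructed).
MAPPING_EXPLICIT = {"sg_admin": ["admin", "daniel.kasen"],
                    "sg_public": ["kibanaro", "analyst"]}
# DLS queries from the thread's sg_roles.yml, keyed by role and index pattern.
ROLE_DLS = {"sg_public": {"*-*": '{ "term" : {"tags" : "devlogs" } }'}}


def user_matches(pattern, user):
    """Assumed matching rule: '*' is any user, '/.../' is a full-string
    regex, anything else must equal the user name exactly."""
    if pattern == "*":
        return True
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], user) is not None
    return pattern == user


def mapped_roles(mapping, user):
    """Every role whose user list matches; all of them apply to the user."""
    return sorted(role for role, patterns in mapping.items()
                  if any(user_matches(p, user) for p in patterns))


def inherited_dls(mapping, user, index):
    """DLS queries the user picks up for `index` through the mapped roles."""
    queries = []
    for role in mapped_roles(mapping, user):
        for index_pattern, query in ROLE_DLS.get(role, {}).items():
            if fnmatchcase(index, index_pattern):
                queries.append(query)
    return queries


if __name__ == "__main__":
    for name, mapping in [("original", MAPPING_ORIGINAL),
                          ("regex", MAPPING_REGEX),
                          ("explicit", MAPPING_EXPLICIT)]:
        for user in ("admin", "daniel.kasen", "analyst"):
            print(name, user, mapped_roles(mapping, user),
                  inherited_dls(mapping, user, "logstash-2016.06.21"))
```

Run as-is it reproduces the log: with the original mapping daniel.kasen lands in both roles and inherits the devlogs term query. With the regex, admin no longer maps to sg_public, but daniel.kasen still does because that name never contains "admin", so the pattern has to exclude every administrative user name or the explicit list should be used.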

Daniel Kasen

Jun 27, 2016, 3:47:53 PM6/27/16
to search...@googlegroups.com
Ahh this worked wonderfully, thank you!
