The issue seems to be a bug with the way that wildcard chars are handled when there is a date involved in the index name
Cluster-level action groups

Name | Description |
---|---|
CLUSTER_ALL | Grants all cluster permissions. Equates to cluster:* |

Name | Description |
---|---|
UNLIMITED | Grants complete access, can be used on index- and cluster-level. Equates to "*". |

Name | Description |
---|---|
INDICES_ALL | Grants all permissions on the index. Equates to indices:* |
- The searchguard API documentation is very vague and does not seem to be very helpful.
- Most of the docs reference yml format, yet the api references json format.
- There seems to not be any explanation for most of the values.
- I feel that clearer documentation about searchguard is needed.
- Per the documentation "UNLIMITED" on an index should allow that user to perform any action on that index.
- "MANAGE" on an index should allow the user with that role to perform nearly any action on that index.

Let me see if I can explain this better...

---------------------------------

Sending data such as 'es.resource.write' = "spectrum_guide_rollout{date_time}/account"

    curl -XPUT 'https://d03nappp0102:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["indices:admin/*","indices:data/read/scroll","cluster:monitor/nodes/info"],"indices":{"spectrum_guide_rollout_*":{"*":["UNLIMITED","MANAGE"]}}}'

-> does not work and returns error:

    org.elasticsearch.hadoop.rest.EsHadoopInvalidRequest: no permissions for [indices:admin/refresh] and User [name=elasticview, roles=[elasticview], requestedTenant=null]

    curl -XPUT 'https://es_node:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["indices:admin/*","indices:data/read/scroll","cluster:monitor/nodes/info"],"indices":{"*":{"*":["UNLIMITED","MANAGE"]}}}'

-> does not work -> works, but allows the user any index

----------------------------------

Sending data such as 'es.resource.write' = "spectrum_guide_rollout/account"

    curl -XPUT 'https://es_node:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["indices:admin/*","indices:data/read/scroll","cluster:monitor/nodes/info"],"indices":{"spectrum_guide_rollout_*":{"*":["UNLIMITED","MANAGE"]}}}'

-> works

____________________

Sending data such as 'es.resource.write' = "spectrum_guide_rollout_2018_05_24/account"

    curl -XPUT 'https://es_node:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["indices:admin/*","indices:data/read/scroll","cluster:monitor/nodes/info"],"indices":{"spectrum_guide_rollout_2018_05_24":{"*":["UNLIMITED","MANAGE"]}}}'

-> works

    curl -XPUT 'https://es_node:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["indices:admin/*","indices:data/read/scroll","cluster:monitor/nodes/info"],"indices":{"spectrum_guide_rollout_*":{"*":["UNLIMITED","MANAGE"]}}}'

-> does not work and returns error:

    org.elasticsearch.hadoop.rest.EsHadoopInvalidRequest: no permissions for [indices:admin/refresh] and User [name=elasticview, roles=[elasticview], requestedTenant=null]

___________________

I mean even this fails:

    curl -XPUT 'https://es_node:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["CLUSTER_ALL"],"indices":{"*spectrum_guide_rollout_*":{"*":["UNLIMITED","*","MANAGE","INDICES_ALL"]},"*":{"*":["admin/refresh"]}}}'
    curl -u ... -H "Content-Type: application/json" -XPUT 'https://es_node:9200/_searchguard/api/roles/elasticview' -d '{"cluster":["CLUSTER_ALL"],"indices":{"spectrum_guide_rollout_*":{"*":["UNLIMITED"]}}}'

    curl -u elasticview:password -XPOST 'https://es_node:9200/spectrum_guide_rollout_zuk_2018_05_29/_refresh'
1) Set the log level for Search Guard to debug
   1.1) This is described here: https://docs.search-guard.com/latest/troubleshooting-tls
2) Set your Hadoop table to use the elasticview user
3) Issue the (failing) query:

    Hive> insert into table es_spec_guide_rollout_zuk_test values ('zukel','lance',"2018_05_29");
    [2018-05-31T17:44:36,511][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=hr_employee, roles=[kibanauser], requestedTenant=null] [IndexType [index=searchguard, type=*], IndexType [index=sg6-auditlog-2018.05.31, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [sg_kibana_user, sg_own_index]]
    [2018-05-31T17:44:36,511][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=sg6-auditlog-2018.05.31, type=*], IndexType [index=searchguard, type=*]], sg_kibana_user=[IndexType [index=sg6-auditlog-2018.05.31, type=*], IndexType [index=searchguard, type=*]]}
Maybe it's sufficient to set up a simple one node cluster for testing? The basic goal is to see the exact request that Hadoop issues to debug the permission problems, running it on your 51 node prod cluster is probably not needed.
Regarding your permission settings: can you try to use:

    indices:admin/refresh*
    indices:admin/refresh
If this also does not work there must be some other indices:admin/* query that Hadoop issues.
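An offline checker for the role bodies posted in this thread, added here as an example; it is not part of the original issue and not Search Guard's own code. It expands the action groups quoted above (UNLIMITED, CLUSTER_ALL, INDICES_ALL; the expansion of MANAGE is an assumption, as is treating entries under "cluster" as covering only cluster:* actions) and applies shell-style wildcard matching to index names and action names, so you can see which concrete index names a pattern such as spectrum_guide_rollout_* covers before pushing a role with PUT /_searchguard/api/roles/. The index names at the bottom are constructed for the example, and the model is deliberately simpler than Search Guard's PrivilegesEvaluator.

```python
"""Simplified, offline model of Search Guard style role evaluation.

Written for this discussion; not Search Guard's PrivilegesEvaluator.
Every place where the model guesses at behaviour is marked as an assumption.
"""
import fnmatch
import json

# Action groups as quoted in the documentation excerpt on this page.
# MANAGE is used in the thread but not defined on the page: its expansion
# below is an ASSUMPTION, not taken from the docs.
ACTION_GROUPS = {
    "UNLIMITED": ["*"],
    "CLUSTER_ALL": ["cluster:*"],
    "INDICES_ALL": ["indices:*"],
    "MANAGE": ["indices:monitor/*", "indices:admin/*"],  # assumed
}

# Role bodies exactly as posted in the thread (reporter's and maintainer's).
ROLE_WILDCARD = json.loads(
    '{"cluster":["indices:admin/*","indices:data/read/scroll","cluster:monitor/nodes/info"],'
    '"indices":{"spectrum_guide_rollout_*":{"*":["UNLIMITED","MANAGE"]}}}'
)
ROLE_SUGGESTED = json.loads(
    '{"cluster":["CLUSTER_ALL"],"indices":{"spectrum_guide_rollout_*":{"*":["UNLIMITED"]}}}'
)


def expand(perms, seen=None):
    """Expand action-group names into action patterns (recursive, cycle-safe)."""
    seen = set() if seen is None else seen
    out = set()
    for perm in perms:
        if perm in ACTION_GROUPS:
            if perm not in seen:
                seen.add(perm)
                out |= expand(ACTION_GROUPS[perm], seen)
        else:
            out.add(perm)
    return out


def matches_any(value, patterns):
    """Case-sensitive glob match of `value` against any pattern."""
    return any(fnmatch.fnmatchcase(value, pat) for pat in patterns)


def role_allows(role, action, index=None, doc_type="account"):
    """Return True if `role` grants `action` (on `index`/`doc_type` for index actions).

    ASSUMPTION of this model: permissions listed under "cluster" only cover
    cluster:* actions; an indices:* action must be granted by an index pattern
    that matches the concrete index name.
    """
    if index is None or action.startswith("cluster:"):
        return matches_any(action, expand(role.get("cluster", [])))
    for index_pattern, types in role.get("indices", {}).items():
        if not fnmatch.fnmatchcase(index, index_pattern):
            continue
        for type_pattern, perms in types.items():
            if fnmatch.fnmatchcase(doc_type, type_pattern) and matches_any(action, expand(perms)):
                return True
    return False


def matching_indices(index_pattern, names):
    """List which concrete index names a role's index pattern covers."""
    return [n for n in names if fnmatch.fnmatchcase(n, index_pattern)]


# Constructed names: what dated writes might resolve to, with and without the
# underscore that the pattern spectrum_guide_rollout_* requires.
SAMPLE_INDICES = [
    "spectrum_guide_rollout_2018_05_24",
    "spectrum_guide_rollout2018_05_24",
    "spectrum_guide_rollout_zuk_2018_05_29",
]

if __name__ == "__main__":
    print("covered:", matching_indices("spectrum_guide_rollout_*", SAMPLE_INDICES))
    for name in SAMPLE_INDICES:
        print(name, "refresh allowed:", role_allows(ROLE_WILDCARD, "indices:admin/refresh", name))
```

Run with python3; for each constructed name it reports whether indices:admin/refresh would be granted by the reporter's role. Note that a name built from a template with no separator before the date (spectrum_guide_rollout{date_time} resolves without an underscore) does not match spectrum_guide_rollout_*, so the concrete index name in the failing request is the first thing to compare against the pattern.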