(search-guard-helm) New user cannot access kibana UI after log in successfully


johnz...@gmail.com

Nov 29, 2018, 7:45:18 AM
to Search Guard Community Forum
* Search Guard and Elasticsearch version   (Answer: by default - 6.4.1)
* Installed and used enterprise modules, if any  (Answer: by default of search-guard-helm)
 
1  Created with search-guard-helm.
2  Works well with the admin user
3  Added a new user "pp" as below
```
------------
    ### dev1c_pp*
    sg_dev1c_pp:
      readonly: true
      cluster:
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        'dev1c_pp*':
          '*':
            - READ
--------------
    sg_dev1c_pp:
      readonly: true
      backendroles:
        - dev1c_pp

---------
    #password is: password123
    pp:
      hash: $2y$12$PJOcaB0KNnBnpx51GybEj.lnEqj9ey1HLRW.u5d3cF9fEJrlkhfZy
      roles:
        - kibanauser
        - dev1c_pp
```

4  Ran sgadmin_update.sh successfully
```
[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh
... ...
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Done with success
```

5  Logged in to Kibana with the new user pp successfully

6  However, the Kibana tab shows empty.

7  Clicking the other links (Discover / Visualize / Dashboard / Timelion / Dev Tools / Management), all are empty or do not work.




Jochen Kressin

Nov 29, 2018, 10:22:06 AM
to Search Guard Community Forum
It seems that the sgadmin_update.sh script does not update all the config files:

```
[root@inclined-ostrich-sg-helm-sgadmin-5b455c8d6b-vbqsn ~]# /root/sgadmin_update.sh
... ...
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success
```

Usually, you would see all 5 configs being updated. Or did you just trim the output of sgadmin? 

Can you please check the output of the authinfo endpoint with your newly created pp user:


Please post the output here. Pay attention to the sg_roles field in the JSON that this endpoint returns. Does it contain the sg_kibana_user role?

SG

Nov 29, 2018, 12:31:21 PM
to search...@googlegroups.com
I guess that the kibanauser role is not mapped to the appropriate permissions because either the rolemapping is missing or the sg_kibana_user role is missing.
In our Helm charts they are not included! To make a long story short: I think it is solely a permission misconfiguration and not k8s related.

Best way to find this out is to dump the current configuration with "sgadmin -r" and post the files.

johnz...@gmail.com

Nov 30, 2018, 2:25:22 AM
to Search Guard Community Forum
Resolved!

Change below:
```
    ### dev1c_pp*
    sg_dev1c_pp:
      readonly: true
      cluster:
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        'dev1c_pp*':
          '*':
            - READ
```

To:
```
    ### dev1c_pp*
    sg_dev1c_pp:
      readonly: true
      cluster:
        - CLUSTER_COMPOSITE_OPS_RO
      indices:
        'dev1c_pp*':
          '*':
            - READ
        '?kibana':
          '*':
            - INDICES_ALL
        '?kibana-6':
          '*':
            - INDICES_ALL
        '?reporting*':
          '*':
            - INDICES_ALL
        '?monitoring*':
          '*':
            - INDICES_ALL
```
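
Added example, not part of the original thread and not Search Guard's own code: a simplified model of how the configs posted above resolve for user `pp`, showing which Search Guard roles the user's backend roles map to and what those roles grant on `.kibana` before and after the change. The dictionaries are constructed from the snippets in this thread; the helper names and the use of `fnmatch` for the `?`/`*` index wildcards are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed from the snippets posted in this thread (not a complete config).
INTERNAL_USERS = {"pp": {"roles": ["kibanauser", "dev1c_pp"]}}  # backend roles
ROLES_MAPPING = {"sg_dev1c_pp": {"backendroles": ["dev1c_pp"]}}
ROLES_BEFORE = {"sg_dev1c_pp": {"indices": {"dev1c_pp*": {"*": ["READ"]}}}}
ROLES_AFTER = {"sg_dev1c_pp": {"indices": {
    "dev1c_pp*": {"*": ["READ"]},
    "?kibana": {"*": ["INDICES_ALL"]},
    "?kibana-6": {"*": ["INDICES_ALL"]},
    "?reporting*": {"*": ["INDICES_ALL"]},
    "?monitoring*": {"*": ["INDICES_ALL"]},
}}}

def effective_sg_roles(user, users, mapping):
    """Return (sg_roles, backend roles that no mapping entry picks up)."""
    backend = set(users[user]["roles"])
    sg_roles, used = set(), set()
    for sg_role, entry in mapping.items():
        hit = backend & set(entry.get("backendroles", []))
        if hit or user in entry.get("users", []):
            sg_roles.add(sg_role)
            used |= hit
    return sg_roles, backend - used

def grants_on_index(index, sg_roles, roles):
    """Collect permissions the given SG roles hold on a concrete index name."""
    perms = set()
    for role in sg_roles:
        for pattern, types in roles.get(role, {}).get("indices", {}).items():
            # Assumption: '?' matches one character, '*' any sequence.
            if fnmatchcase(index, pattern):
                for type_perms in types.values():
                    perms.update(type_perms)
    return perms

def audit(user, users, mapping, roles, index=".kibana"):
    """Summarise role resolution and index permissions for one user."""
    sg_roles, unmapped = effective_sg_roles(user, users, mapping)
    return {
        "sg_roles": sorted(sg_roles),
        "unmapped_backend_roles": sorted(unmapped),
        "perms_on_index": sorted(grants_on_index(index, sg_roles, roles)),
    }

if __name__ == "__main__":
    for label, roles in (("before", ROLES_BEFORE), ("after", ROLES_AFTER)):
        print(label, audit("pp", INTERNAL_USERS, ROLES_MAPPING, roles))
```

In both runs `kibanauser` is reported as an unmapped backend role, which matches the suggestion in the thread that the role mapping for it is missing; the change only adds Kibana index permissions to `sg_dev1c_pp`.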