Permissions by index _type


MASG

Nov 14, 2017, 11:17:34 AM
to Search Guard Community Forum

Hi everyone,

* ES 5.4.0 and SG 5-5.4.0-12
* Modules : SSL, Multitenancy, LDAP
* openjdk version "1.8.0_131"

We have configured different roles that have read permissions on different types of one index.

On indices idx-esb-* we have defined several document _types: api, proxy, etc.
We defined one role that has read permissions on only one type of the index:

DATAREADER_API:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'idx-esb-*':
      'api':
        - READ

We get this error when opening a Kibana dashboard that has visualizations on all data of idx-esb-*; no data is loaded, not even data from '_type = api' (user datareader_api having role DATAREADER_API):

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for indices:data/read/search"}],"type":"security_exception","reason":"no permissions for indices:data/read/search"},"status":403}

Request issued by Kibana: POST https://kibana/elasticsearch/_msearch returns status code 200 OK with response body:
  error: {root_cause: [{type: "security_exception", reason: "no permissions for indices:data/read/search"}], …}
    reason: "no permissions for indices:data/read/search"
    type: "security_exception"
  status: 403

In Elasticsearch we get this error:

[INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=datareader_api, roles=[]] [IndexType [index=idx-esb-2017-s2, type=*]] [Action [indices:data/read/search]] [RolesChecked [DATAREADER_API]]

The user has read permissions only on the api _type, but the dashboard fails to load data with this _type even though we have enabled: searchguard.dynamic.kibana.do_not_fail_on_forbidden: true

Is there a way to retrieve data from document types on which the user has role permissions without giving him data read access to the whole index?

Thank you for your help.

Jochen Kressin

Nov 14, 2017, 2:27:15 PM
to Search Guard Community Forum
Just to make sure I understood the problem completely:

* The user has access to the index, but only to one specific doc type
* The Dashboard contains visualizations from more than one doc type
* Expectation would be that the data from the accessible doc type is visualized
* And the other visualizations which contain data from inaccessible document types are empty due to missing privileges

But, the Dashboard fails to load in its entirety with the said error message.

Is this correct? And do you have visualizations that contain data from more than one doc type, meaning accessible and inaccessible data in one visualization?

MASG

Nov 15, 2017, 5:21:43 AM
to Search Guard Community Forum
Hi Jochen,

Thank you for your reply. You seem to understand my issue.

The dashboard objects use the 'idx-esb-*' index pattern; however, the search and visualizations contained in that dashboard have a filter on the _type field.

Without going into the complexity of a dashboard: in the Discover panel, when I select the idx-esb-* index pattern, I get the error below (screenshot attached) even when I apply a filter on the _type field, '_type:api'. My question is why Kibana doesn't retrieve documents with the api _type, knowing that my user has READ rights on that _type.

Why does it need 'index-level perm', and is there a way to retrieve that data without giving the role READ access on ALL index documents and types?
2017-11-15 11_05_04-Kibana.png

MASG

Nov 15, 2017, 5:51:19 AM
to Search Guard Community Forum
When I filter _type=api in the Discover panel, Kibana issues this request:

{ "index": ["idx-esb-*"], "ignore_unavailable": true, "preference": 1510740229217 }
{ "version": true, "size": 500, "sort": [{ "@timestamp": { "order": "desc", "unmapped_type": "boolean" } }], "query": { "bool": { "must": [{ "query_string": { "query": "_type:api", "analyze_wildcard": true } }, { "range": { "@timestamp": { "gte": 1510700400000, "lte": 1510786799999, "format": "epoch_millis" } } }], "must_not": [] } }, "_source": { "excludes": [] }, "aggs": { "2": { "date_histogram": { "field": "@timestamp", "interval": "30m", "time_zone": "Europe/Berlin", "min_doc_count": 1 } } }, "stored_fields": ["*"], "script_fields": { }, "docvalue_fields": ["@timestamp", "elapsed_timestamp_start"], "highlight": { "pre_tags": ["@kibana-highlighted-field@"], "post_tags": ["@/kibana-highlighted-field@"], "fields": { "*": { "highlight_query": { "bool": { "must": [{ "query_string": { "query": "_type:api", "analyze_wildcard": true, "all_fields": true } }, { "range": { "@timestamp": { "gte": 1510700400000, "lte": 1510786799999, "format": "epoch_millis" } } }], "must_not": [] } } } }, "fragment_size": 2147483647 } }

Response code: 200 OK
Response body:
{ "responses": [{ "error": { "root_cause": [{ "type": "security_exception", "reason": "no permissions for indices:data/read/search" }], "type": "security_exception", "reason": "no permissions for indices:data/read/search" }, "status": 403 }] }
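To make the failure in the first post and the _msearch body above concrete, here is an added Python model of an index/type privilege check. It is not Search Guard's code and not from anyone in this thread; it is a simplified reconstruction that reproduces what the PrivilegesEvaluator log line shows: the Discover request names only the index pattern in its _msearch header, so the evaluator sees type '*', and a grant limited to the single type 'api' does not cover that. The '_type:api' filter inside the query line is never part of the privilege decision. The READ action group is modelled as a single pattern, the cluster index list and both request bodies are constructed, and the header key 'type' is the ES 5.x _msearch way of scoping a search to a doc type.

```python
import fnmatch
import json

# Constructed roles in the shape of the thread's sg_roles.yml entry.
# DATAREADER_API is the role from the thread; DATAREADER_ALL is a constructed
# comparison role that grants READ on every doc type of the same index pattern.
ROLES = {
    "DATAREADER_API": {"indices": {"idx-esb-*": {"api": ["READ"]}}},
    "DATAREADER_ALL": {"indices": {"idx-esb-*": {"*": ["READ"]}}},
}

# Assumption: the READ action group is modelled as one pattern; the real
# Search Guard action group is larger but covers the search action the same way.
ACTION_GROUPS = {"READ": ["indices:data/read/*"]}

# Constructed cluster state: the concrete indices 'idx-esb-*' expands to.
CLUSTER_INDICES = ["idx-esb-2017-s1", "idx-esb-2017-s2", ".kibana"]


def action_allowed(granted, action):
    """True if any granted action group or literal action pattern covers `action`."""
    return any(
        fnmatch.fnmatchcase(action, pat)
        for group in granted
        for pat in ACTION_GROUPS.get(group, [group])
    )


def index_level_match(role, index, doc_type, action):
    """Simplified index/type check: the concrete index must match an index
    pattern AND the requested type must match a type pattern of that entry.
    A request without a type is evaluated as type '*', which only a '*' grant
    covers; a grant for the single type 'api' does not."""
    for index_pattern, types in role["indices"].items():
        if not fnmatch.fnmatchcase(index, index_pattern):
            continue
        for type_pattern, actions in types.items():
            if fnmatch.fnmatchcase(doc_type, type_pattern) and action_allowed(actions, action):
                return True
    return False


def msearch_targets(body):
    """Parse an _msearch NDJSON body into (index patterns, type patterns) per
    header line. Only the header scopes the request; a '_type:api' filter
    inside the query line is invisible to the privilege evaluator."""
    lines = [line for line in body.splitlines() if line.strip()]
    targets = []
    for header in lines[0::2]:
        h = json.loads(header)
        indices = h.get("index", ["*"])
        types = h.get("type", ["*"])
        indices = [indices] if isinstance(indices, str) else indices
        types = [types] if isinstance(types, str) else types
        targets.append((indices, types))
    return targets


def evaluate(role_names, body, cluster_indices=CLUSTER_INDICES,
             action="indices:data/read/search"):
    """Return the (index, type) pairs the given roles do NOT cover; [] means allowed."""
    roles = [ROLES[name] for name in role_names]
    denied = []
    for index_patterns, types in msearch_targets(body):
        concrete = [i for i in cluster_indices
                    if any(fnmatch.fnmatchcase(i, p) for p in index_patterns)]
        for index in concrete:
            for doc_type in types:
                if not any(index_level_match(r, index, doc_type, action) for r in roles):
                    denied.append((index, doc_type))
    return denied


# Constructed request 1: what the Discover panel sends, modelled on the body in
# the thread. The header names only the index pattern; '_type:api' sits in the
# query line, so the evaluator sees type '*'.
KIBANA_BODY = "\n".join([
    json.dumps({"index": ["idx-esb-*"], "ignore_unavailable": True}),
    json.dumps({"size": 500, "query": {"bool": {"must": [
        {"query_string": {"query": "_type:api"}}]}}}),
])

# Constructed request 2: the same search scoped to the type in the header,
# which the 'api' grant does cover.
TYPED_BODY = "\n".join([
    json.dumps({"index": ["idx-esb-*"], "type": ["api"], "ignore_unavailable": True}),
    json.dumps({"size": 500, "query": {"match_all": {}}}),
])

if __name__ == "__main__":
    print("Discover body, DATAREADER_API:", evaluate(["DATAREADER_API"], KIBANA_BODY))
    print("Typed body,    DATAREADER_API:", evaluate(["DATAREADER_API"], TYPED_BODY))
    print("Discover body, DATAREADER_ALL:", evaluate(["DATAREADER_ALL"], KIBANA_BODY))
```

Running it shows the two idx-esb indices denied at type '*' for DATAREADER_API on the Discover-style body, nothing denied for the type-scoped body, and nothing denied for the role that grants all types. That is the gap the thread runs into: Kibana's index-pattern requests are typeless, so a type-restricted role cannot satisfy them, and do_not_fail_on_forbidden only helps when some requested index is fully covered.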

MASG

Nov 16, 2017, 8:14:49 AM
to Search Guard Community Forum
Hi all,

Any help?
Did I miss something about index-type-based permissions?

:)

SG

Nov 16, 2017, 12:10:57 PM
to search...@googlegroups.com
I will look into this, pls. stay tuned.

Yasvanth Babu

Dec 11, 2017, 4:28:44 PM
to Search Guard Community Forum
Hi Team,

I have the same issue when a user tries to access the Timelion plugin. The users are restricted based on the doc type. When I checked the audit log for the users I could see missing privileges for "indices:data/read/get" and "indices:data/read/search".
But the permissions are enabled for the user for both the ?kibana* and elasticsearch index.

I experience this issue only when I access Timelion; Discover and other visualizations are working.

ES : 5.5
SG 5.5 
Kibana multi-tenancy enabled.

Zouari Rami

Jan 17, 2018, 3:51:57 PM
to Search Guard Community Forum
Hello,

I have exactly the same problem. Did you fix the issue please?