no permissions for [cluster:monitor/main]


k.zhel...@sap.com

Mar 18, 2019, 11:21:01 AM
to Search Guard Community Forum
* Search Guard and Elasticsearch version: search-guard-6:6.5.4-24.0
* JVM version and operating system version: 9
* Search Guard configuration files

Hi. I would like to create a custom user which will be able to read the logs only from 1 index. I tried a lot of permissions, but when I run curl http://localhost:9200 --user user:<password>, I got:

{
  "error": {
    "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
    "root_cause": [
      {
        "reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[sg_user], requestedTenant=null]",
        "type": "security_exception"
      }
    ],
    "type": "security_exception"
  },
  "status": 403
}

Can you tell me what is wrong with my configuration, please. Here are my sg_*.yml files.

The problem comes with the user "user" and the role "sg_user"
sg_action_group.yml
sg_config.yml
sg_internal_users.yml
sg_roles_mapping.yml
sg_roles.yml

SG

Mar 18, 2019, 11:27:32 AM
to search...@googlegroups.com
In sg_roles.yml try

sg_user:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*logstash-normal*':
      '*':
        - READ
  readonly: true

k.zhel...@sap.com

Mar 18, 2019, 11:40:40 AM
to search...@googlegroups.com
Still the same message

SG

Mar 18, 2019, 11:42:16 AM
to search...@googlegroups.com
Did you run sgadmin after altering sg_roles.yml?

> On 18.03.2019 at 16:40, k.zhel...@sap.com wrote:
>
> Still the same message

k.zhel...@sap.com

Mar 18, 2019, 11:42:59 AM
to Search Guard Community Forum
Search Guard Admin v6
Will connect to master-svc:9300 ... done
Elasticsearch Version: 6.5.4
Search Guard Version: 6.5.4-24.0
Connected as CN=master-svc
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: shoot--i355448--shoot-elasticsearch-logging
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /root/sgconfig/
Will update 'sg/config' with /root/sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /root/sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /root/sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /root/sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /root/sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

SG

Mar 18, 2019, 11:51:46 AM
to search...@googlegroups.com
in internal users yml:

user:
  hash: $2a$12$Sg4DNnD44579g8D.RJPQtuBacbLH817eVVlOPmHuYx5MS4Heay8TK

and in roles mapping yml

sg_user:
  users:
    - user
  readall: true

Mind the additional indirection between "backendroles" and "Search Guard roles" as explained here:

- https://docs.search-guard.com/latest/mapping-users-roles
- https://docs.search-guard.com/latest/role-mapping-modes
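Added example, not part of the original thread and not Search Guard's own code: a simplified Python model of the indirection between backend roles and Search Guard roles described in the post above. It assumes the default mapping-only resolution mode and assumed expansions for CLUSTER_MONITOR and READ; the function names and the unmapped scenario are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumed expansions; the poster's sg_action_groups.yml is not shown in the thread.
ACTION_GROUPS = {"CLUSTER_MONITOR": ["cluster:monitor/*"], "READ": ["indices:data/read*"]}

# Role as suggested in the thread; CLUSTER_COMPOSITE_OPS_RO is left unexpanded here.
ROLES = {
    "sg_user": {
        "cluster": ["CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS_RO"],
        "indices": {"*logstash-normal*": {"*": ["READ"]}},
    }
}

def expand(perms):
    """Replace known action-group names with their action patterns."""
    return [a for p in perms for a in ACTION_GROUPS.get(p, [p])]

def resolve_sg_roles(user, backend_roles, roles_mapping):
    """Return the Search Guard roles the mapping grants (mapping-only mode)."""
    return {
        sg_role
        for sg_role, m in roles_mapping.items()
        if user in m.get("users", [])
        or set(backend_roles) & set(m.get("backendroles", []))
    }

def is_allowed(sg_roles, action, index=None):
    """Check a cluster-level action (index=None) or an index-level action."""
    for name in sg_roles:
        role = ROLES.get(name, {})
        if index is None:
            patterns = expand(role.get("cluster", []))
        else:
            patterns = [
                a
                for idx_pattern, types in role.get("indices", {}).items()
                if fnmatchcase(index, idx_pattern)
                for perms in types.values()
                for a in expand(perms)
            ]
        if any(fnmatchcase(action, p) for p in patterns):
            return True
    return False

# Constructed scenario: the user carries a backend role named "sg_user",
# first with an empty mapping, then with the mapping from the post above.
unmapped = resolve_sg_roles("user", ["sg_user"], {})
mapped = resolve_sg_roles("user", ["sg_user"], {"sg_user": {"users": ["user"]}})
print(is_allowed(unmapped, "cluster:monitor/main"), is_allowed(mapped, "cluster:monitor/main"))
```

A backend role that merely shares its name with a Search Guard role grants nothing in this model until sg_roles_mapping.yml maps the user or the backend role to it.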

k.zhel...@sap.com

Mar 18, 2019, 12:05:17 PM
to Search Guard Community Forum
Thanks a lot, it works.

Can you assist me with one more thing?
My index is called "logstash-normal-2019.03.18".
Why do I not get any logs when my role is:

roles:
sg_user:
readonly: true

k.zhel...@sap.com

Mar 18, 2019, 12:16:04 PM
to search...@googlegroups.com
Maybe I do not have enough permissions to read logs from the index?

I'm trying to read them from Kibana.

Search Guard

Mar 18, 2019, 12:20:49 PM
to Search Guard Community Forum
Your role definition looks good so far.

Any error message? What do you mean by "Why i do not get any logs ..."?

k.zhel...@sap.com

Mar 18, 2019, 12:23:37 PM
to Search Guard Community Forum
When I log in to Kibana with this user, I do not see any logs.

SG

Mar 18, 2019, 12:26:42 PM
to search...@googlegroups.com
Maybe you need to adjust the time filter in the upper right corner.
And make sure you have the correct index pattern selected.
And be sure that log entries really exist in the index.

> On 18.03.2019 at 17:23, k.zhel...@sap.com wrote:
>
> When I log in to Kibana with this user, I do not see any logs.

k.zhel...@sap.com

Mar 18, 2019, 12:30:54 PM
to Search Guard Community Forum

Screen Shot 2019-03-18 at 18.30.20.png

k.zhel...@sap.com

Mar 18, 2019, 12:33:14 PM
to Search Guard Community Forum
I do not have any checkboxes, filters and so on in Kibana. So maybe Kibana requires additional permissions, I think.

Search Guard

Mar 18, 2019, 12:34:45 PM
to Search Guard Community Forum
Add the sg_kibana_user role to all users which should be able to use Kibana.


k.zhel...@sap.com

Mar 18, 2019, 1:00:03 PM
to Search Guard Community Forum
With this update I got the following error in Kibana:

Discover: no permissions for [indices:data/read/search] and user [name=user, roles[], requestedTenant=null]

SG

Mar 18, 2019, 4:02:28 PM
to search...@googlegroups.com
Make sure you have access to all indices matching your index pattern.
Can you attach a screenshot?

> On 18.03.2019 at 18:00, k.zhel...@sap.com wrote:
>
> With this update I got the following error in Kibana:
>
> Discover: no permissions for [indices:data/read/search] and user [name=user, roles[], requestedTenant=null]

k.zhel...@sap.com

Mar 18, 2019, 4:04:01 PM
to Search Guard Community Forum
I found that it works by adding "- indices:data/read/scroll" in the cluster permissions. Thanks for the help :)