Roles not assumed on Kibana with SearchGuard


Luis Jeremias

Apr 18, 2018, 10:26:56 AM
to Search Guard Community Forum
Hello,

I've been trying to restrict the indexes that a user can see from Kibana. 
It seems like anything that I define in the role is not applied to the user. I can put anything on sg_roles.yml that the result is the same. Currently:


=====================================================
On sg_roles.yml:

rolex1:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "MONITOR"
  indices:
    sg6-auditlog-2018?04?17:
      '*':
      - "DATA_ACCESS"
      - "READ"
      - "INDEX"


=====================================================
On sg_roles_mapping.yml

rolex1:
  backendroles:
  - kibanauser
  - admin
  users:
  - userx1
  - userx2   


=====================================================  
On sg_internal_users.yml

userx1:
  password: ""
  hash: "$2y$12$GgjPLywj27v7SHdYd61y6.2PfRdy8pkD/QLEwdkrj6RyuBp/AVyIK"
  roles:
    - kibanauser

userx2:
  password: ""
  hash: "$2y$12$GgjPLywj27v7SHdYd61y6.2PfRdy8pkD/QLEwdkrj6RyuBp/AVyIK"
  roles:
    - kibanauser


=====================================================
Settings successfully updated using sgadmin

Search Guard Admin v6
Will connect to localhost:9300 ... done
Elasticsearch Version: 6.2.3
Search Guard Version: 6.2.3-22.0
Connected as CN=kirk,OU=client,O=client,L=Test,C=DE
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: searchguard_demo
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig
Will update 'sg/config' with ../sgconfig/sg_config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Done with success



=====================================================
When I log into Kibana with any of the users, I get the error:
Discover: no permissions for [indices:data/read/search] and User [name=userx1, roles=[kibanauser], requestedTenant=null]


=====================================================

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "Unexpected exception indices:admin/mappings/get"
      }
    ],
    "type" : "security_exception",
    "reason" : "Unexpected exception indices:admin/mappings/get"
  },
  "status" : 500
}


=====================================================

{"user":"User [name=userx1, roles=[kibanauser], requestedTenant=null]","user_name":"userx1","user_requested_tenant":null,"remote_address":"[::1]:46968","backend_roles":["kibanauser"],"custom_attribute_names":[],"sg_roles":["rolex1","sg_kibana_user","sg_own_index"],"sg_tenants":{"userx1":true},"principal":null,"peer_certificates":"0"}[root@localhost sgconfig]#



=====================================================
Elasticsearch Version: 6.2.3
Search Guard Version: 6.2.3-22.0
No enterprise modules
Kibana 6.2.3


Can anyone spot something wrong or missing? Why doesn't the user apply the permissions on the role when logged in?

Thank you very much,

Luís Jeremias

SG

Apr 19, 2018, 12:26:22 PM
to search...@googlegroups.com
pls post your complete sg_*.yml files as well as elasticsearch.yml and kibana.yml.
Which version of the kibana plugin do you have installed?

Luis Jeremias

Apr 23, 2018, 4:57:05 AM
to Search Guard Community Forum
Hi,

I attach the complete files.

Thanks for your time and help!
yml_files.zip

Pablo Perza

Apr 23, 2018, 6:55:32 AM
to Search Guard Community Forum
Hi,

Not sure why you add users userx1 and userx2 to your rolex1 Search Guard role in sg_roles_mappings.yml. I think it is not necessary as you are including the kibanauser backend role and assigning that backend role to your users. Anyway, user1 and user2 have the kibanauser backend role so they should have the permissions of the sg_kibana_user + rolex1 Search Guard roles, that is:

sg_kibana_user:
  readonly: true
  cluster:
    - MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*


rolex1:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "MONITOR"
  - "indices:data/read/search*"
  indices:
    sg6-auditlog-2018?04?17:
      '*':
      - "DATA_ACCESS"
      - "READ"
      - "INDEX"

I think that is not enough permissions to access _searchguard/_mapping

Jochen Kressin

Apr 23, 2018, 2:53:31 PM
to Search Guard Community Forum
First question is - do you start with an empty .kibana index, or do you already have some contents in it? If you already have contents in it, could you please post it here?

You write:
"When I log into Kibana with any of the users, I get the error:
Discover: no permissions for [indices:data/read/search] and User [name=userx1, roles=[kibanauser], requestedTenant=null]"

When this error occurs, you should also see a corresponding message in the Elasticsearch log files, with some more information in which index the security exception happened. Can you please post this log entry? Should look something like:

[2018-04-23T11:50:41,509][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=userx1, roles=[kibanauser], requestedTenant=null] [IndexType [index=sg6-auditlog-2018.04.23, type=*]] [Action [[indices:data/read/search]]] [RolesChecked [rolex1, sg_kibana_user, sg_own_index]]
[2018-04-23T11:50:41,509][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for {sg_own_index=[IndexType [index=sg6-auditlog-2018.04.23, type=*]], rolex1=[IndexType [index=sg6-auditlog-2018.04.23, type=*]], sg_kibana_user=[IndexType [index=sg6-auditlog-2018.04.23, type=*]]}



I have tested it here with your configuration, and everything works fine. I just had to change the date in the index name in the role definition to today's date:

rolex1:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "MONITOR"
  indices:
    sg6-auditlog-2018?04?24:
      '*':
      - "DATA_ACCESS"
      - "READ"
      - "INDEX"




Then I'm confused about this curl:


"_searchguard" is not an index, but the prefix for the SG endpoints like "authinfo". What did you try to achieve by requesting the _mapping here? 

I'm also surprised that when doing this curl you get back a security_exception. You should rather see an invalid_index_name_exception. Did you by chance create an index called _searchguard?
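Added example, not part of the original thread or of Search Guard's own code: a small Python check that parses the PrivilegesEvaluator log line quoted above and reports, for each role checked, which index patterns from the posted sg_roles.yml excerpts match the requested index. It assumes the patterns use only `*` and `?` wildcards; action groups such as READ are listed but not expanded, because sg_action_groups.yml is not shown in the thread.

```python
import re

# Index permissions copied from the sg_roles.yml excerpts in this thread.
ROLES = {
    "rolex1": {"sg6-auditlog-2018?04?17": ["DATA_ACCESS", "READ", "INDEX"]},
    "sg_kibana_user": {
        "?kibana": ["MANAGE", "INDEX", "READ", "DELETE"],
        "*": ["indices:data/read/field_caps*"],
    },
}

# First PrivilegesEvaluator line quoted in the reply above.
SAMPLE_LOG = (
    "[2018-04-23T11:50:41,509][INFO ][c.f.s.c.PrivilegesEvaluator] "
    "No index-level perm match for User [name=userx1, roles=[kibanauser], "
    "requestedTenant=null] [IndexType [index=sg6-auditlog-2018.04.23, type=*]] "
    "[Action [[indices:data/read/search]]] "
    "[RolesChecked [rolex1, sg_kibana_user, sg_own_index]]"
)

LOG_RE = re.compile(
    r"No index-level perm match for User \[name=[^,]+,.*?"
    r"\[IndexType \[index=(?P<index>[^,]+), type=[^\]]*\]\] "
    r"\[Action \[\[(?P<action>[^\]]+)\]\]\] "
    r"\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def wildcard(pattern, text):
    """Assumed semantics: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None

def explain(log_line, roles=ROLES):
    """Map each checked role to (matching index patterns, action covered by a
    literal permission?, action groups left unexpanded); None if undefined."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not a 'No index-level perm match' line")
    report = {}
    for role in m["roles"].split(", "):
        if role not in roles:
            report[role] = None
            continue
        hits = [p for p in roles[role] if wildcard(p, m["index"])]
        perms = [x for p in hits for x in roles[role][p]]
        covered = any(wildcard(x, m["action"]) for x in perms if ":" in x)
        report[role] = (hits, covered, [x for x in perms if ":" not in x])
    return report
```

For the quoted line, `explain(SAMPLE_LOG)` shows no rolex1 pattern matching `sg6-auditlog-2018.04.23`, while the `*` pattern of sg_kibana_user matches but only carries `indices:data/read/field_caps*`, which does not cover `indices:data/read/search`.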

Luis Jeremias

Apr 30, 2018, 12:46:17 PM
to Search Guard Community Forum
Hi Jochen,

Thank you for your answer, and forgive my delay in replying to you.

I attach the contents of the .kibana index. 

The confusing curl is something that I came across on the web, but probably took it out of context. I never created a "_searchguard" index.

Right now, I can see only the "sg6-auditlog-2018.04.17" data, which is what I wanted.

But all the other indexes are listed, which causes the error on Kibana as soon as I click the "Discover" tab.
Discover: no permissions for [indices:data/read/search] and User [name=userx1, roles=[kibanauser], requestedTenant=null]

Is there any way to filter the index patterns available, according to the logged user?
kibana_contents.json

Jochen Kressin

May 3, 2018, 10:49:13 AM
to Search Guard Community Forum
Ah, now I understand what you mean :) Filtering indices in Kibana where the user has no access permissions for is currently in development. We hope we can ship it within this month. Until then, unfortunately, there is no workaround for this.