Not able to curl the index with username and its defined role


Sahil Modgill

Apr 23, 2018, 12:46:30 AM
to Search Guard Community Forum
Greetings everyone,

We are facing the below issues while configuring Search Guard.

Environment details:

OS: Ubuntu 14.04
Java: 1.8
ES: 5.6.8
Search Guard: 5-5.6.8-19
Cerebro: 0.7.3

Use-case:

Indexes : client1 & client2

Users: user1/2/3/4 and admin

We want to assign the below permissions:

user1 can have access only to the client1 index (both read/write)
user2 can have access only to the client2 index (both read/write)
user3 can have access only to the client1 index (only read)
user4 can have access only to the client2 index (only read)
admin user can have access to both the indexes (both read/write)

Below are the entries we have made:

file: sg_internal_users.yml

user1:
 hash: $2a$12$i9OlhTub5HYc3sgUJD24QeEQPXPCr1CHz8EGB4KEHKZdaq4fWE8iW
 #password is: demo1
 roles:
   - sg_client1_read
   - sg_client1_write
  
user2:
  hash: $2a$12$Hrzo.FfsyXx6KxhqLZhlPeB62rKlTeBorWnzJCzp7c5HjeLTq07Yy
  #password is: demo2
  roles:
    - sg_client2_read
    - sg_client2_write
  
user3:
  hash: $2a$12$3Sg2KO3FyWVU/KZQ8oSVS.B10J2It0ffWFTMgUQ/Y0OsWN8BWueiq
  #password is: demo3
  roles:
   - sg_client1_read

user4:
  hash: $2a$12$3Sg2KO3FyWVU/KZQ8oSVS.B10J2It0ffWFTMgUQ/Y0OsWN8BWueiq
  #password is: demo4
  roles:
   - sg_client2_read

admin:
  hash: $2a$12$3Sg2KO3FyWVU/KZQ8oSVS.B10J2It0ffWFTMgUQ/Y0OsWN8BWueiq
  #password is: admin
  roles:
   - sg_client1_read
   - sg_client1_write
   - sg_client2_read
   - sg_client2_write

###########################

file: sg_roles.yml

# Read/Monitor/CRUD on all the indices and cluster wide
sg_our_admin:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      - CRUD

#Read client1 indices only
sg_client1_read:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client1:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - RO

#Read client2 indices only
sg_client2_read:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client2:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - RO

#Write client1 indices only
sg_client1_write:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client1:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - WRITE

#Write client2 indices only
sg_client2_write:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
    - INDICES_MONITOR
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    client2:
      '*':
        - INDICES_MONITOR
        - INDICES_ALL
        - WRITE

#############################

file: sg_roles_mapping.yml

# Role Mappings

sg_our_admin:
  users:
    - admin

sg_client1_read:
  users:
    - user1
    - user3

sg_client2_read:
  users:
    - user2
    - user4

sg_client1_write:
  users:
    - user1

sg_client2_write:
  users:
    - user2


We reload the Search Guard config using the sgadmin.sh script and it loads all the roles and mappings successfully. But the moment we try to curl the specific index with the respective username and password, we get an error:

type":"security_exception","reason":"no permissions for [indices:monitor/stats]

Though we have provided the roles related to monitor (CLUSTER_MONITOR and INDICES_MONITOR), we are not clear how to achieve this.

Can someone illuminate us on this and enlighten us if we are approaching it in the wrong manner?

We have a couple of doubts:

* Is there a convention to assign roles with 'sg_' as prefix or can we go by any name?
* What is tenant for and what is its role?

Thank you in advance!

SG

Apr 23, 2018, 4:03:02 AM
to search...@googlegroups.com
Can you pls attach all of your sg_*.yml files (as files) and post the curl command you are executing along with the full response

Your questions:
> * Is there a convention to assign roles with 'sg_' as prefix or we can go by any name?

can be any name

> * What is tenant for and what is its role?


Tenants are a Kibana-specific thing; I think you can just ignore them at the moment.
see https://docs.search-guard.com/latest/kibana-multi-tenancy#kibana-multitenancy

Sahil Modgill

Apr 23, 2018, 6:52:36 AM
to Search Guard Community Forum


On Monday, April 23, 2018 at 1:33:02 PM UTC+5:30, Search Guard wrote:
Can you pls attach all of your sg_*.yml files (as files) and post the curl command you are executing along with the full response


Files attached to this message.

Snapshot:
$ curl -k -u user1:demo1 https://master3:9200/_cat/indices?v

As per the roles we have assigned, user1 should have access (read/write) to the client1 index, but we are getting the below error:

 

Please review and highlight our mistakes if we are making any.

Thanks for your patience and concern!
sg_internal_users.yml
sg_roles.yml
sg_roles_mapping.yml

SG

Apr 23, 2018, 9:31:02 AM
to search...@googlegroups.com
You forgot to add sg_config.yml as well as sg_action_groups.yml. We need them to help you.

> On 23.04.2018 at 12:52, Sahil Modgill <modgi...@gmail.com> wrote:
>
>
>
> On Monday, April 23, 2018 at 1:33:02 PM UTC+5:30, Search Guard wrote:
> Can you pls attach all of your sg_*.yml files (as files) and post the curl command you are executing along with the full response
>
>
>

Sahil Modgill

Apr 24, 2018, 12:26:48 AM
to Search Guard Community Forum
Greetings Search Guard,

My apologies for missing out those files. The reason for not sharing them is that we haven't modified or made any changes in those files. Do we need to? I might sound weird, but we didn't find anything which needs to be changed as relevant to our requirement. This is purely my understanding and I could be wrong on this. Please illuminate me on this.
And, for your reference, I have added the respective files.
Thanks!
sg_action_groups.yml
sg_config.yml

Sahil Modgill

Apr 25, 2018, 1:33:15 AM
to Search Guard Community Forum
Greetings Search Guard,

Have you had time to look into the configs which I have shared? Please let us know.

Thank you for your time and concern!

Jochen Kressin

Apr 25, 2018, 2:05:48 AM
to Search Guard Community Forum
Just to make 100% sure - Kibana is not involved here, right?

Next, can you please try to access this endpoint with your user1 / demo1 and post the output here:

https://<hostname>:9200/_searchguard/authinfo

Among other information this will print out all SG roles assigned to user1, so we can be 100% sure what roles the user has.

Next, when you execute the failing curl command, can you please look at the Elasticsearch logs. You should find something like:

No index-level perm match for ...

Or:

No cluster-level perm match for ...

This will shed some light on what actual permission is missing, and on what level.

Thanks!
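
One way to act on the two checks requested in the post above, as an added example that is not part of the original thread or Search Guard's own code: it diffs the roles reported by _searchguard/authinfo against the sg_roles_mapping.yml posted earlier and pulls the two denial messages out of a log. The user_name and sg_roles response keys are assumed, and both sample inputs are constructed for illustration.

```python
import json
import re

# SG role -> users, as posted in sg_roles_mapping.yml earlier in this thread.
ROLES_MAPPING = {
    "sg_our_admin": ["admin"],
    "sg_client1_read": ["user1", "user3"],
    "sg_client2_read": ["user2", "user4"],
    "sg_client1_write": ["user1"],
    "sg_client2_write": ["user2"],
}

# The two log messages named in the post; the text after "for" is captured as-is.
DENIAL = re.compile(r"No (index|cluster)-level perm match for (.*)")


def expected_roles(user, mapping=ROLES_MAPPING):
    """Invert the mapping: the SG roles this user should end up with."""
    return {role for role, users in mapping.items() if user in users}


def compare_authinfo(authinfo_json, mapping=ROLES_MAPPING):
    """Diff the roles authinfo reports against the roles the mapping implies."""
    info = json.loads(authinfo_json)  # assumed keys: user_name, sg_roles
    user = info["user_name"]
    actual = set(info.get("sg_roles", []))
    wanted = expected_roles(user, mapping)
    return {
        "user": user,
        "missing": sorted(wanted - actual),     # mapped but not effective
        "unexpected": sorted(actual - wanted),  # effective but not mapped
    }


def perm_denials(log_text):
    """Return (level, detail) for every denial message found in the log."""
    return [m.groups() for m in map(DENIAL.search, log_text.splitlines()) if m]

# Constructed samples, not output from the poster's cluster.
SAMPLE_AUTHINFO = '{"user_name": "user1", "sg_roles": ["sg_client1_read"]}'
SAMPLE_LOG = (
    "No index-level perm match for <constructed detail A>\n"
    "No cluster-level perm match for <constructed detail B>\n"
)

if __name__ == "__main__":
    print(compare_authinfo(SAMPLE_AUTHINFO))
    print(perm_denials(SAMPLE_LOG))
```

A non-empty "missing" list means the mapping in the file has not taken effect for that user; an "unexpected" entry can also come from mappings this thread's file does not contain.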
Message has been deleted
Message has been deleted

Sahil Modgill

Apr 25, 2018, 7:43:18 AM
to Search Guard Community Forum
Hello,

I do not know why my reply has been deleted. Not once but twice.

Is this a problem I am facing, or are others also facing it? I only inserted the images (as snapshots) into my reply. But my reply has been deleted. :(

Please update me.

Thanks!

Search Guard

Apr 25, 2018, 8:23:41 AM
to Search Guard Community Forum
We do not delete messages (unless they are offending or otherwise illegal), so I think it must have been you or Google probably.

If you still have trouble you can also mail us directly, see https://github.com/floragunncom for the email address, or open an issue on GitHub.

Search Guard

Apr 25, 2018, 8:25:13 AM
to Search Guard Community Forum
Looks like your "deleted" posts were categorized as spam by Google.


On Wednesday, 25 April 2018 13:43:18 UTC+2, Sahil Modgill wrote:

Sahil Modgill

Apr 25, 2018, 8:26:39 AM
to Search Guard Community Forum
Probably Google is the culprit behind this and is considering my messages as spam.

My apologies for that!

Sahil Modgill

Apr 25, 2018, 8:29:47 AM
to Search Guard Community Forum



On Wednesday, April 25, 2018 at 11:35:48 AM UTC+5:30, Jochen Kressin wrote:
Just to make 100% sure - Kibana is not involved here, right?

No. Kibana is not involved.

Next, can you please try to access this endpoint with your user1 / demo1 and post the output here:

https://<hostname>:9200/_searchguard/authinfo

Among other information this will print out all SG roles assigned to user1, so we can be 100% sure what roles the user has.




Next, when you execute the failing curl command, can you please look at the Elasticsearch logs. You should find something like:

No index-level perm match for ...

Or:

No cluster-level perm match for ...

This will shed some light on what actual permission is missing, and on what level.


I executed the curl command but I didn't find anything closely related to the above error in the ES logs.
Can you please validate our configs and try to reproduce the use-case (simple ones like ours), and if everything works fine then we can write a small doc on the same for newbies?
Please inform us.
Thanks

Search Guard

May 7, 2018, 8:44:28 AM
to Search Guard Community Forum
Can you pls post the contents of the missing screenshots as text?
(or as links to an image hosting service)
Seems inline pics are a spam indicator for Google here.