Unable to apply a policy to indices - permissions error

Max Kalachov

Feb 7, 2022, 10:41:11 AM
to Wazuh mailing list
Hi guys,

I have a problem applying a policy that moves indices from hot to the cold state after 30 days and after 90 days deletes them. The following error appears:

[security_exception] no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]

App version: 4.1.4
App revision: 4105
Wazuh app for Kibana 7.10.0

The same policy works fine with the 4.0.3 version of Wazuh, so I guess it's something related to the newer version of the system.

What should I do to apply a policy and fix/set the proper permissions?

Thank you

Regards,
Max

John Soliani

Feb 7, 2022, 12:31:06 PM
to Wazuh mailing list
Hello Max,
  
  Thank you for using Wazuh! 
 
  The issue here is not in the ISM policy itself but in the security configurations for the user.

  Looks like you are using OpenDistro (from the versioning you described). If you are using the admin account, could you check the roles and identities assigned to the user by clicking on the "a" avatar in the upper-right section of the page and selecting "View roles and identities"? You should have these:
screen108.jpg

  If this is OK, then go to Kibana menu >> Security >> Roles and open the role all_access where you should see these configurations:
screen109.jpg

  Also, check that the user admin in Kibana menu >> Security >> Internal users section, has this configuration:
screen110.jpg

  These are the default settings for the user admin; with this, it should have full access to Wazuh, Elastic, and Kibana.

Hope this helps,
John.-

Max Kalachov

Feb 7, 2022, 1:35:33 PM
to Wazuh mailing list
Hi John,

Thanks for your reply.
User admin under Kibana menu >> Security >> Internal users doesn't have the "Backend roles - optional" section at all, in my case. 

Elastic.png


Thank you

Regards,
Max

John Soliani

Feb 8, 2022, 2:52:40 PM
to Wazuh mailing list
Hey Max,

  You must have Wazuh 4.0 or older. While you have the all_access role assigned to the user in "View roles and identities", we are good.
 
  Another important thing to keep in mind is that the ISM policy should be applied to "wazuh-*" indices; other indices like .kibana*, .opendistro*, etc. should not be included in ISM policies. Wazuh generates wazuh-alerts-*, wazuh-statistics-*, and wazuh-monitoring-*. We recommend only applying ISM/ILM policies to the wazuh-alerts-* indices, which will normally be the bigger ones and will have all the data from your environment. You can check this by going to Kibana menu >> Index Management >> Managed Indices. Also from there, you can use the filter to list the indices you want to change, select the items and then click on the "Remove Policy" button (or "Change policy" if you need to) in the upper-right corner of the page to remove the policy from those indices.
screen113.jpg
 Regards,
John.-
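
The index selection described in the reply above, as an added example that is not part of the original thread or Wazuh's own code: it builds the 30-day/90-day policy body and drops every selected index that is not wazuh-alerts-* before generating the Open Distro ISM add-policy requests. The read-only action in the cold state, the policy id and the sample index names are assumptions.

```python
import fnmatch

MANAGED_PATTERN = "wazuh-alerts-*"   # the only pattern the reply recommends managing

def build_policy(cold_after="30d", delete_after="90d"):
    """ISM policy body: hot -> cold after 30 days, deleted after 90 days."""
    def move(state, age):
        return [{"state_name": state, "conditions": {"min_index_age": age}}]
    return {"policy": {
        "description": "hot -> cold -> delete (added example)",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [], "transitions": move("cold", cold_after)},
            # Assumption: the cold state only makes the index read-only.
            {"name": "cold", "actions": [{"read_only": {}}],
             "transitions": move("delete", delete_after)},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ]}}

def split_targets(index_names):
    """Return (apply_to, skipped); skipped maps index name -> reason."""
    apply_to, skipped = [], {}
    for name in index_names:
        if name.startswith("."):
            skipped[name] = "system index (.kibana*, .opendistro*, ...)"
        elif fnmatch.fnmatchcase(name, MANAGED_PATTERN):
            apply_to.append(name)
        elif name.startswith("wazuh-"):
            skipped[name] = "Wazuh index other than wazuh-alerts-*"
        else:
            skipped[name] = "not a Wazuh index"
    return sorted(apply_to), skipped

def add_requests(apply_to, policy_id):
    """Open Distro ISM 'add policy' calls, as (method, path, body) tuples."""
    return [("POST", f"_opendistro/_ism/add/{name}", {"policy_id": policy_id})
            for name in apply_to]

# Constructed index names standing in for a selection under Managed Indices.
SAMPLE = [".kibana_1", ".opendistro_security", "wazuh-alerts-4.x-2022.01.05",
          "wazuh-monitoring-2022.5w", "wazuh-statistics-2022.5w",
          "wazuh-alerts-4.x-2022.02.07"]

if __name__ == "__main__":
    apply_to, skipped = split_targets(SAMPLE)
    for name, reason in skipped.items():
        print(f"SKIP  {name}: {reason}")
    # "wazuh-alerts-retention" is a hypothetical policy id.
    for method, path, body in add_requests(apply_to, "wazuh-alerts-retention"):
        print(method, path, body)
```
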

Max Kalachov

Feb 10, 2022, 3:25:54 PM
to Wazuh mailing list
Hi John,

Thank you for the clarification.
I think the problem was that I mistakenly included one or more indices that were not "wazuh-*".
Everything works fine now.


Thank you

Regards,
Max