No permission (agent:read) required error


sau sau

Oct 10, 2023, 1:17:05 AM
to Wazuh | Mailing List
Dear team,

I am getting this error while trying to access the agent preview tab.
agent_preview.png


But I am able to see agent overview and agent's security events for tenant np001_cit that my user is logged in as.
able_to_see_overview.png
able_to_see_event_alerts.png


My current policy applied for this tenant is:
Screenshot from 2023-10-10 10-57-47.png

My current rule mapping is as follows.

Screenshot from 2023-10-10 10-59-37.png

elw...@wazuh.com

Oct 10, 2023, 5:30:20 AM
to Wazuh | Mailing List
Hello Usha,

This behavior occurs when the user lacks permissions at the level of the Wazuh API. I am sharing below a step-by-step guide and a similar use case:

I hope it helps.

Regards,
Wali

sau sau

Oct 10, 2023, 5:50:34 AM
to Wazuh | Mailing List
Hello Wali,

Thank you for the response.
In my environment, I am not creating internal users. I am using OpenID Keycloak with Kibana. Hence, I thought of mapping the rule on the basis of backend_role. So, doesn't that mean that any user logging in to Kibana whose backend_role is set to np001_cit (in my case) should be given np001_cit_role? This np001_cit_role is assigned np001_cit_policy, which gives agent:read (along with other permissions) on all agents that belong to group np001_cit.
Doesn't this logic work? I think I am missing out on something here.

elw...@wazuh.com

Oct 11, 2023, 3:42:36 AM
to Wazuh | Mailing List

Hello Usha,

The workflow described is the correct one. Can you please share the following:

  • Backend roles that are fetched by the user. You can click on the user icon (top-right); you will get something similar to below:
    image
  • Share the Wazuh indexer log file: /var/log/wazuh-indexer/wazuh-cluster.log

  • The Wazuh API logs: /var/ossec/logs/api.log

  • The configuration file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
Regards,
Wali

sau sau

Oct 11, 2023, 6:02:41 AM
to Wazuh | Mailing List
Hello Wali,

Thank you again for your response.


  • Backend roles that are fetched by the user

Here are the backend roles that are fetched by the user.


backend_roles.png

  • Share the Wazuh indexer logs files : /var/log/wazuh-indexer/wazuh-cluster.log
I am using Open Distro for Elasticsearch.

  • The Wazuh API logs: /var/ossec/logs/api.log

2023/10/11 09:58:49 INFO: wazuh 172.18.0.5 "POST /security/user/authenticate/run_as" done in 252.9999999969732ms: 200
2023/10/11 09:58:49 INFO: wazuh 172.18.0.5 "GET /security/user/authenticate" done in 239.00000000139698ms: 200
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /manager/info" done in 81.00000000558794ms: 200
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /security/users/me/policies" done in 51.99999999604188ms: 200
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /agents/summary/status" done in 89.00000000721775ms: 200
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /agents/summary/status" done in 52.999999999883585ms: 200
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /agents" done in 58.0000000045402ms: 200
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /cluster/status" done in 36.999999996623956ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents/summary/status" done in 32.99999999580905ms: 200
2023/10/11 09:58:54 INFO: unknown_user 172.18.0.5 "GET " done in 2.0000000076834112ms: 308
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /" done in 28.99999999499414ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents/000/config/auth/auth" done in 32.99999999580905ms: 403
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /security/user/authenticate" done in 181.0000000114087ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /manager/info" done in 33.999999999650754ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents" done in 34.999999988940544ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /cluster/status" done in 35.99999999278225ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents/000/config/request/remote" done in 31.000000002677552ms: 403
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /security/user/authenticate" done in 186.0000000015134ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /manager/info" done in 33.000000010360964ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents" done in 33.999999999650754ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /cluster/status" done in 38.00000000046566ms: 200
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /groups" done in 25.99999999802094ms: 200

  • The configuration file wazuh.yml

hosts:
  - default:
     url: https://wazuh
     port: 55000
     username: wazuh
     password: wazuh
     run_as: true
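
One way to pull the denied requests out of the api.log excerpt in the message above, as an added example that is not part of the thread or of Wazuh's own tooling. The line layout is inferred from the lines shown in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the api.log excerpt posted above (a subset, unmodified).
SAMPLE = """\
2023/10/11 09:58:50 INFO: wazuh 172.18.0.5 "GET /agents" done in 58.0000000045402ms: 200
2023/10/11 09:58:54 INFO: unknown_user 172.18.0.5 "GET " done in 2.0000000076834112ms: 308
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents/000/config/auth/auth" done in 32.99999999580905ms: 403
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /agents/000/config/request/remote" done in 31.000000002677552ms: 403
2023/10/11 09:58:54 INFO: wazuh 172.18.0.5 "GET /groups" done in 25.99999999802094ms: 200
"""

# Layout inferred from the excerpt: timestamp, level, user, source IP, request, duration, status.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+): '
    r'(?P<user>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^"]*)" '
    r'done in (?P<ms>[\d.]+)ms: (?P<status>\d{3})$'
)
AGENT_RE = re.compile(r"^/agents/(\d+)(?:/|$)")


def parse(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def denied_by_agent(entries):
    """Group 403 responses by (API user, agent ID); agent ID is None for non-agent paths."""
    denied = defaultdict(list)
    for e in entries:
        if e["status"] == 403:
            m = AGENT_RE.match(e["path"])
            denied[(e["user"], m.group(1) if m else None)].append(e["path"])
    return dict(denied)


if __name__ == "__main__":
    for (user, agent), paths in denied_by_agent(parse(SAMPLE)).items():
        print(f"user={user} agent={agent} denied={len(paths)}")
        for p in paths:
            print("  ", p)
```

Grouping by agent ID shows which resource the 403 responses concern, so it can be compared with the resources listed in the policy.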

sau sau

Oct 14, 2023, 10:51:57 PM
to Wazuh | Mailing List

Dear Team,

I hope you're doing well. I wanted to follow up on the question I asked earlier. Is there any update or progress regarding my inquiry? Your assistance is greatly appreciated, and I'm looking forward to resolving this matter.

Thank you for your help.

elw...@wazuh.com

Oct 16, 2023, 8:51:51 AM
to Wazuh | Mailing List
Hello Usha,

Can you please upload the full log files (in the case of OpenSearch you should have them under /var/log/opensearch/<cluster-name>.log) to review the whole content when this behavior occurs?

Regards,
Wali