Read- only access to index

dkota · March 24, 2016, 10:30pm

I want give read-only access to an index for a local user, in kibana.

Here is role assigned:

bash-4.1$ esusers list
esuser : read_all_indices

roles.yml:

Read-only operations on indices

read_all_indices:
indices:
'*':
privileges: read
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

I'm getting the below error:

Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [esuser]

shouldn't privilege: read be inclusive of data/read/mget? I have tried including that privilege as well.
I still get the same error .

What am I missing here?

LeeDr · March 24, 2016, 11:41pm

Some things around privileges have been changing. What version of Elasticsearch and Kibana are you using?

dkota · March 25, 2016, 2:32pm

Shield 2.2.0
Elasticsearch 2.2.0
Kibana 4.4.1

LeeDr · March 25, 2016, 3:22pm

Kibana never writes to the data indexes (like logstash-* for example). So I think what you want is for a readonly user (with a readonly role) to Not be allowed to create/update/delete index patterns, saved searches, visualizations, or dashboards. Those things are all in the .kibana index, so below I've ONLY changed the privileges for the .kibana index.

That way they can Read everything and run queries, even create new visualizations and dashboards (on any existing index pattern) but not save any changes.

If that's correct, in this example below I

readonly:
      cluster: 
          - cluster:monitor/nodes/info
          - cluster:monitor/health 
      indices:
        '*':
          privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
        '.kibana':
          privileges: indices:admin/exists,                            indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search

I removed these privs;

indices:admin/mapping/put,
indices:data/write/delete
indices:data/write/index
indices:data/write/update

Or did you only want the user to not be able to change the index pattern but still be able to create/modify/save Saved searches, Visualizations, and Dashboards?

Regards,
Lee

dkota · March 25, 2016, 4:40pm

Lee,

I used the privs in the example. I still get this error.

Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [esuser]

LeeDr · March 25, 2016, 5:51pm

Are you using both the Elasticsearch Shield x-plugin and the Kibana Shield plugin which gives you the login screen on Kibana?

Or are you only using the Elasticsearch Shield plugin which gives you the browser pop-up login dialog?

If you're only using the Elasticsearch Shield plugin, and you make any typos on the user or password, I believe you get that mget security exception (I know because I accidentally called my user readyonly instead of readonly).

If you know you have the correct user and password and are still getting the mget security exception I would revert back to the original user permissions and make sure it works, and then remove those 4 privileges I noted above, one at a time, log out and back in. If you're watching the Elasticsearch log when you save the roles.yml file you should see a message indicating the roles were updated;

updated roles (roles file [D:\k4.4-es2.2-final\elasticsearch-2.2.0\config\shield\roles.yml] changed)