Shield 2.4.0 roles.yml - Missing Roles?

mick66 · October 18, 2016, 11:09am

I have just upgraded my cluster to 2.4.0 including Shield and the installation created a new copy of the roles.yml file that looks different to the old one in both format and content.

Here is the compete file with out any modifications:

# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - all

# Read-only operations on indices
user:
  indices:
    - names: '*'
      privileges:
        - read

# Defines the required permissions for transport clients
transport_client:
  cluster:
      - transport_client

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
      - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

# The required role for logstash users
logstash:
  cluster:
    - manage_index_templates
  indices:
    - names: 'logstash-*'
      privileges:
        - write
        - read
        - create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    - names: '.marvel-es-*'
      privileges: [ "read" ]
    - names: '.kibana'
      privileges:
        - view_index_metadata
        - read

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: [ "manage_index_templates" ]
  indices:
    - names: '.marvel-es-*'
      privileges: [ "all" ]

In the Shield 2.2.0 version there was a role named kibana4 that is missing from the 2.4.0 file:

# The required permissions for kibana 4 users.
kibana4:
  cluster: 
      - cluster:monitor/nodes/info
      - cluster:monitor/health 
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

Could someone confirm if this is an oversight and the kibana4 role should be present in the 2.4.0 file and if so does it need to be converted to the new format?

jaymode · October 18, 2016, 11:53am

Hi Mick,

You are correct, the new file from 2.4 no longer has the kibana4 role by default and this intentional. The default role grants users access to all indices, which may not always be desired, so we have moved the details of how to define the role to the documentation https://www.elastic.co/guide/en/shield/current/kibana.html#kibana4-user-role

Also, the release notes section contains a changes list for the roles file https://www.elastic.co/guide/en/shield/current/release-notes.html#update-roles

mick66 · October 18, 2016, 12:57pm

Hi Jay

Thanks for the quick response. I have updated my roles.yml file based on the docs you linked me to and something is still not right.

I have created the following role:

tss_user:
  cluster:
      - monitor
  indices:
    - names: 'tss-*'
      privileges:
        - view_index_metadata
        - read
    - names: '.kibana*'
      privileges:
        - manage
        - read
        - index

I have granted the role to a user called demo in the users file:

tss_user:demo

The changes are accepted as correct:

[2016-10-18 13:50:26,008][INFO ][shield.authz.store ] [servername] updated roles (roles file [/etc/elasticsearch/shield/roles.yml] changed)

But when I log onto to kibana using the demo user, I get the following error:

RemoteTransportException[[servername][10.1.1.1:9300][indices:data/read/mget[shard][s]]]; nested: ElasticsearchSecurityException[action [indices:data/read/mget[shard][s]] is unauthorized for user [demo]];
Caused by: ElasticsearchSecurityException[action [indices:data/read/mget[shard][s]] is unauthorized for user [demo]]

It seems as though I am still missing some permissions.