A custom role which contains all privileges is not updated after changing to a read-only role

Please help: a custom role which contains all privileges is not updated after being changed to a read-only role.

Steps to reproduce:

  1. First, create a custom role which contains all privileges
    curl -X PUT http://server:9200/_security/role/CUSTOM_ROLE -H 'Content-Type: application/json' -d'
    {
      "cluster" : [
        "monitor",
        "manage_index_templates",
        "cluster:admin/xpack/monitoring/bulk",
        "manage_saml",
        "manage_token",
        "manage_oidc",
        "cluster:admin/xpack/security/api_key/invalidate",
        "grant_api_key",
        "cluster:admin/xpack/security/privilege/builtin/get",
        "delegate_pki",
        "cluster:admin/ilm/get",
        "cluster:admin/ilm/put",
        "manage_ml",
        "cluster:admin/analyze"
      ],
      "indices" : [
        {
          "names" : [ ".kibana*", ".reporting-*" ],
          "privileges" : [ "all" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".monitoring-*" ],
          "privileges" : [ "read", "read_cross_cluster" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".management-beats" ],
          "privileges" : [ "create_index", "read", "write" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".ml-anomalies*", ".ml-notifications*", ".ml-stats-*" ],
          "privileges" : [ "read" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".ml-annotations*" ],
          "privileges" : [ "read", "write" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".apm-agent-configuration" ],
          "privileges" : [ "all" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".apm-custom-link" ],
          "privileges" : [ "all" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ "apm-*" ],
          "privileges" : [ "read", "read_cross_cluster" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ "*" ],
          "privileges" : [ "view_index_metadata", "monitor" ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [ ".logs-endpoint.diagnostic.collection-*" ],
          "privileges" : [ "read" ],
          "allow_restricted_indices" : false
        }
      ],
      "applications" : [
        {
          "application" : "kibana-.kibana",
          "privileges" : [
            "feature_discover.all",
            "feature_dashboard.all",
            "feature_canvas.all",
            "feature_maps.all",
            "feature_ml.all",
            "feature_graph.all",
            "feature_visualize.all"
          ],
          "resources" : [ "space:default" ]
        }
      ],
      "run_as" : [ "_anonymous" ],
      "metadata" : { },
      "transient_metadata" : { "enabled" : true }
    }
    '

  2. Assign this role to the anonymous user in the elasticsearch.yml file
  • xpack.security.authc.anonymous.roles: CUSTOM_ROLE
  3. Restart Elasticsearch
  4. Log into Kibana to verify that all features are displayed.
  5. Now update this role to a read-only role
    # the "cluster", "names" and "except" values were lost from the pasted command; [ ] and [ "*" ] are assumed here
    curl -X PUT http://server:9200/_security/role/CUSTOM_ROLE -H 'Content-Type: application/json' -d'
    {
      "cluster" : [ ],
      "indices" : [
        {
          "names" : [ "*" ],
          "privileges" : [ "view_index_metadata", "read" ],
          "field_security" : {
            "grant" : [ "*" ],
            "except" : [ ]
          },
          "allow_restricted_indices" : false
        }
      ],
      "applications" : [
        {
          "application" : "kibana-.kibana",
          "privileges" : [
            "feature_discover.all",
            "feature_dashboard.all",
            "feature_canvas.all",
            "feature_maps.all",
            "feature_ml.all",
            "feature_graph.all",
            "feature_visualize.all"
          ],
          "resources" : [ "space:default" ]
        }
      ],
      "run_as" : [ "anonymous" ],
      "metadata" : { },
      "transient_metadata" : { "enabled" : true }
    }
    '
  6. Restart Elasticsearch
  7. Log back into Kibana to verify that ONLY the read-only Kibana features are displayed (NO Stack Management feature)

*** Actual Results: ALL features of Kibana are displayed. The read-only role does not seem to have been picked up.

What do you mean by "login" to Kibana?
Do you have a login page on Kibana in which you enter credentials, or do you just mean "start a new session" ?

Hi Tim,
Thanks so much for response.

I mean logging in to Kibana as the anonymous user. There is no login page, since xpack.security.enabled is set to false in the kibana.yml file. That is the purpose of the requirement. Thanks again.

This tells Kibana that you don't want security. So ...

If you tell Kibana to disable security, then it really does, and the UI will not reflect the user's privileges because you have asked Kibana to disable all access checks.

If you want anonymous access in Kibana, then you need to use Kibana's anonymous access feature instead. That requires 7.11 or higher.

Thanks so much for your help, Tim.

Per your advice, I tried to use Kibana's anonymous access by setting the following in the kibana.yml file, but I get the error {"reason":"action [cluster:monitor/xpack/info] is unauthorized for user [anonymous]"},"status":403}. Please help. Thanks again.

    xpack.security.authc.providers:
    anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"

You need to provide more information.

Where did you see that error?
What were you trying to do?
What other messages are in the logs?

It is almost impossible for anyone to help you based purely on a single error message with zero context.

Hi Tim,

Sorry for the late reply. Many thanks for your response.

  1. Where did you see that error?
  • It is returned in the output file 'kibana.out'.
  2. What were you trying to do?
  • My task is to allow the anonymous user to log in to Kibana (no login page) and to display ONLY Kibana's Analytics features (no Stack Management).
  3. What other messages are in the logs?
  • {"type":"log","@timestamp":"2021-03-10T19:54:10-08:00","tags":["warning","plugins","licensing"],"pid":25096,"message":"License information could not be obtained from Elasticsearch due to [security_exception] action [cluster:monitor/xpack/info] is unauthorized for user [anonymous] :: {"path":"/_xpack?accept_enterprise=true","statusCode":403,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:monitor/xpack/info] is unauthorized for user [anonymous]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:monitor/xpack/info] is unauthorized for user [anonymous]\"},\"status\":403}"} error"}

/* Here are steps to reproduce */

  1. Create a new read-only custom role 'CUSTOM_ROLE'.

# the "cluster", "names" and "except" values were lost from the pasted command; [ ] and [ "*" ] are assumed here
curl -X PUT http://server:9200/_security/role/CUSTOM_ROLE -H 'Content-Type: application/json' -d'
{
  "cluster" : [ ],
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "view_index_metadata", "read" ],
      "field_security" : {
        "grant" : [ "*" ],
        "except" : [ ]
      },
      "allow_restricted_indices" : false
    }
  ],
  "applications" : [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "feature_discover.all",
        "feature_dashboard.all",
        "feature_canvas.all",
        "feature_maps.all",
        "feature_ml.all",
        "feature_graph.all",
        "feature_visualize.all"
      ],
      "resources" : [ "space:default" ]
    }
  ],
  "run_as" : [ "anonymous" ],
  "metadata" : { },
  "transient_metadata" : { "enabled" : true }
}
'

  2. Configure elasticsearch.yml: assign this role to the anonymous user

    xpack.security.authc.anonymous.username: anonymous
    xpack.security.authc.anonymous.roles: CUSTOM_ROLE
    xpack.security.enabled: true

  3. Configure kibana.yml:
  • Turn off security: xpack.security.enabled: false
  • Add the lines below
    xpack.security.authc.providers:
    anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"

/*** Actual Results: I got the following error: {"type":"log","@timestamp":"2021-03-10T19:54:10-08:00","tags":["warning","plugins","licensing"],"pid":25096,"message":"License information could not be obtained from Elasticsearch due to [security_exception] action [cluster:monitor/xpack/info] is unauthorized for user [anonymous] :: {"path":"/_xpack?accept_enterprise=true","statusCode":403,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:monitor/xpack/info] is unauthorized for user [anonymous]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:monitor/xpack/info] is unauthorized for user [anonymous]\"},\"status\":403}"} error"}

/*** Then I tried modifying my CUSTOM_ROLE to the full privileges shown above and assigning it to the anonymous user. I am able to log in to Kibana as the anonymous user without the '403' error.
After that, I converted CUSTOM_ROLE to the read-only role from step #1 above. However, the Stack Management feature is still displayed in Kibana.

  • Now the Kibana output file returns '{"type":"log","@timestamp":"2021-03-26T13:51:49-07:00","tags":["warning","plugins","monitoring","monitoring","kibana-monitoring"],"pid":27101,"message":"Error: [security_exception] action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [_anonymous]\n at respond (/elastic/apps/monitoring/kibana/kibana-7.11.1-linux-x86_64/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/elastic/apps/monitoring/kibana/kibana-7.11.1-linux-x86_64/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector. (/elastic/apps/monitoring/kibana/kibana-7.11.1-linux-x86_64/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/elastic/apps/monitoring/kibana/kibana-7.11.1-linux-x86_64/node_modules/lodash/lodash.js:4949:19)\n at IncomingMessage.emit (events.js:327:22)\n at endReadableNT (internal/streams/readable.js:1327:12)\n at processTicksAndRejections (internal/process/task_queues.js:80:21)"}
    {"type":"log","@timestamp":"2021-03-26T13:51:49-07:00","tags":["warning","plugins","monitoring","monitoring","kibana-monitoring"],"pid":27101,"message":"Unable to bulk upload the stats payload to the local cluster"}'

/*** As you can see, the '403' error is no longer returned, but the error "Error: [security_exception] action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [_anonymous]\n" is still returned. The read-only role does not seem to be picked up. My goal is to have only the Analytics features displayed in Kibana.

/*** I am not sure that I am heading in the right direction. Please help. Many thanks in advance for your help and time. ***/
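An added example, not part of the thread: a small POSIX shell snippet that pulls every Elasticsearch security_exception out of Kibana's JSON log output, so the missing privilege and the identity Kibana used can be read off directly rather than picked out of the escaped JSON above. The three log lines are constructed from the messages quoted in this thread (paths shortened); the third is a non-error line included to show that it is ignored. The licensing and monitoring plugins call Elasticsearch on Kibana's own behalf, so the user named in those entries is the identity Kibana itself is sending, not the browser user.

```shell
#!/bin/sh
# Added example (not from the original posts). Input: Kibana JSON log lines,
# constructed here from the messages quoted in the thread.
KIBANA_LOG='{"type":"log","@timestamp":"2021-03-10T19:54:10-08:00","tags":["warning","plugins","licensing"],"pid":25096,"message":"License information could not be obtained from Elasticsearch due to [security_exception] action [cluster:monitor/xpack/info] is unauthorized for user [anonymous] :: {\"path\":\"/_xpack?accept_enterprise=true\",\"statusCode\":403}"}
{"type":"log","@timestamp":"2021-03-26T13:51:49-07:00","tags":["warning","plugins","monitoring","monitoring","kibana-monitoring"],"pid":27101,"message":"Error: [security_exception] action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [_anonymous]\n at respond (.../node_modules/elasticsearch/src/lib/transport.js:349:15)"}
{"type":"log","@timestamp":"2021-03-26T13:51:49-07:00","tags":["warning","plugins","monitoring","monitoring","kibana-monitoring"],"pid":27101,"message":"Unable to bulk upload the stats payload to the local cluster"}'

# unauthorized_actions: one "<action> <user>" line per distinct failure.
# The action name is what the role definition must grant (a cluster privilege
# or a raw action string such as cluster:admin/xpack/monitoring/bulk).
unauthorized_actions() {
    printf '%s\n' "$KIBANA_LOG" \
    | grep -o 'action \[[^]]*\] is unauthorized for user \[[^]]*\]' \
    | sed 's/^action \[\([^]]*\)\] is unauthorized for user \[\([^]]*\)\]$/\1 \2/' \
    | sort -u
}

# plugin_failures: "<plugin> <user> <action>" per failing entry, where the plugin
# is the element that follows "plugins" in the "tags" array. Entries from the
# licensing or monitoring plugin show the identity Kibana uses for its own
# requests; if that is the Elasticsearch anonymous user, Kibana is not sending
# its own (elasticsearch.username) credentials.
plugin_failures() {
    printf '%s\n' "$KIBANA_LOG" \
    | grep 'is unauthorized for user' \
    | sed -n 's/.*"tags":\["[^"]*","plugins","\([^"]*\)".*action \[\([^]]*\)\] is unauthorized for user \[\([^]]*\)\].*/\1 \3 \2/p'
}

unauthorized_actions
# → cluster:admin/xpack/monitoring/bulk _anonymous
#   cluster:monitor/xpack/info anonymous
plugin_failures
# → licensing anonymous cluster:monitor/xpack/info
#   monitoring _anonymous cluster:admin/xpack/monitoring/bulk
```

Feed a real kibana.out in by replacing the KIBANA_LOG assignment with `KIBANA_LOG=$(cat kibana.out)`; the patterns only depend on the fixed "action [...] is unauthorized for user [...]" wording of the Elasticsearch security_exception.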

Don't do that.
You are running with security enabled in Elasticsearch, you need Kibana to have security as well.

You need to configure Elasticsearch & Kibana to have security, and then enable anonymous access in Kibana.

Thanks so much for your help, Tim.

Hi Tim,

Sorry to bother you again.

Your quote: "You need to configure Elasticsearch & Kibana to have security, and then enable anonymous access in Kibana."

May I ask whether you mean I need to set 'xpack.security.enabled: true' in both elasticsearch.yml and kibana.yml, and enable anonymous access in Kibana by setting the following in kibana.yml?

    xpack.security.authc.providers:
    anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"

Thanks again for your help.

Yes, but more explicitly you should:

  1. Follow the instructions for enabling security on the stack
  2. After that is working, enable Kibana anonymous access

You cannot jump straight to step 2, you need to do them in that order.
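The two files in the order Tim describes, as an added illustration that is not from the original posts. The role name, provider name and the `elasticsearch_anonymous_user` credentials value come from the thread; the anonymous username, the password placeholder and the optional basic provider are assumptions. The first fragment is the kibana.yml setting the thread started with, kept only to show the contrast.

```yaml
# --- kibana.yml as the thread started (the setting to remove) ---
# With Kibana's own security off, Kibana performs no access checks, so every
# feature is shown no matter what the Elasticsearch role grants.
xpack.security.enabled: false

# --- Step 1: elasticsearch.yml, security on, anonymous requests mapped to the role ---
xpack.security.enabled: true
xpack.security.authc.anonymous.username: anonymous_user   # assumed name
xpack.security.authc.anonymous.roles: CUSTOM_ROLE

# --- Step 2: kibana.yml (7.11 or higher), security on, Kibana's own service
#     credentials, then the anonymous provider. The provider block must be
#     nested under xpack.security.authc.providers; left at the top level,
#     "providers" is null and Kibana fails config validation at startup.
elasticsearch.username: "kibana_system"
elasticsearch.password: "<kibana_system password>"        # placeholder
xpack.security.enabled: true
xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"
  basic.basic1:            # optional, assumed: keeps a login page for administrators
    order: 1
```

With this layout Kibana still connects to Elasticsearch as kibana_system for its own licensing and monitoring calls, while browser sessions run under the Elasticsearch anonymous user and see only what CUSTOM_ROLE grants.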

Thanks Tim. I will give it a try.

Hi Tim,

Sorry to bother you again.

I followed the instructions and configured as follows:

  1. Update the elasticsearch.yml file as below
    • xpack.security.enabled: true
    • xpack.security.authc.anonymous.username: _anonymous
    • xpack.security.authc.anonymous.roles: CUSTOM_ROLE

  2. Update the kibana.yml file as below
    • elasticsearch.username: "kibana_sytem"
    • elasticsearch.password: "xxxxxxxxx"
    • xpack.security.enabled: true
    • xpack.security.authc.providers:
    anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"

/*** I get the error below in the kibana.out file. Please advise. Many thanks again for your help.

FATAL Error: [config validation of [xpack.security].authc.providers]: types that failed validation:
- [config validation of [xpack.security].authc.providers.0]: expected value of type [array] but got [null]
- [config validation of [xpack.security].authc.providers.1]: expected a plain object value, but found [null] instead.

Hi Tim,

Please ignore my previous question. I figured it out. Thanks for your help, as always.