Hmm, can you see if granting the user access to read the marvel indices .marvel_es-* resolves the issue? If a request contains indices that a user is not granted access to then the entire request will be denied.
I did that and now I no longer see the access_denied for the marvel index. Now I'm just getting:
[timestamp] [servername] [transport] [access_denied] origin_type=[rest], origin_address=#, principal=[cdfoote], action=[indices:data/read/msearch]
[timestamp] [servername] [transport] [access_denied] origin_type=[rest], origin_address=#, principal=[cdfoote], action=[indices:data/read/msearch]
[timestamp] [servername] [transport] [access_denied] origin_type=[rest], origin_address=#, principal=[cdfoote], action=[indices:data/read/msearch]
[timestamp] [servername] [transport] [access_denied] origin_type=[rest], origin_address=#, principal=[cdfoote], action=[indices:data/read/msearch], request=[MultiSearchRequest]
No indices listed.
The elasticsearch log, as opposed to the access log, is showing what I believe is proper authentication:
[timestamp][DEBUG][shield.authc.support][servername][the roles[[cdfoote_role]], are mapped from the user [ldap] for realm [uid=cdfoote,.../ldap]
[timestamp][DEBUG][shield.authc.ldap ][servername][authenticated user [cdfoote, with roles [[cdfoote_role]]
ElasticsearchSecurityException[action [indices:data/read/msearch] is unauthorized for user [cdfoote]]
Can someone confirm this for me please?
I still don't know why the authorization error occurs; I've granted cdfoote_role "indices:data/read/msearch".
The log does show the proper authentication and role mapping from what I can tell, for some reason there is something unauthorized about the request Kibana is making. Kibana supports logging everything with the logging.verbose property (https://www.elastic.co/guide/en/kibana/current/kibana-server-properties.html). With that we should be able to see the request and look at that to see why it is failing with your user.
Are you giving privileges to index aliases and using a wildcard index pattern in Kibana? After upgrading to Kibana 4.3.0, some of our users with privileges only on index aliases started to get "action [indices:data/read/msearch] is unauthorized for user ..." in Kibana.
See this issue on github: https://github.com/elastic/kibana/issues/5715
We are not using aliases.
We ended up granting search and msearch privileges on *
Having a similar issue. Logged in to Kibana with a user who has the privilege data/read/msearch, but getting the error:
Discover: [security_exception] action [indices:data/read/msearch] is unauthorized for user [my_user]
But: the error only shows up when there's no data in the selected timespan in Kibana.
my_user:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*end':
      privileges:
        - indices:admin/mappings/fields/get
        - indices:admin/validate/query
        - indices:data/read/search
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:admin/get
    '.kibana':
      privileges:
        - indices:admin/exists
        - indices:admin/mapping/put
        - indices:admin/mappings/fields/get
        - indices:admin/refresh
        - indices:admin/validate/query
        - indices:data/read/get
        - indices:data/read/mget
        - indices:data/read/search
        - indices:data/write/delete
        - indices:data/write/index
        - indices:data/write/update
I think you need to change .kibana to .kibana* as Kibana now tries to search an additional index.
But .kibana is the name of the index? This is copied from the default kibana4 role.
Anyway, didn't work.
Kibana searches an additional index, see https://github.com/elastic/kibana/issues/6302
It looks like indices:data/read/msearch is missing from the .kibana portion. Can you try adding the privilege and changing to .kibana*?
We've tried to simplify the way permissions are done, you can also use the role in the latest docs: https://www.elastic.co/guide/en/shield/current/kibana.html (see my_kibana_user)
Great, now I see. I missed trying to add both things at the same time. Thanks!
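
Added example, not part of the thread and not Shield's own code: a simplified Python model of the rule quoted at the top ("if a request contains indices that a user is not granted access to then the entire request will be denied"), applied to the role posted above before and after the suggested change. It assumes exact action names and shell-style wildcards in index patterns only; the request index names are constructed placeholders, and the role is abridged to its read privileges.

```python
from fnmatch import fnmatchcase

MSEARCH = "indices:data/read/msearch"
SEARCH = "indices:data/read/search"

# Read privileges from the role posted in the thread (other privileges omitted).
ROLE_BEFORE = {
    "*end": {SEARCH, MSEARCH},
    ".kibana": {SEARCH, "indices:data/read/get", "indices:data/read/mget"},
}
# The same role after the change suggested in the thread:
# '.kibana' widened to '.kibana*' and msearch added to it.
ROLE_AFTER = {
    "*end": {SEARCH, MSEARCH},
    ".kibana*": {SEARCH, MSEARCH, "indices:data/read/get", "indices:data/read/mget"},
}

# Constructed request: these index names are placeholders, not from the thread.
REQUEST_INDICES = ["logs-frontend", ".kibana-example"]


def uncovered(role, action, indices):
    """Return the indices for which no pattern in the role grants the action."""
    missing = []
    for index in indices:
        granted = any(
            fnmatchcase(index, pattern) and action in privileges
            for pattern, privileges in role.items()
        )
        if not granted:
            missing.append(index)
    return missing


def is_authorized(role, action, indices):
    """All-or-nothing: a single uncovered index denies the whole request."""
    return not uncovered(role, action, indices)


if __name__ == "__main__":
    for name, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(name, is_authorized(role, MSEARCH, REQUEST_INDICES),
              uncovered(role, MSEARCH, REQUEST_INDICES))
```

Running `uncovered()` against a role with the index names taken from Kibana's verbose log shows which pattern or privilege is missing, which the audit line alone does not.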