Action [indices:data/read/search] is unauthorized for user

jhonko · August 12, 2019, 5:49am

Hello!

I'm currently evaluating Elastic Stack and I have problems related to REST API authorization. I'm not sure if I'm doing something wrong or if there's a bug is Elasticsearch.

I have setup OIDC SSO successfully (using our custom OIDC standards compliant IdP) and I'm able to get access token from Elasticsearch _security/oidc/authenticate endpoint. When I try to use it to invoke kibana_sample_data_ecommerce/_search endpoint, I get following error

The remote server returned an error: (403) Forbidden.. Call: Status code 403 from: POST /kibana_sample_data_ecommerce/_search?typed_keys=true. ServerError: Type: security_exception Reason: "action [indices:data/read/search] is unauthorized for user [admin]"

So it seems that I can authenticate, but authorization fails.

Authenticated user is "admin" like the error message says.
User has access to kibana_sample_data_ecommerce index because I can log in to Kibana as that user and successfully query data using Kibana dev tools.
NEST library is used for search query.
Access token is provided in Authorization header as a Bearer token.
Data is from Kibana eCommerce sample data.

Our IdP returns a profile claim which value I use to assign roles to the authenticated user. Role mapping looks like this

PUT /_security/role_mapping/testrole
{
  "roles": [ "kibana_user", "testrole" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "groups": "testrole" } }
  ] }
}

Elasticsearch.yml has following configuration

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  ...
  rp.requested_scopes: "openid profile email"
  ...
  claims.principal: preferred_username
  claims.mail: email
  claims.groups: profile

And the actual "testrole" role has kibana_sample_data_ecommerce index with "read" and "view_index_metadata" privileges.

Code part using NEST (C#)

var settings = new ConnectionSettings(new Uri("http://localhost:9200"))
	.GlobalHeaders(new NameValueCollection
	{
		{ "Authorization", $"Bearer {elasticOidcAuthenticateResponse.AccessToken}" }
	})
	.DefaultIndex("kibana_sample_data_ecommerce");

var elasticClient = new ElasticClient(settings);

// BUG: This fails because of the following error.
// The remote server returned an error: (403) Forbidden... 
var elasticSearchResponse = elasticClient.Search<dynamic>();

Any ideas what could be wrong?

system · September 9, 2019, 5:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
About user authentication: action [indices:data/read/search] is unauthorized for user Elasticsearch	4	12711	October 13, 2017
[security_exception] action [indices:data/read/search] Elasticsearch elastic-stack-security	2	3971	July 29, 2019
Getting unauthorized when doing GET on indices with a read-only user Kibana elastic-stack-security	4	3493	September 23, 2020
Es-stack 8.1.0 - [security_exception] action [indices:data/read/search] Kibana elastic-stack-monitoring , docker	2	2748	April 23, 2022
Action [indices:admin/create] is unauthorized for user Elasticsearch elastic-stack-security	3	14585	May 27, 2022

Action [indices:data/read/search] is unauthorized for user

Related topics