moassafiri
November 11, 2022, 5:10am
1
Hi Team,
Is it possible to create custom App Search roles? We're looking to give a user Read-Only access to all the elements that a Developer can see (Crawlers, Curations etc) - but not give them write access.
Thanks,
moassafiri
November 22, 2022, 5:57am
2
So looked into using a Pipeline with a custom role to solve this particular problem - without any luck.
The pipeline works when using the simulator, but when attempting to do it via the App Search GUI, it appears the pipeline just doesn't set the set_security_user correctly.
The pipeline definitely runs because if there is no condition on the fail process - the pipeline works as expected and blocks out any changes - however it needs to be conditional based on the user executing the change.
Is there a way to log the ctx object anywhere when it's run through the AppSearch pipeline?
[
{
"set_security_user": {
"field": "_security",
"properties": [
"roles"
]
}
},
{
"fail": {
"message": "Cannot Run",
"if": "ctx._security.roles.contains(\"developer-tester\")"
}
},
{
"remove": {
"field": "_security"
}
}
]
Failure proceedure:
[
{
"remove": {
"field": "_security"
}
},
{
"script": {
"source": "ctx.op = \"noop\";"
}
}
]
moassafiri
November 22, 2022, 10:45pm
3
I wrote the CTX back to the Document and I'm getting this regardless of the user that's logged into Kibana via the GUI.
Is there anyway to get the authenticated user from the Set Security User process instead of just the Kibana System information?
"roles": [
"kibana_system",
"cloud-internal-enterprise_search-server"
],
"realm": {
"name": "found",
"type": "file"
},
"authentication_type": "REALM",
"username": "cloud-internal-enterprise_search-server"
}
moassafiri
November 23, 2022, 4:37am
4
Raised an Issue:
opened 04:30AM - 23 Nov 22 UTC
bug
needs-team
**Kibana version:**
8.4.3
**Elasticsearch version:**
8.4.3
**Server OS v… ersion:**
Cloud
**Browser version:**
Chrome
**Browser OS version:**
107
**Original install method (e.g. download page, yum, from source, etc.):**
Cloud
**Describe the bug:**
Elastic Search Ingest Pipelines `Set Security User` is being obscured by Kibana user, when should be returning the end user making the changes. This is critical to pass user information to Painless for additional logic / logging.
**Steps to reproduce:**
1. Create an Ingest Pipeline with `Set Security User` and add it to Default pipeline on an Enterprise Search Index (eg: `.ent-search-actastic-engines_v26`). Set Security User to a field like `ctx._security`.
3. Make a change to Enterprise Search via Kibana
4. Open the document and find the `document['_security']` that was written from the Ingest Pipeline.
```
{
"roles": [
"kibana_system",
"cloud-internal-enterprise_search-server"
],
"realm": {
"name": "found",
"type": "file"
},
"authentication_type": "REALM",
"username": "cloud-internal-enterprise_search-server"
}
```
**Expected behavior:**
Expected Behavior is having the End User as the Security User being sent through the Ingest Pipeline, not the default Kibana username/roles.
When using the Ingest Pipeline simulator directly on ElasticSearch, this is the response which is the correct response:
```
"_security": {
"metadata": {
"saml_email": [
"redacted"
],
"saml_nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
"saml(http://saml.elastic-cloud.com/attributes/principal)": [
"redacted"
],
"saml_roles": [
"superuser"
],
"saml_principal": [
"redacted"
],
"saml_nameid": "redacted",
"saml(http://saml.elastic-cloud.com/attributes/name)": [
"redacted"
],
"saml(http://saml.elastic-cloud.com/attributes/email)": [
"redacted"
],
"saml(http://saml.elastic-cloud.com/attributes/roles)": [
"superuser"
],
"saml_name": [
"redacted"
]
},
"full_name": "redacted",
"roles": [
"superuser"
],
"realm": {
"name": "cloud-saml-kibana",
"type": "saml"
},
"authentication_type": "TOKEN",
"email": "redacted",
"username": "redacted"
```
**Screenshots (if relevant):**
The `ctx` when doing an action via Kibana
https://imgur.com/a/umI4Jn1
When simulating via the Pipeline:
https://imgur.com/a/UtlOYJI
**Errors in browser console (if relevant):**
None
**Provide logs and/or server output (if relevant):**
**Any additional context:**
This seems like a bug to me.
Kibana should be passing through the actual user making the change on the Enterprise Search engines - not the Kibana_system user.
system
December 21, 2022, 4:37am
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.