Authentication role issues

We are trying to use authentication roles to limit the data that is visible based on a value in that data.

It looks like Granted Documents Query is the best option to do so. We have created a new user role -

    {
      "random_user": {
        "cluster": [
          "all"
        ],
        "indices": [
          {
            "names": [
              "*",
              "customer"
            ],
            "privileges": [
              "all"
            ],
            "query": """{"term": {"company": "Google"}}"""
          }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
          "enabled": true
        }
      }
    }

However, whenever we try to log in with these privileges we get -

Unable to fetch mapping. Do you have indices matching the pattern?
and if we enter the index name, we get

Could not locate that index-pattern (id: customer)
and
Config: Error 400 Bad Request: [security_exception] Can't execute an update request if field or document level security is enabled.
When we define the role, if we select the proper index rather than '*' and then access the Kibana page, it only shows the side bar and nothing else. Clicking on any option like Discover or Visualize doesn't load anything.
Does anyone know how to fix this, or can anyone identify something that we are missing?

   "indices": [
      {
        "names": [ "*",  "customer" ],
        "privileges": [ "all" ],
        "query": """{"term": {"company": "Google"}}"""
      }
    ],

You shouldn't do this.
There are two problems here:

  1. You are applying Document Level Security (DLS) to all indices (names: *), which is a problem. Kibana uses indices to store configuration and dashboards, and you are attempting to restrict the user to documents that have a company of Google (which won't be true for internal Kibana documents). If you want to use DLS then you need to be very careful to only apply it to the correct indices.
  2. You are using privileges: all with DLS. Document Level Security is a read-only feature. (See the "NOTE" at the top of this page.) If you are assigning a DLS query to an index pattern within a role, you should only grant read privileges to that index.

Hi Tim,
For,
1: As before, if we don't have * in there, everything is just blank for the user. (see the first image)
2: It works if we use *, but if we select an index we get the following error.

Have you assigned the kibana_user role to the user that you're testing with?

The instructions for using Kibana with X-Pack security are here: Kibana Guide [8.11] | Elastic

Point 2 is:

Assign the kibana_user role to grant Kibana users the privileges they need to use Kibana.
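The fix that came out of the two replies above has two parts: keep the DLS query off Kibana's own indices and off any write privilege, and give the user the kibana_user role separately. The script below is an added example (not code from the thread or from Elastic) that lints a role body for exactly those two mistakes before it is sent to the role API, and builds the corrected role and user bodies. The index name customer, the role name random_user, the list of Kibana internal index names other than .kibana, and the set of privileges treated as read-only are assumptions for the example.

```python
"""Lint an Elasticsearch role definition for the two DLS mistakes from the thread.

Added example. It does not talk to a cluster; it checks the JSON bodies you would
send to PUT /_security/role/<name> and PUT /_security/user/<name>.
"""
import fnmatch
import json

# .kibana is Kibana's real saved-objects index; the second entry is an assumption
# about what else a deployment might carry. Extend for your cluster.
KIBANA_INTERNAL_INDICES = [".kibana", ".kibana_task_manager"]

# Privileges we treat as safe to combine with a DLS query. DLS is read-only, so a
# write-capable grant ("all", "write", "index", ...) will fail at runtime. This set
# is an assumption for the linter, not an Elastic-published list.
DLS_SAFE_PRIVILEGES = {"read", "view_index_metadata", "monitor"}

DLS_QUERY = json.dumps({"term": {"company": "Google"}})

# The role as posted in the thread (run_as corrected to an empty list).
ORIGINAL_ROLE = {
    "cluster": ["all"],
    "indices": [{"names": ["*", "customer"], "privileges": ["all"], "query": DLS_QUERY}],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {"enabled": True},
}

# The same intent with DLS confined to the data index and to read access.
# Kibana access comes from the separate kibana_user role, not from this one.
FIXED_ROLE = {
    "cluster": [],
    "indices": [{"names": ["customer"], "privileges": ["read"], "query": DLS_QUERY}],
    "run_as": [],
    "metadata": {},
}


def lint_role(role):
    """Return a list of human-readable problems; empty means the role passes."""
    problems = []
    for entry in role.get("indices", []):
        if "query" not in entry:  # no DLS on this entry, nothing to check
            continue
        names = entry.get("names", [])
        privs = set(entry.get("privileges", []))

        # Problem 1: does any index pattern with a DLS query also match a Kibana index?
        # fnmatch treats "*" as matching names with a leading dot, unlike a shell.
        hits = sorted(
            {idx for pat in names for idx in KIBANA_INTERNAL_INDICES if fnmatch.fnmatchcase(idx, pat)}
        )
        if hits:
            problems.append(f"DLS query on {names} also covers Kibana indices {hits}")

        # Problem 2: DLS combined with anything beyond read-level privileges.
        bad = sorted(privs - DLS_SAFE_PRIVILEGES)
        if bad:
            problems.append(f"DLS query combined with non-read privileges {bad}")
    return problems


def user_body(password, data_role="random_user"):
    """Body for PUT /_security/user/<name>: the DLS role plus kibana_user."""
    return {"password": password, "roles": [data_role, "kibana_user"]}


if __name__ == "__main__":
    for label, role in (("original", ORIGINAL_ROLE), ("fixed", FIXED_ROLE)):
        print(f"{label}: {lint_role(role) or 'OK'}")
    print(json.dumps(FIXED_ROLE, indent=2))
    print(json.dumps(user_body("<choose-a-password>"), indent=2))
```

Running it reports both problems for the posted role and none for the corrected one; the two printed bodies are what you would send as the role and the user definition. The REST paths in the docstring are the 7.x-and-later form and are an assumption about the cluster version.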

Got it. That was the mistake I was making. Thank you so much. I missed adding 'kibana_user'.
Thank you, Tim :slight_smile:
