Authentication role issues

Sannj · July 20, 2017, 11:16pm

We are trying to use authentication roles to limit the data that is visible based on a value in that data.

It looks like Granted Documents Query is the best option to do so. We have created a new user role -

{
"random_user": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"*",
"customer"
],
"privileges": [
"all"
],
"query": """{"term": {"company": "Google"}}"""
}
],
"run_as": ,
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
}

However, whenever we try to login with these privileges we get -

Unable to fetch mapping. Do you have indices matching the pattern?
and if enter the index name, we get

Could not locate that index-pattern (id: customer)
and
Config: Error 400 Bad Request: [security_exception] Can't execute an update request if field or document level security is enabled.
When we define the role, if we select the proper index rather than '*' and then if we access the kibana page, it only shows the side bar and nothing else. Clicking on any options like discover or visualize doesn't load anything.
Does anyone how to fix this or can identify something that we are missing?

TimV · July 24, 2017, 3:34am

   "indices": [
      {
        "names": [ "*",  "customer" ],
        "privileges": [ "all" ],
        "query": """{"term": {"company": "Google"}}"""
      }
    ],

You shouldn't do this.
There's 2 problems here:

You are applying Document Level Security (DLS) to all indices (names: *) which is a problem. Kibana uses indices to store configuration and dashboards, and you are attempting to restriction the user to documents that have a company of Google (which won't be true for internal Kibana documents). If you want to use DLS then you need to be very careful to only apply it to the correct indices.
You are using privileges: all with DLS. Document Level Security is a read-only feature. (See the "NOTE" at the top of this page) If you are assigning a DLS query to an index pattern within a role, you should only grant read privileges to that index.

Sannj · July 24, 2017, 6:27pm

Hi Tim,
For,
1: As before if don't have * in there, everything is just blank for the user. (see the first image)
2: It works if we do * but otherwise if we select an index we get the following error.

TimV · July 25, 2017, 5:52am

Have you assigned the kibana_user role to the user that you're testing with?

The instructions for using Kibana with X-Pack security are here: Kibana Guide [8.11] | Elastic

Point 2 is:

Assign the kibana_user role to grant Kibana users the privileges they need to use Kibana.

Sannj · July 25, 2017, 4:30pm

Got it. That was the mistake I was making. Thank you so much. I missed adding 'kibana_user'.
Thank you, Tim

system · August 22, 2017, 4:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Document level security in Kibana with X Pack Kibana	7	1372	July 7, 2017
Index privileges Elasticsearch elastic-stack-security	5	4841	March 9, 2017
Role Granted Documents Query example Kibana elastic-stack-security	3	3371	February 8, 2021
Allow user only certain documents from certain indices Elasticsearch	2	5184	January 10, 2018
Security Error Kibana Kibana elastic-stack-security	5	358	June 6, 2022

Authentication role issues

Related topics