Cannot import template in elasticsearch

Hi
I have an Elasticsearch with SearchGuard mechanism on.
In searchguard configuration there is pmadmin role with the below permissions in sg_roles.yml :
sgs_pmadmin_role:
  cluster_permissions:
    - SGS_CLUSTER_MONITOR
    - SGS_CLUSTER_COMPOSITE_OPS_RO
  index_permissions:
    - index_patterns:
        - "pm*"
        - ".kibana*"
      allowed_actions:
        - SGS_CRUD
        - SGS_CREATE_INDEX
        - SGS_MANAGE

...and in sg_roles_mapping.yml:
sgs_pmadmin_role:
  reserved: true
  users:
    - "pmadmin"

I am trying to import a template for a non-existing index pm-counters* and I get the below:

curl -X PUT -k "https://:9200/_index_template/template_1?pretty" -H 'Content-Type: application/json' -d'{"index_patterns": "pm-counters*","template":{"settings": { "number_of_shards": 1 } } } '
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:admin/index_template/put] and User [name=pmadmin, backend_roles=, requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:admin/index_template/put] and User [name=pmadmin, backend_roles=, requestedTenant=null]"
  },
  "status" : 403
}

I changed the configuration to the below:
sgs_pmadmin_role:
  cluster_permissions:
    - SGS_CLUSTER_MANAGE_INDEX_TEMPLATES
    - SGS_CLUSTER_MONITOR
    - SGS_CLUSTER_COMPOSITE_OPS_RO
    - SGS_CLUSTER_ALL
  index_permissions:
    - index_patterns:
        - "pm-counters*"
        - ".kibana*"
      allowed_actions:
        - SGS_CRUD
        - SGS_CREATE_INDEX
        - SGS_MANAGE
        - SGS_INDICES_ALL

but with the same results.

I tried the same command with "admin" and succeeded,
where admin is:
_sg_meta:
  type: "rolesmapping"
  config_version: 2
SGS_ALL_ACCESS:
  reserved: true
  hidden: false
  backend_roles:
    - "admin"

What should be the permissions or the configuration generally for pmadmin to be able to import a template?
Thank you in advance!

Hello Voula,

Have a look here: Security privileges | Elasticsearch Reference [7.11] | Elastic

You need the manage_index_templates cluster privilege although I do not know how that maps to Search Guard.

Best regards
Wolfram

Hi,

Thank you for the prompt answer.
I get some error responses as below:
no permissions for [indices:data/write/index]
no permissions for [indices:admin/index_template/put]
What are "data" and "admin" in the above errors?
Is there any page I can get more info about that?
Thanks again!

Hi,

I guess that this is to differentiate between data (documents) and metadata (mapping, templates, ...).

In the link I posted above there are the following descriptions:
For write:

Privilege to perform all write operations to documents, which includes the permission to index, update, and delete documents as well as performing bulk operations, and allows the dynamic mapping updates as a result of these.

For manage:

All monitor privileges plus index and data stream administration (aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, force merge, refresh, settings, search shards, templates, validate).

So you might need those too. On which version are you anyway?

Also, you could have a look into the REST API documentation: Put index template API | Elasticsearch Reference [7.11] | Elastic

  • If the Elasticsearch security features are enabled, you must have the manage_index_templates or manage cluster privilege to use this API.

I don't know if this is valid if you have SearchGuard instead of Elastic Security on...

Best regards
Wolfram
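A small triage helper for the error strings discussed in this thread, added here as an example (it is not code from the thread, from Elastic or from Search Guard): it pulls the denied action and the user out of the 403 body and splits the action into the data/admin category described above, noting which sg_roles.yml section a grant for it belongs in. That template actions are granted under cluster_permissions is an assumption taken from the SGS_CLUSTER_MANAGE_INDEX_TEMPLATES entry and the manage_index_templates cluster privilege mentioned earlier in the thread.

```python
import json
import re

# Constructed sample (not captured from a live cluster): the 403 body shown in
# the thread for the pmadmin user, re-typed as a JSON document.
SAMPLE_403 = json.dumps({
    "error": {
        "root_cause": [{"type": "security_exception",
                        "reason": "no permissions for [indices:admin/index_template/put] "
                                  "and User [name=pmadmin, backend_roles=, requestedTenant=null]"}],
        "type": "security_exception",
        "reason": "no permissions for [indices:admin/index_template/put] "
                  "and User [name=pmadmin, backend_roles=, requestedTenant=null]",
    },
    "status": 403,
})

DENIAL_RE = re.compile(r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,\]]+)")

def parse_denial(body):
    """Extract the denied action name and the user from a security_exception body."""
    doc = json.loads(body)
    if doc.get("status") != 403 or doc["error"]["type"] != "security_exception":
        return None
    m = DENIAL_RE.search(doc["error"]["reason"])
    return {"user": m["user"], "action": m["action"]} if m else None

# Assumption from the thread: template actions are granted in cluster_permissions
# (SGS_CLUSTER_MANAGE_INDEX_TEMPLATES) even though their names start with "indices:".
CLUSTER_SCOPED_INDEX_ACTIONS = ("indices:admin/template/", "indices:admin/index_template/")

def classify_action(action):
    """Split 'indices:admin/index_template/put' into scope, category and operation,
    and name the sg_roles.yml section where a grant for it belongs."""
    scope, _, rest = action.partition(":")        # "indices" or "cluster"
    category, _, operation = rest.partition("/")  # "data" = documents, "admin" = metadata
    if scope == "cluster" or action.startswith(CLUSTER_SCOPED_INDEX_ACTIONS):
        section = "cluster_permissions"
    else:
        section = "index_permissions"
    return {"scope": scope, "category": category, "operation": operation, "section": section}

def triage(body):
    """Run both steps over one error body; None when it is not a permission denial."""
    denial = parse_denial(body)
    return None if denial is None else {**denial, **classify_action(denial["action"])}

if __name__ == "__main__":
    print(triage(SAMPLE_403))
```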

I'd recommend you run our free, native Security functionality as we can provide direct assistance with that.

Otherwise you will need to contact Search Guard, sorry.