Created user role for privileges on Index but user despite login to Kibana unable to access Index

Elastic Stack Kibana
1

I want to create a user who has admin rights (search, read, write) access on testIndex index. For this, I created a role testIndex_admin (ref. kibana screenshot attached here) and assigned the new user this role.

ElasticRole
ElasticRole.PNG724×667 27.8 KB

However after the user logs in he only see an empty screen with a "Help us improve the Elastic Stack by providing basic feature usage statistics?" popup. On the browser console I found the following request being made which failed with 403 error.
Request URL: http://localhost:5601/api/saved_objects/_find?type=index-pattern&per_page=10000
{
"message": "action [indices:data/read/search] is unauthorized for user [user01]: [security_exception] action [indices:data/read/search] is unauthorized for user [user01]",
"statusCode": 403,
"error": "Forbidden"
}

Also there is a "Advanced Setting Error" popup that appears (give below)
ElasticRole2

What can be done so that the user can access only his testIndex with all permission to it?

2

Few portions of log that was generated before login when http://localhost:5601 was visited :

log [11:34:43.343] [debug][plugin] Checking Elasticsearch version
log [11:34:45.854] [debug][plugin] Checking Elasticsearch version
ops [11:34:46.256] memory: 110.1MB uptime: 0:01:43 load: [0.00 0.00 0.00] delay: 3.243
log [11:34:46.261] [debug][kibana-monitoring][monitoring-ui] Received Kibana Ops event data
error [11:34:47.457] [debug][auth][security][session] Error: Unauthorized
at validate (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi-auth-cookie\lib\index.js:145:49)
at Object.authenticate (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi-auth-cookie\lib\index.js:210:13)
at module.exports.internals.Auth.internals.Auth.test (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\auth.js:96:22)
at Object.test (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\plugin.js:65:64)
at resolve (C:/Program Files/Elastic/kibana/6.3.2/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:56:25)
at new Promise ()
at Session.get (C:/Program Files/Elastic/kibana/6.3.2/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:55:12)
at Authenticator.authenticate (C:/Program Files/Elastic/kibana/6.3.2/node_modules/x-pack/plugins/security/server/lib/authentication/authenticator.js:137:49)
at Object.server.expose.request [as authenticate] (C:/Program Files/Elastic/kibana/6.3.2/node_modules/x-pack/plugins/security/server/lib/authentication/authenticator.js:277:60)
at handler (C:/Program Files/Elastic/kibana/6.3.2/node_modules/x-pack/plugins/security/server/routes/api/v1/authenticate.js:30:68)
at Object.internals.handler (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\handler.js:96:36)
at request._protect.run (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\handler.js:30:23)
at module.exports.internals.Protect.internals.Protect.run (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\protect.js:64:5)
at exports.execute (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\handler.js:24:22)
at each (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\request.js:384:16)
at iterate (C:\Program Files\Elastic\kibana\6.3.2\node_modules\items\lib\index.js:36:13)
at done (C:\Program Files\Elastic\kibana\6.3.2\node_modules\items\lib\index.js:28:25)
at postValidate (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\validation.js:68:20)
at internals.Object._validateWithOptions (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\node_modules\joi\lib\any.js:604:20)
at module.exports.internals.Any.root.validate (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\node_modules\joi\lib\index.js:105:23)
at Object.internals.input (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\validation.js:137:20)
at exports.payload (C:\Program Files\Elastic\kibana\6.3.2\node_modules\hapi\lib\validation.js:42:22)
log [11:34:47.486] [debug][basic][security] Trying to authenticate user request to /api/security/v1/login.
log [11:34:47.486] [debug][basic][security] Trying to authenticate via header.
log [11:34:47.571] [debug][basic][security] Request has been authenticated via header.
respons [11:34:47.445] POST /api/security/v1/login 200 139ms - 9.0B
log [11:34:47.596] [debug][basic][security] Trying to authenticate user request to /.
log [11:34:47.597] [debug][basic][security] Trying to authenticate via header.
log [11:34:47.601] [debug][basic][security] Authorization header is not presented.
log [11:34:47.603] [debug][basic][security] Trying to authenticate via state.
log [11:34:47.606] [debug][basic][security] Request has been authenticated via state.
respons [11:34:47.592] GET / 200 28ms - 9.0B

...
...
...

3

Few portions of log that was generated immediately after login with the new user on http://localhost:5601 :

respons [11:34:48.669] GET /api/security/v1/me 200 11ms - 9.0B
log [11:34:48.717] [debug][basic][security] Trying to authenticate user request to /api/saved_objects/_find?type=index-pattern&per_page=10000.
log [11:34:48.720] [debug][basic][security] Trying to authenticate via header.
log [11:34:48.726] [debug][basic][security] Authorization header is not presented.
log [11:34:48.729] [debug][basic][security] Trying to authenticate via state.
log [11:34:48.734] [debug][basic][security] Request has been authenticated via state.
respons [11:34:48.733] GET /plugins/kibana/assets/discover.svg 304 6ms - 9.0B
respons [11:34:48.733] GET /plugins/kibana/assets/visualize.svg 304 14ms - 9.0B
respons [11:34:48.734] GET /plugins/kibana/assets/dashboard.svg 304 16ms - 9.0B
log [11:34:48.762] [debug][license][xpack] Calling [data] Elasticsearch _xpack API. Polling frequency: 30001
respons [11:34:48.758] GET /plugins/timelion/icon.svg 304 12ms - 9.0B
respons [11:34:48.759] GET /plugins/apm/icon.svg 304 16ms - 9.0B
respons [11:34:48.759] GET /plugins/ml/ml.svg 304 31ms - 9.0B
respons [11:34:48.716] GET /api/saved_objects/_find?type=index-pattern&per_page=10000&page=1 403 79ms - 9.0B
respons [11:34:48.784] GET /plugins/kibana/assets/wrench.svg 304 14ms - 9.0B
respons [11:34:48.783] GET /plugins/graph/icon.png 304 22ms - 9.0B
respons [11:34:48.795] GET /plugins/monitoring/icons/monitoring.svg 304 27ms - 9.0B
respons [11:34:48.797] GET /plugins/kibana/assets/settings.svg 304 39ms - 9.0B
respons [11:34:48.804] GET /plugins/security/images/person.svg 304 40ms - 9.0B
log [11:34:48.864] [debug][basic][security] Trying to authenticate user request to /api/xpack/v1/info.
log [11:34:48.865] [debug][basic][security] Trying to authenticate via header.
log [11:34:48.868] [debug][basic][security] Authorization header is not presented.
log [11:34:48.874] [debug][basic][security] Trying to authenticate via state.
respons [11:34:48.842] GET /plugins/security/images/logout.svg 304 36ms - 9.0B
log [11:34:48.885] [debug][basic][security] Request has been authenticated via state.
respons [11:34:48.843] GET /bundles/ebdca7741674eca4e1fadeca157f3ae6.svg 304 55ms - 9.0B
respons [11:34:48.877] GET /ui/favicons/favicon-32x32.png 304 45ms - 9.0B
respons [11:34:48.896] GET /plugins/kibana/assets/play-circle.svg 304 49ms - 9.0B
respons [11:34:48.843] GET /api/xpack/v1/info 200 114ms - 9.0B
respons [11:34:48.944] GET /ui/favicons/favicon-32x32.png 304 18ms - 9.0B
respons [11:34:49.044] GET /ui/favicons/favicon-16x16.png 304 2ms - 9.0B
log [11:34:50.926] [debug][plugin] Checking Elasticsearch version
ops [11:34:51.256] memory: 113.1MB uptime: 0:01:48 load: [0.00 0.00 0.00] delay: 2.170
log [11:34:51.259] [debug][kibana-monitoring][monitoring-ui] Received Kibana Ops event data
log [11:34:52.736] [debug][kibana-monitoring][monitoring-ui] Fetching data from kibana collector
log [11:34:52.741] [debug][kibana-monitoring][monitoring-ui] Fetching data from kibana_stats collector
log [11:34:52.745] [debug][kibana-monitoring][monitoring-ui] Fetching data from kibana_settings collector
log [11:34:52.751] [debug][kibana-monitoring][monitoring-ui] Fetching data from reporting_stats collector
log [11:34:52.764] [debug][kibana-monitoring][monitoring-ui] not sending [kibana_settings] monitoring document because [undefined] is null or invalid.
log [11:34:52.774] [debug][kibana-monitoring][monitoring-ui] Uploading bulk Kibana monitoring payload

4

If you want the user to be able to use Kibana, then you need to give them the kibana_user role.

2 Likes
5

So do you mean the new user should be given multiple roles, 1 will be the new role and the other will be "kibana_user" ?

6

Another observation
For the new role, I tried, passing the Index name and also the Index pattern but both didn't work. But when I tired * it worked. But that was not my intension as with the * the user can work on any index.

7

do you mean the new user should be given multiple roles

Yes, The kibana_user role grants access to the resources that are required when using Kibana.
You need to grant that role, and whatever additional roles your require in order to get access to the data itself.

I tried, passing the Index name and also the Index pattern but both didn't work

Happy to help debug this, but you'll need to provide a bit more detail - "didn't work" is too abiguous to do much about.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.