Custom roles in ECK 1.2.1

Can't get the custom roles to work in ECK 1.2.1.

Here is a fraction of my yaml:

spec:
  version: 7.9.0
  http:
    service:
      spec:
        type: ClusterIP
        selector:
          elasticsearch.k8s.elastic.co/cluster-name: "quickstart"
          elasticsearch.k8s.elastic.co/node-master: "false"
          elasticsearch.k8s.elastic.co/node-data: "false"
          elasticsearch.k8s.elastic.co/node-ingest: "false"
          elasticsearch.k8s.elastic.co/node-ml: "false"
      metadata:
        annotations:
          cloud.google.com/load-balancer-type: Internal
  image: original-790-with-snapshot-plugin/elasticsearch:7.9.0
  secureSettings:
  - secretName: bucket-credentials
  auth:
    fileRealm:
    - secretName: user-tish-filerealm-secret
    roles:
    - secretname: my-roles-secret
  nodeSets:
    ....

The secret is exactly as described in eck documentation

kind: Secret
apiVersion: v1
metadata:
  name: my-roles-secret
stringData:
  roles.yml: |-
    click_admins:
      run_as: [ 'clicks_watcher_1' ]
      cluster: [ 'monitor' ]
      indices:
      - names: [ 'events-*' ]
        privileges: [ 'read' ]
        field_security:
          grant: ['category', '@timestamp', 'message' ]
        query: '{"match": {"category": "click"}}'

or

kind: Secret
apiVersion: v1
metadata:
  name: my-roles-secret
stringData:
  roles.yml: |-
    click_admins:
      cluster: [ 'all' ]

The user realm works. Assigning any role to a user created by the file realm works. I can't create the role. The role doesn't appear in the roles.yaml. I can't list the role through the API at
GET /_security/role/click_admins.

I am not sure I understand your question completely. Can you explain exactly what is not working?

This is normal for file realm. Elasticsearch does not support listing users and roles created using the file realm: https://www.elastic.co/guide/en/elasticsearch/reference/current/file-realm.html

Yes, indeed. I am getting to know the difference and reading about the matter. Thank you for pointing it out.

Why is this role from the secret not appearing in /usr/share/elasticsearch/config/roles.yml ( the default path in the container)? I could see a whole bunch of other default roles in there but not mine that got specified in the secret and referenced in the manifest. Also when I assign this role to the user, I don't seem to have the permissions it grants.
In that case click_admins

click_admins:tish_user
elastic_internal_probe_user:elastic-internal-probe
kibana_admin:tish_user
kibana_system:elastic-system-quickstart-kibana-user
monitoring_user:tish_user
superuser:elastic,elastic-internal

Here is the new secret. I've retrieved the permissions from the superuser built-in role.

kind: Secret
apiVersion: v1
metadata:
  name: my-roles-secret
stringData:
  roles.yml: |-
    click_admins:
      cluster:
      - "all"
      indices:
      - names:
        - "*"
        privileges:
        - "all"
        allow_restricted_indices: true
      applications:
      - application: "*"
        privileges:
        - "*"
        resources:
        - "*"
      run_as:
      - "*"

And I get 403.

GET /_cluster/health
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/health] is unauthorized for user [tish_user]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [cluster:monitor/health] is unauthorized for user [tish_user]"
  },
  "status" : 403
}

If I PUT a json version of the exact same role to /_security/role/ then it works and I get authorized.

Have you disabled the file realm by any chance? Otherwise, I see no reason why this would fail.

I followed the instructions at https://www.elastic.co/guide/en/cloud-on-k8s/1.2/k8s-users-and-roles.html and was able to get your example working.

$ cat roles.yml

click_admins:
  cluster:
    - "all"
  indices:
    - names:
        - "*"
      privileges:
        - "all"
      allow_restricted_indices: true
  applications:
    - application: "*"
      privileges:
        - "*"
      resources:
        - "*"
  run_as:
    - "*"

$ touch users users_roles
$ docker run -v $(pwd):/usr/share/elasticsearch/config docker.elastic.co/elasticsearch/elasticsearch:7.9.2 bin/elasticsearch-users useradd tish_user -p mypassword -r monitoring_user,click_admins
$ kubectl create secret generic hulk-roles --from-file roles.yml
$ kubectl create secret generic hulk-file-realm --from-file users --from-file users_roles
$ cat <<EOF | kubectl apply -f - 
---
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: hulk
spec:
  version: 7.9.2
  auth:
    fileRealm:
      - secretName: hulk-file-realm
    roles:
      - secretName: hulk-roles
  nodeSets:
    - name: default
      count: 1
      config:
        node.store.allow_mmap: false
EOF

$ curl -k -u 'tish_user:mypassword' 'https://localhost:9200/' 
{
  "name" : "hulk-es-default-0",
  ...
}

I've tried your manifest and the way you generate the password, users_roles etc. I've already been through it, but your manifest worked great (thank you). At this point I got really puzzled and started to look for either a config error or a typo. I spent two days dealing with this issue and was desperate. I went for a run this morning and after that I found a typo in the manifest.

It has to be secretName and not secretname.
Once again thank you - you were of great help.
Cheers,
Tish
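A pre-apply check for the two things this thread turned on: the case-sensitive `secretName` key under `spec.auth` (a mis-cased `secretname` is valid YAML and accepted by kubectl, so nothing complains, the operator just never loads the secret), and a role that is assigned in `users_roles` but never defined in `roles.yml`, which is what left tish_user with a 403. This is an added example, not code from the thread or from the ECK project. It works on the plain dicts a YAML loader returns, so it needs no third-party module; the manifest dicts and the `users_roles` text below are constructed from the values posted in the thread, and the set of built-in role names is limited to the ones the thread mentions.

```python
"""Pre-apply checks for an ECK Elasticsearch manifest and file-realm data.

Added example, not code from this thread or from ECK.  Works on the
dicts/lists a YAML loader (e.g. yaml.safe_load) returns; lint_yaml_text()
uses PyYAML only if it is installed.
"""

# Keys ECK reads under spec.auth.  They are CamelCase and case-sensitive;
# a mis-cased key is silently ignored, which is the failure in the thread.
AUTH_LISTS = ("fileRealm", "roles")
ITEM_KEY = "secretName"


def lint_manifest(doc):
    """Return a list of findings for an Elasticsearch CR dict (empty = OK)."""
    findings = []
    auth = (doc.get("spec") or {}).get("auth") or {}

    # A mis-cased list name (e.g. 'filerealm') is ignored like a mis-cased item key.
    lowered = {a.lower() for a in AUTH_LISTS}
    for key in auth:
        if key not in AUTH_LISTS and key.lower() in lowered:
            findings.append(f"spec.auth: key '{key}' should be one of {AUTH_LISTS} (case-sensitive)")

    for list_name in AUTH_LISTS:
        items = auth.get(list_name)
        if items is None:
            continue
        if not isinstance(items, list):
            findings.append(f"spec.auth.{list_name} must be a list")
            continue
        for i, item in enumerate(items):
            path = f"spec.auth.{list_name}[{i}]"
            if not isinstance(item, dict):
                findings.append(f"{path} must be a mapping containing '{ITEM_KEY}'")
            elif ITEM_KEY in item:
                if not isinstance(item[ITEM_KEY], str) or not item[ITEM_KEY]:
                    findings.append(f"{path}.{ITEM_KEY} must be a non-empty string")
            else:
                mis = [k for k in item if k.lower() == ITEM_KEY.lower()]
                if mis:
                    findings.append(f"{path}: key '{mis[0]}' should be '{ITEM_KEY}' (keys are case-sensitive)")
                else:
                    findings.append(f"{path}: missing '{ITEM_KEY}'")
    return findings


def lint_yaml_text(text):
    """Parse raw manifest text with PyYAML (optional dependency) and lint it."""
    try:
        import yaml
    except ImportError as exc:
        raise RuntimeError("PyYAML not installed; pass a parsed dict to lint_manifest()") from exc
    return lint_manifest(yaml.safe_load(text))


def parse_users_roles(text):
    """Parse the users_roles file format: one 'role:user1,user2' line per role."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, _, users = line.partition(":")
        mapping[role.strip()] = [u.strip() for u in users.split(",") if u.strip()]
    return mapping


def undefined_roles(users_roles_text, defined_roles, builtin_roles):
    """Roles assigned in users_roles that are in neither roles.yml nor the
    built-ins.  Elasticsearch grants nothing for an unknown role name, so a
    user relying on it gets 403s like the one in the thread."""
    assigned = parse_users_roles(users_roles_text)
    known = set(defined_roles) | set(builtin_roles)
    return sorted(role for role in assigned if role not in known)


# Constructed from the thread: spec.auth as first posted ('secretname') and as fixed.
BROKEN_MANIFEST = {
    "apiVersion": "elasticsearch.k8s.elastic.co/v1", "kind": "Elasticsearch",
    "spec": {"version": "7.9.0", "auth": {
        "fileRealm": [{"secretName": "user-tish-filerealm-secret"}],
        "roles": [{"secretname": "my-roles-secret"}]}},
}
FIXED_MANIFEST = {
    "apiVersion": "elasticsearch.k8s.elastic.co/v1", "kind": "Elasticsearch",
    "spec": {"version": "7.9.0", "auth": {
        "fileRealm": [{"secretName": "user-tish-filerealm-secret"}],
        "roles": [{"secretName": "my-roles-secret"}]}},
}

# users_roles as posted, plus the Elasticsearch built-in roles it names
# (elastic_internal_probe_user is written into roles.yml by ECK itself).
USERS_ROLES = """\
click_admins:tish_user
elastic_internal_probe_user:elastic-internal-probe
kibana_admin:tish_user
kibana_system:elastic-system-quickstart-kibana-user
monitoring_user:tish_user
superuser:elastic,elastic-internal
"""
BUILTIN_ROLES = {"kibana_admin", "kibana_system", "monitoring_user", "superuser"}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(name, lint_manifest(doc) or "OK")
    # With click_admins never loaded (the effect of the typo) the assignment
    # dangles; once the role is present in roles.yml nothing is reported.
    print(undefined_roles(USERS_ROLES, {"elastic_internal_probe_user"}, BUILTIN_ROLES))
    print(undefined_roles(USERS_ROLES, {"elastic_internal_probe_user", "click_admins"}, BUILTIN_ROLES))
```

The second check is worth running against the container's actual `/usr/share/elasticsearch/config/roles.yml` after the operator has reconciled: a role name that is present in `users_roles` but absent from that file and from the built-in list is exactly the symptom the OP described, and it points at the secret wiring rather than at the role definition itself.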