Default user role in Shield doesn't appear to work

rawill · July 24, 2015, 9:35pm

We have been looking at Shield in our dev environment for awhile and and thought we would try the latest version to see what changes had been put in place. Just from an initial setup it doesn't appear that the base "user" role works out of the box. If I setup a user that just has the "user" role I get this error: Error: AuthorizationException[action [cluster:monitor/nodes/info] is unauthorized for user [rawill]]

The other base roles appear to work as they should. I know I can define a read only role as I have done in the past, but it would be nice to use the base user role. Has anyone else run into this?

PatrickKik · July 27, 2015, 5:26am

Based on the error I would say that the user role does not have the monitor/nodes/info privilege.
Could you share your roles.yml and the list of configured users (you can use esusers to report the list of users, if you're using the default realm).

jaymode · July 27, 2015, 10:03am

What do you use the user role to do? Are you using it with Kibana?

The default user role is only granted read permissions on indices and has no cluster permissions.

skearns · July 27, 2015, 11:18am

Hi Randall,

I'm going to venture a guess that you're using the Java Transport client. The Transport Client makes a periodic request to check node/cluster health, and as a result it requires additional permissions over using plain HTTP. To address this, we include a transport_client role that you can also assign to any user that will be using the transport client.

Hope that helps!
Steve

rawill · July 27, 2015, 2:04pm

Correct this is using Kibana. We wanted to use as a read only role. We will have multiple indexes and will need to provide different levels of access to different users. It would be much easier to copy the default "user" role change * to the index name, than it would be for create a group with each individual permission for read only access for each index. What step did I miss in setting up a user for read only access. So do I just need to add cluster : all to the user role?

jaymode · July 27, 2015, 3:20pm

Kibana requires several additional permissions for the cluster and a few indices admin operations such as gettng the mapping. The kibana4 role should be listed in your roles.yml file. I have copied the role definition below:

# The required permissions for kibana 4 users.
kibana4:
  cluster: 
      - cluster:monitor/nodes/info
      - cluster:monitor/health 
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get 
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

For your users, you could replace the '*' with the proper indices that they should have permission to.