Deployment issue with dedicated user - how to limit permissions?

Hello,
I have a problem with permissions for an Elastic deployment with a dedicated user. When I use the superuser role for sample_user, the deployment works properly. The issue begins when I create a new role. I wanted to reduce permissions, but when I create a new role with the maximum settings it returns this error:

fatal: [host-g]: FAILED! => changed=true 
  cmd: docker run -v /srv/docker/volumes/metricbeat/metricbeat-setup.yml:/usr/share/metricbeat/metricbeat.yml --rm --network host 10.X.X.X:443/sdwan/metricbeat:b01faf49dfa8 setup
  delta: '0:00:02.033285'
  end: '2018-12-17 14:27:03.325520'
  invocation:
    module_args:
      _raw_params: docker run -v /srv/docker/volumes/metricbeat/metricbeat-setup.yml:/usr/share/metricbeat/metricbeat.yml --rm --network host 10.X.X.X:443/sdwan/metricbeat:b01faf49dfa8 setup
      _uses_shell: true
      argv: null
      chdir: null
      creates: null
      executable: null
      removes: null
      stdin: null
      warn: true
  msg: non-zero return code
  rc: 1
  start: '2018-12-17 14:27:01.292235'
  stderr: |-
    Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /usr/share/metricbeat/kibana: Failed to import index-pattern: Failed to load directory /usr/share/metricbeat/kibana/6/index-pattern:
      error loading /usr/share/metricbeat/kibana/6/index-pattern/metricbeat.json: action [indices:data/write/bulk[s]] is unauthorized for user [aiops]. Response: {"objects":[{"id":"metricbeat-*","type":"index-pattern","error":{"message":"action [indices:data/write/bulk[s]] is unauthorized for user [aiops]"}}]}
  stderr_lines:
  - 'Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /usr/share/metricbeat/kibana: Failed to import index-pattern: Failed to load directory /usr/share/metricbeat/kibana/6/index-pattern:'
  - '  error loading /usr/share/metricbeat/kibana/6/index-pattern/metricbeat.json: action [indices:data/write/bulk[s]] is unauthorized for user [aiops]. Response: {"objects":[{"id":"metricbeat-*","type":"index-pattern","error":{"message":"action [indices:data/write/bulk[s]] is unauthorized for user [aiops]"}}]}'
  stdout: |-
    Loaded index template
    Loading dashboards (Kibana must be running and reachable)
  stdout_lines: <omitted>

If I see it correctly, I chose all available indices.

And this is what the superuser role looks like:

Where else can I make a mistake?

Regards,
Dawid

Hi @Dawid_WWW,

Please don't post images of text, as they are hard to read, may not display
correctly for everyone, and are not searchable.

Instead, paste the text and format it with the </> icon, and check the preview
window to make sure it's properly formatted before posting. This makes it
more likely that your question will receive a useful answer.

For example, don't post a screenshot of what your role looks like in the UI, but do share the output of a call to the Get Roles API for this role.

A few additional comments:

  • Please describe what you are trying to do in more concrete terms. "elastic deployment with dedicated user" is unfortunately not enough for us to understand your environment and what you are trying to achieve.

  • "The issue is begin with create new role. I wanted permission reduction but when I am creating new role with maximum setting it returns me this error"

    How do you actually try to create this new role? We do not have access to your Ansible playbook, so you need to share the relevant parts of it with us before we can assist in any way, or try to do the same using the API directly.

  • Since it looks like you want to run Metricbeat in Docker, have you read through our relevant documentation?

  • "action [indices:data/write/bulk[s]] is unauthorized for user [aiops]."

    Which user is this aiops user? What roles and permissions does it have?

  • I guess this is for testing purposes, but when you assign "all" for privileges, it is redundant to add any others explicitly.

It would be great if you could update your post to solve the issues I mentioned and add all the missing information. This will highly affect your chances of getting a swift and meaningful answer.
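As an added illustration (not code from this thread or from Elastic): a small offline check of a role, written in the shape the Get Roles API returns, against the action named in the error above. The sample role, the index names tested and the subset of index privileges modelled are assumptions constructed for the example; it also shows why listing other privileges next to "all" adds nothing.

```python
"""Offline check of an Elasticsearch role (Get Roles API shape) against an index action."""
import re
from typing import Dict, List

# Subset of Elasticsearch index privileges expressed as action-name patterns.
# Assumption for this example: only these four privileges are modelled.
INDEX_PRIVILEGE_ACTIONS: Dict[str, List[str]] = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "monitor": ["indices:monitor/*"],
}


def _glob_match(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard; '[' and ']' are literal (see 'bulk[s]')."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def index_action_allowed(role: dict, index: str, action: str) -> bool:
    """True if any index-privilege entry of the role covers both the index and the action."""
    for entry in role.get("indices", []):
        if not any(_glob_match(name, index) for name in entry.get("names", [])):
            continue  # this entry does not apply to the index at all
        for priv in entry.get("privileges", []):
            if any(_glob_match(p, action) for p in INDEX_PRIVILEGE_ACTIONS.get(priv, [])):
                return True
    return False


def redundant_privileges(entry: dict) -> List[str]:
    """Privileges in one index entry that add nothing because 'all' is already granted."""
    privs = entry.get("privileges", [])
    return [p for p in privs if p != "all"] if "all" in privs else []


# Constructed sample in the shape the Get Roles API returns (not the poster's real role).
SAMPLE_ROLES = {
    "metricbeat_setup": {
        "cluster": ["monitor"],
        "indices": [{"names": ["metricbeat-*"], "privileges": ["all", "read", "write"]}],
    }
}

BULK_ACTION = "indices:data/write/bulk[s]"  # the action named in the error message

if __name__ == "__main__":
    role = SAMPLE_ROLES["metricbeat_setup"]
    # ".kibana" is an assumed example of an index the role's patterns do not cover.
    for idx in ("metricbeat-2018.12.17", ".kibana"):
        print(idx, index_action_allowed(role, idx, BULK_ACTION))
    print("redundant:", redundant_privileges(role["indices"][0]))
```

The same question can be asked of a live cluster with the Has Privileges API, but evaluating the role document locally makes it clear whether the index name or the privilege list is what excludes the action.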
