Hi, I'm having an issue with generated reports.
When I use a user with a role that has read access to the * index pattern, the report is generated with data.
But if a role only has access to a specific index pattern, e.g. mylogs-*,
the report is generated but has no data and just an error message inside. The role is also specified with Kibana all privileges, and index privileges are specified as all.
ELK version: 8.14.1
Error:
"Encountered an unknown error: security_exception
Root causes:
security_exception: action [indices:data/read/search] is unauthorized for user [test] with effective roles [testrole], this action is granted by the index privileges [read,all]"
"Encountered an error with the number of CSV rows generated from the search: expected rows were indeterminable, received 0."
I also tried giving the role access to:
.monitoring-*
.ds-*
The only additional information I can provide is that I have a second platform running ELK 8.4.2 with the exact same index, roles, users created and the problem does not exist there.
The issue of the user being unable to export CSV in 8.13.4 (while this works in 8.4.2) was due to the fact that his role gave him access to the indices “log-filebeat-alias”.
I added “log*” and this suddenly worked again in 8.16.4.
It therefore seems that giving access to indices using aliases is not working anymore.
I ran into the same issue and eventually tracked it down to a side effect of using the shrink operation on indices.
When Elasticsearch performs a shrink, the resulting index name gets a prefix like:
shrink-<node>-<original-index-name>
In our case, the original indices matched the role pattern (for example myawesomeindex*), but after the shrink they became something like:
shrink-xxx-myawesomeindex-...
This caused a subtle problem:
In Kibana Discover, the data is still visible because the data view resolves through the alias/pattern, so the documents appear normally.
But when generating a CSV report, Elasticsearch evaluates permissions against the actual index names involved in the search.
Since the role only allowed myawesomeindex*, it did not match the new shrink-* indices, and the reporting job failed with a security_exception.
The fix was simply to extend the role index permissions to also include the shrink indices, for example:
shrink-*myawesomeindex*
After adding that pattern to the role, CSV reporting worked again.
So if you are using ILM workflows or manual maintenance that involves shrink, it's worth checking whether your role index patterns still match the final index names after the shrink prefix is added.
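The check suggested in the post above can be run offline before a role change is rolled out. The following is an added example, not code from the thread or from Elastic; the index names are constructed, the function names are hypothetical, and only the `*` and `?` wildcards in role index patterns are handled.

```python
import re


def pattern_to_regex(pattern):
    """Translate a role index pattern (* and ? wildcards only) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # dots, dashes etc. stay literal
    return re.compile("".join(parts))


def uncovered_indices(role_patterns, concrete_indices):
    """Return the concrete index names that no role pattern matches."""
    compiled = [pattern_to_regex(p) for p in role_patterns]
    return [
        name
        for name in concrete_indices
        if not any(rx.fullmatch(name) for rx in compiled)
    ]


# Constructed sample: concrete indices behind one data view after a shrink.
# In practice this list would be exported from the cluster.
CONCRETE = [
    "myawesomeindex-2024.06.01-000002",
    "shrink-abcd-myawesomeindex-2024.05.01-000001",
]

ROLE_BEFORE = ["myawesomeindex*"]
ROLE_AFTER = ["myawesomeindex*", "shrink-*myawesomeindex*"]

if __name__ == "__main__":
    for label, patterns in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        missing = uncovered_indices(patterns, CONCRETE)
        status = "OK" if not missing else "NOT COVERED: " + ", ".join(missing)
        print(f"role {label}: {status}")
```

Any index reported as not covered is one for which a search under that role would be rejected with the security_exception shown earlier in the thread.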