Getting unauthorized when doing GET on indices with a read-only user

Hello,

I am using Kibana/Elasticsearch 7.9.0, and testing enabling security on the stack.

I am starting with a test user that gets the following on the GET API call:

GET _cat/indices

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:monitor/stats] is unauthorized for user [my_bogus_user]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:monitor/stats] is unauthorized for user [my_bogus_user]"
  },
  "status" : 403
}

The role definition looks like this:

{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["read","view_index_metadata"]
    }
  ]
}

The privilege definition looks like this:

{
  "elasticsearch": {
    "cluster": ["monitor"],
    "indices": [
      {
        "names": ["apm-*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": ["filebeat-*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": ["metricbeat-*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": ["packetbeat-*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": ["heartbeat-*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": ["auditbeat-*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": [".ml-anomalies*"],
        "privileges": ["read","view_index_metadata"]
      },
      {
        "names": ["observability-annotations"],
        "privileges": ["read","view_index_metadata"]
      }
    ]
  },
  "kibana": [
    {
      "base": ["read"],
      "spaces": ["*"]
    }
  ]
}

I am not sure what to grant to get the proper access.

Thank you,
Joey

You also need the index monitor privilege:

{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["read","view_index_metadata", "monitor"]
    }
  ]
}
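
An added example, not part of the original thread or of Elasticsearch's own code: a Python check that extracts the denied action from the 403 body shown above and reports which index privilege in a role covers it, so the role gets the narrowest missing privilege rather than a broad one. The privilege-to-action map is a simplified, partial assumption limited to the privileges in this thread, and the index name `filebeat-7.9.0` is a constructed sample.

```python
import json
import re
from fnmatch import fnmatchcase

# Assumption: simplified, partial map of index privilege -> action patterns,
# limited to the three privileges that appear in this thread.
INDEX_PRIVILEGE_ACTIONS = {
    "read": ["indices:data/read/*"],
    "monitor": ["indices:monitor/*"],
    "view_index_metadata": ["indices:admin/get", "indices:admin/aliases/get",
                            "indices:admin/mappings/get"],
}
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]")

# Sample input constructed from the error and the two role bodies in the thread.
ERROR_BODY = ('{"error": {"type": "security_exception", "reason": "action '
              '[indices:monitor/stats] is unauthorized for user [my_bogus_user]"},'
              ' "status": 403}')
ROLE_BEFORE = {"cluster": ["monitor"], "indices": [
    {"names": ["*"], "privileges": ["read", "view_index_metadata"]}]}
ROLE_AFTER = {"cluster": ["monitor"], "indices": [
    {"names": ["*"], "privileges": ["read", "view_index_metadata", "monitor"]}]}

def denied_action(error_body):
    """Return (action, user) from a security_exception body, else None."""
    err = json.loads(error_body).get("error", {})
    if err.get("type") != "security_exception":
        return None
    m = REASON_RE.search(err.get("reason", ""))
    return (m["action"], m["user"]) if m else None

def covering_privileges(action):
    """Privileges in the map whose action patterns match the denied action."""
    return sorted(p for p, pats in INDEX_PRIVILEGE_ACTIONS.items()
                  if any(fnmatchcase(action, pat) for pat in pats))

def granted_by(role, action, index):
    """Privileges the role holds on `index` that cover `action`."""
    held = set()
    for entry in role.get("indices", []):
        if any(fnmatchcase(index, name) for name in entry["names"]):
            held.update(entry["privileges"])
    return sorted(held & set(covering_privileges(action)))

if __name__ == "__main__":
    action, user = denied_action(ERROR_BODY)
    for label, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        print(label, user, action, granted_by(role, action, "filebeat-7.9.0"))
```

The cluster-level `monitor` privilege in both roles does not enter the check because the denied action is in the `indices:` namespace, which is why the original role still failed.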

Awesome, thank you, that fixed it.

What should I do with this one with 403 on the filebeat-* index-pattern? I do not get it for the apm-* index pattern:

{"type":"response","@timestamp":"2020-08-24T15:05:39Z","tags":[],"pid":45,"method":"put","statusCode":403,"req":{"url":"/api/saved_objects/index-pattern/filebeat-*","method":"put","headers":{"host":"localhost:5601","connection":"close","content-length":"907505","kbn-version":"7.9.0","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Edg/84.0.522.63","content-type":"application/json","accept":"*/*","origin":"https://localhost","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://localhost/app/management/kibana/indexPatterns/patterns/filebeat-*","accept-encoding":"gzip, deflate, br","accept-language":"en-CA,en-US;q=0.9,en;q=0.8"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"https://localhost/app/management/kibana/indexPatterns/patterns/filebeat-*"},"res":{"statusCode":403,"responseTime":37,"contentLength":9},"message":"PUT /api/saved_objects/index-pattern/filebeat-* 403 37ms - 9.0B"}

It seems like it tries to do a PUT, which I don't really want for a read-only user. Maybe I've set up something incorrectly. This 403 happens when I either click on the "filebeat-*" index pattern or when I select the "filebeat-*" from the Discover app.

Thank you,
Joey

I fixed my 2nd question in this post:
