I’m trying to grant host isolate perms configuring the "Role Mappings" but without success.
Tried the same configuration steps (same rule) for regular Kibana users and it works like a charm.
Have I missed something?
Thanks.
Hi, when you create a role mapping in the "Role Mappings" page, you select an existing role and add rules that assign roles to users. If you have an existing role that grants the Kibana application privilege to perform host isolation actions, you should select that role in the Role Mappings page.
Hi Tim,
thanks for the reply.
"If you have an existing role that grants the Kibana application privilege to perform host isolation actions, you should select that role in the Role Mappings page"
Yes, I did it. I created a specific role called "host_isolation" with "All" for:
- Endpoint List, Trusted Applications, Host Isolation Exceptions, Blocklist, Event Filter, Elastic Defender Policy History and Host Isolation, in the Security section, and None for everything else.
When I create a local user and use the same role it works. So I'm assuming the host_isolation role is correct and the issue is something related to Role Mapping itself.
I have to add that I'm already using Role Mapping for other tasks with success.
Any hints?
Thanks again.
Hi, a couple questions to narrow this down:
1. With the host_isolation role, are you able to SSO into Kibana but getting authorization errors when trying to execute host isolation related actions, or something else?
2. Can you log in as a user that should get host_isolation and call GET /_security/authenticate from Dev Tools? If you're okay with sharing these publicly, could you post the list of roles you get in the response? It's also fine to just confirm if host_isolation is among them or not. Also, it's worth looking at the user metadata; does it match what you would expect, based on your role mapping rules?
3. Which realm is the user that should get host_isolation authenticating with? There's additional logging we can enable to get more info, but it helps to know the authentication realm first.
4. The role definition (GET /_security/role/host_isolation) and role mapping rule (GET /_security/role_mapping/<mapping-name>) would help, if you're willing to share them.
Hi Nikolaj,
thanks for the reply.
"Not working" means it works for local Kibana users and not for SSO ones.
8.11.4
I called GET .../authenticate and host_isolation doesn't show up.
This is the sanitized output [1]:
As I said, other role mappings are already working well for SSO users (custom_reporting, for example), so I'm assuming the authentication portion is OK.
Please find below in [2] and [3] respectively the sanitized output.
Also, to compare, I'm sending [4] the custom_reporting role (works with SSO).
Thanks again.
[1] - GET _security/authenticate
```json
{
  "username": "5510487348",
  "roles": [
    "viewer",
    "editor"
  ],
  "full_name": "user@domain.com",
  "email": "user@domain.com",
  "metadata": {
    "saml_email": [
      "user@domain.com"
    ],
    "saml_nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "saml(http://saml.elastic-cloud.com/attributes/principal)": [
      "5510487348"
    ],
    "saml_roles": [
      "editor",
      "viewer"
    ],
    "saml_principal": [
      "5510487348"
    ],
    "saml_nameid": "_56aed318267b78e185d34c0a5cca8f2507814f23",
    "saml(http://saml.elastic-cloud.com/attributes/name)": [
      "user@domain.com"
    ],
    "saml(http://saml.elastic-cloud.com/attributes/email)": [
      "user@domain.com"
    ],
    "saml(http://saml.elastic-cloud.com/attributes/roles)": [
      "editor",
      "viewer"
    ],
    "saml_name": [
      "user@ldomain.com"
    ]
  },
  "enabled": true,
  "authentication_realm": {
    "name": "cloud-saml-kibana",
    "type": "saml",
    "domain": "cloud-default"
  },
  "lookup_realm": {
    "name": "cloud-saml-kibana",
    "type": "saml",
    "domain": "cloud-default"
  },
  "authentication_type": "token"
}
```
[3] - GET _security/role_mapping/dom-map
```json
{
  "DOM-MAP": {
    "enabled": true,
    "roles": [
      "custom_reporting",
      "host_isolation"
    ],
    "rules": {
      "all": [
        {
          "field": {
            "groups": "dc=domain,dc=com"
          }
        }
      ]
    },
    "metadata": {}
  }
}
```
[4] - GET _security/role/custom_reporting
```json
{
  "custom_reporting": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "logs-"
        ],
        "privileges": [
          "read",
          "view_index_metadata",
          "all"
        ],
        "field_security": {
          "grant": [
            ""
          ],
          "except": []
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_discover.all",
          "feature_dashboard.all",
          "feature_canvas.all",
          "feature_maps.all",
          "feature_ml.all",
          "feature_graph.all",
          "feature_visualize.all",
          "feature_dev_tools.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```
Thanks!
One request regarding the JSON payloads:
Could you edit your message to format those with the </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted?
It's quite difficult to read otherwise.
Regarding the role mapping issue --
Based on the role-mapping definition you are mapping users based on:
```json
"field": {
  "groups": "dc=domain,dc=com"
}
```
However, in the authenticate response you posted I don't see any SAML metadata fields that would match this. Could you check your SAML realm settings for attribute mapping, in particular that you have correctly configured attributes.groups? This field needs to point to a SAML attribute that contains the value you expect in the field.groups field of your role mapping definition. Note also that "groups": "dc=domain,dc=com" is a literal match, so if you have a SAML attribute like "cn=users,dc=domain,dc=com" the rule will not match.
One more useful debugging resource is our SAML troubleshooting guide: Common SAML issues | Elasticsearch Guide [8.12] | Elastic
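To make the literal-match point above concrete, here is an added example (not code from this thread or from Elastic) that evaluates role-mapping rule trees offline, in the way the documented "all" / "any" / "except" / "field" rule types behave, against a user document assembled from the sanitized authenticate output posted earlier. It only implements literal equality (wildcard patterns in field values are deliberately left out), and the second mapping, keyed on realm name and a metadata field, is constructed here purely for illustration.

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example).

Supports the "all", "any", "except" and "field" rule types with literal
value comparison only; wildcard matching is not implemented here.
"""
from typing import Any


def _user_values(user: dict, path: str) -> list:
    """Resolve a dotted rule field ("groups", "realm.name", "metadata.saml_roles")
    against the user document and always return a list of candidate values."""
    node: Any = user
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []  # field absent: nothing can match
        node = node[part]
    return node if isinstance(node, list) else [node]


def _match_field(user: dict, field_rule: dict) -> bool:
    """Every listed field must have at least one user value literally equal
    to at least one expected value (expected may be a scalar or a list)."""
    for path, expected in field_rule.items():
        wanted = expected if isinstance(expected, list) else [expected]
        if not any(actual == want for actual in _user_values(user, path) for want in wanted):
            return False
    return True


def evaluate_rule(rule: dict, user: dict) -> bool:
    """Recursively evaluate one rule tree against a user."""
    if "all" in rule:
        return all(evaluate_rule(sub, user) for sub in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(sub, user) for sub in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        return _match_field(user, rule["field"])
    raise ValueError(f"unsupported rule: {rule}")


def mapped_roles(mappings: dict, user: dict) -> set:
    """Union of the roles granted by every enabled mapping whose rules match."""
    granted: set = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            granted.update(mapping["roles"])
    return granted


# User document built from the sanitized GET _security/authenticate output
# posted in this thread; note there is no "groups" field at all.
SAML_USER = {
    "username": "5510487348",
    "realm": {"name": "cloud-saml-kibana", "type": "saml"},
    "metadata": {
        "saml_email": ["user@domain.com"],
        "saml_roles": ["editor", "viewer"],
        "saml_principal": ["5510487348"],
    },
}

# The mapping posted as [3].
POSTED_MAPPINGS = {
    "DOM-MAP": {
        "enabled": True,
        "roles": ["custom_reporting", "host_isolation"],
        "rules": {"all": [{"field": {"groups": "dc=domain,dc=com"}}]},
    }
}

# Constructed alternative (not from the thread): key the rule on attributes
# that actually appear in the authenticate response.
METADATA_MAPPINGS = {
    "DOM-MAP": {
        "enabled": True,
        "roles": ["custom_reporting", "host_isolation"],
        "rules": {"all": [
            {"field": {"realm.name": "cloud-saml-kibana"}},
            {"field": {"metadata.saml_roles": "editor"}},
        ]},
    }
}

# Constructed user whose group DN merely contains the expected string.
NESTED_GROUP_USER = {"username": "alice", "groups": ["cn=users,dc=domain,dc=com"], "metadata": {}}

if __name__ == "__main__":
    print("posted mapping:", sorted(mapped_roles(POSTED_MAPPINGS, SAML_USER)))
    print("metadata-based mapping:", sorted(mapped_roles(METADATA_MAPPINGS, SAML_USER)))
    print("nested group DN against posted mapping:", mapped_roles(POSTED_MAPPINGS, NESTED_GROUP_USER))
```

Running it shows the posted mapping granting nothing to the SAML user (no "groups" field exists to compare), the metadata-based mapping granting both roles, and the nested-DN user also getting nothing because "cn=users,dc=domain,dc=com" is not literally equal to "dc=domain,dc=com".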
Hi Nikolai,
That role_mapping already works for the "custom_reporting" role, so the SAML attributes are matching.
I added a new role "host_isolation" with:
```json
{
  "application": "kibana-.kibana",
  "privileges": [
    "feature_siem.minimal_all",
    "feature_siem.endpoint_list_all",
    "feature_siem.trusted_applications_all",
    "feature_siem.host_isolation_exceptions_all",
    "feature_siem.blocklist_all",
    "feature_siem.event_filters_all",
    "feature_siem.policy_management_all",
    "feature_siem.actions_log_management_all",
    "feature_siem.host_isolation_all"
  ]
}
```
And it doesn't work.
Thanks again.