In Kibana Getting [indices/data/read/msearch] Even this access is given in Roles.yml file for shield

security

(balaji) #1

Hi Everyone,

I am using
Elasticsearch 2.4
Shield 2.3
Kibana 4.5.4

We have configured Shield in the roles.yml file in the following way:

developer:
  indices:
    'devtes,devdesi':
      privileges:
        - indices:admin/mappings/fields/get
        - indices:admin/validate/query
        - indices:data/read/search
        - indices:data/read/msearch
        - indices:data/read/field_stats
        - indices:admin/get
      query:
        term:
          dev_name: something

kibana:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '.kibana*,kibana-test,kibana-local':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

Created users for the roles: admin, developer, kibana.
Assigned the developer role user to the kibana role.

Now in the kibana.yml file we configured the Kibana role user.

Now when we log in as a user other than admin, we are getting a security exception [indices:data/read/msearch] when there is no data for that particular date.

So please, can anyone help me out with how to solve this issue?

Thanks


(Lee Drengenberg) #2

I didn't think you could assign one role to another role. Do you mean you assigned the developer and kibana roles to a user?

In your kibana.yml you should have a user with a kibana_server role, which I think is a built-in role in your roles.yml. Do you have a kibana_server role?

Then you have a kibana user (not in the kibana.yml) which needs some privileges on the .kibana index as well as privs on the indexes which contain your data.

Here's a reference;
https://www.elastic.co/guide/en/shield/current/kibana.html

Regards,
Lee


(balaji) #3

Hi Lee,

Thanks for your reply.

No, I mean I assigned the particular user of the developer role to the kibana role.

I created User1 for the developer role.

Now I assigned it in this way:
esusers roles User1 -a kibana

Hope you got my point.

Yes Lee, I have kibana_server. But I have only access to the .kibana index in that role. So shall I give all my indices there also? Please suggest.


(Lee Drengenberg) #4

On my 4.6.0 Kibana instance I have this kibana server role which is only used in the kibana.yml file;

kibana4_server:
  cluster:
      - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

and this kibana user role. In this case I have indices - names: '*' but that one could be 'dev*' or whatever you need. And for the indices that contain the data they need view_index_metadata and read.

But that kibanaUser role also includes '.kibana*' manage, read, and index ;

kibanaUser:
  cluster:
      - monitor
  indices:
    - names: '*'
      privileges:
        - view_index_metadata
        - read
    - names: '.kibana*'
      privileges:
        - manage
        - read
        - index

Here's my simple test setup user/roles;

root@ubuntu32:/usr/share/elasticsearch:> /usr/share/elasticsearch/bin/shield/esusers list
admin          : admin
user           : kibanaUser
kibana4        : kibana4_server

#5

Hi everyone.

In my case I need a kibana user role for access to only one alias (named "rfc"). So, I've configured my role in roles.yml in the following way:

analytics_rfcUser:
  cluster:
      - monitor
  indices:
    - names: 'rfc*'
      privileges:
        - view_index_metadata
        - read
    - names: '.kibana*'
      privileges:
        - manage
        - read
        - index

It's similar to the "my_kibana_user" role that appears in https://www.elastic.co/guide/en/shield/current/kibana.html

But it doesn't work. I don't know if there's a syntax error or if the problem is that I need to use an alias.

Thanks a lot.
AB


(Lee Drengenberg) #6

Hi AB,

Could you please tell us which version of Kibana you are using?

I think there was an issue about Kibana not fully supporting index alias names. If rfc is an alias for some other index name, could you try using the actual name?

Another tip, if you paste the section of your roles.yml with three backticks ` before and after it it will be formatted in a more readable way;

  like here
   privileges

Thanks,
Lee


#7

Hello Lee.
Thank you so much for your reply.

The versions I'm using are:

- elasticsearch 2.4.1
- kibana 4.6.1

I tried to use an index but I get the same output.
I read the issue related to Kibana and index aliases and it seems the problem was solved; so, I'm not sure I'm having the same problem.

Perhaps I need additional privileges or they're the versions we have in our environment... I don't know.

Thanks again.
AB


(Lee Drengenberg) #8

Hi AB,
Your analytics_rfcUser role definition looks correct. What exactly happens when you log in as a user with that role?

One thing that can happen is that if there is a default index pattern that the new user doesn't have access to, they may see an error message about that index. But in that case you should be able to click OK on the error and continue.

Lee


#9

Hello again...

It worked!!! The problem was, as you thought, the default index pattern. When I click on the error message and select another index pattern to which the user has privileges, kibana returns data correctly...

And it works with aliases too!!! This is great, because I use aliases all the time...

Thank you so much for your help!!!
AB


(Lee Drengenberg) #10

You're Welcome. Glad I could help!
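
Added example, not part of the thread: a simplified offline check of the situation resolved in posts #8 and #9, where a user's role does not cover the indices behind Kibana's default index pattern. The matching rules (`*` wildcards only, `read` and `all` as the only named privileges that permit msearch), the index names and the `logstash-*` default pattern are assumptions for illustration, not Shield's own authorization logic.

```python
from fnmatch import fnmatchcase

# analytics_rfcUser from post #5, transcribed into Python data.
ROLES = {
    "analytics_rfcUser": [
        {"names": ["rfc*"], "privileges": ["view_index_metadata", "read"]},
        {"names": [".kibana*"], "privileges": ["manage", "read", "index"]},
    ],
}

# Constructed sample data: indices in the cluster and Kibana's index patterns.
CLUSTER_INDICES = [".kibana", "rfc-2016.10", "logstash-2016.10.01"]
KIBANA_PATTERNS = {"default": "logstash-*", "others": ["rfc*"]}

MSEARCH = "indices:data/read/msearch"


def privilege_allows(privilege, action):
    """Simplified model (assumption): 'all' permits everything, 'read'
    permits indices:data/read/*, anything else is compared as an action name."""
    if privilege == "all":
        return True
    if privilege == "read":
        return action.startswith("indices:data/read/")
    return fnmatchcase(action, privilege)


def allowed(role_names, index, action=MSEARCH, roles=ROLES):
    """True if any entry of any assigned role covers this index and action."""
    for name in role_names:
        for entry in roles.get(name, []):
            covers = any(fnmatchcase(index, p) for p in entry["names"])
            if covers and any(privilege_allows(p, action) for p in entry["privileges"]):
                return True
    return False


def audit(role_names, patterns=KIBANA_PATTERNS, indices=CLUSTER_INDICES):
    """Map each Kibana index pattern to the matching indices the user cannot search."""
    report = {}
    for pattern in [patterns["default"], *patterns["others"]]:
        matched = [i for i in indices if fnmatchcase(i, pattern)]
        report[pattern] = [i for i in matched if not allowed(role_names, i)]
    return report


if __name__ == "__main__":
    for pattern, denied in audit(["analytics_rfcUser"]).items():
        print(pattern, "DENIED on" if denied else "ok", denied)
```

A non-empty list for the default pattern corresponds to the error AB saw on login; the empty list for `rfc*` corresponds to the pattern that returned data once selected.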

