Index_not_found_exception for Shield protected ES/Kibana user with Kibana trying to lookup the default index of the previous logged in user

security

(Sanjeet) #1

Hi,
I'm currently evaluating Kibana with Shield/ES with Shield for our user/dev groups. The requirement is that one group should not have access to other groups' logs. I'm seeing this error when I log in as a second user: [index_not_found_exception] no such index, with: {"index":"[other users default index]"}, after having logged on as another user and set a default index.

Versions are:
RPM from elastic.co installed

kibana ver: Version: 4.4.0 (kibana-4.4.0-1) Build: 9689
with kibana shield plugin ver: 2.2.0
ES version: elasticsearch-2.2.0-1
with es shield plugin ver : 2.2.0

The whole text of the error is as follows, as can be seen if you do this:
- log in as one user and set the default index, and log off if you wish, but that makes no difference
- now log in as another new user (in the same or another browser, even in incognito mode) and the following error is flagged. It seems that Kibana is trying to look up the default index of the last user (where rightfully the new user will not have access). So why is it trying to see the other user's default index? TCP dump also confirms that the HTTP call to Elasticsearch is for looking up the default index in the .kibana index.

[index_not_found_exception] no such index, with: {"index":"[other users default index]"}
Error: [index_not_found_exception] no such index, with: {"index":"[other users default index*]"}
at respond (https://hostname:8443/bundles/kibana.bundle.js?v=9689:64200:16)
at checkRespForFailure (https://hostname:8443/bundles/kibana.bundle.js?v=9689:64163:8)
at https://hostname:8443/bundles/kibana.bundle.js?v=9689:62781:8
at processQueue (https://hostname:8443/bundles/commons.bundle.js?v=9689:41836:29)
at https://hostname:8443/bundles/commons.bundle.js?v=9689:41852:28
at Scope.$eval (https://hostname:8443/bundles/commons.bundle.js?v=9689:43080:29)
at Scope.$digest (https://hostname:8443/bundles/commons.bundle.js?v=9689:42891:32)
at Scope.$apply (https://hostname:8443/bundles/commons.bundle.js?v=9689:43188:25)
at done (https://hostname:8443/bundles/commons.bundle.js?v=9689:37637:48)
at completeRequest (https://hostname:8443/bundles/commons.bundle.js?v=9689:37835:8)

Not sure if this is/was a known issue and has been patched. This surely is not an ACL issue, as the second user does not (and rightfully should not) have access to the previous user's default index.

When I log back in as the first user, no error is flagged.
To test this further, I reverted to the defaults and then logged in as the second user first, and set a default index. Now if I log in as the first user, this user sees this error where Kibana is trying to search the default index (in the .kibana index) which has been set by the second user this time.

Any help would be appreciated from ES support and the community
Regards
Sanjeet


(Steve Kearns) #2

Hi Sanjeet,

Today, the "default index" is a global setting in Kibana, so it applies to all users of the system. There may be a better solution I'm not aware of, but in the short term, I suggest having an index pattern that both users have access to, and setting that as the default.

For example, depending on your data, and how many other indexes you have in ES, you could create a single index pattern for *, and rely on Shield to prevent a user from gaining access to any indexes they shouldn't see, and on Kibana to efficiently select which indexes to query.

As you might imagine, we want to improve the ways that Kibana and Shield work together, and improving this behavior is on the list!

Thanks,
Steve
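
A way to sanity-check a candidate global default index pattern before setting it, as an added example that is not part of the original thread and is not Kibana or Shield code. It assumes a simplified model in which the security layer narrows a wildcard pattern to the indices the user's role may read, and an empty result produces the error from post #1; all index names, role names and patterns are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample data: indices in the cluster and, per role, the
# index patterns that role may read (a stand-in for the real role file).
INDICES = [
    ".kibana",
    "teama-logs-2016.02.01",
    "teama-logs-2016.02.02",
    "teamb-logs-2016.02.01",
]
ROLE_PATTERNS = {
    "team_a": ["teama-logs-*"],
    "team_b": ["teamb-logs-*"],
}


def authorized(role, index, role_patterns=ROLE_PATTERNS):
    """True if any of the role's patterns covers this concrete index."""
    return any(fnmatchcase(index, p) for p in role_patterns[role])


def resolve(role, default_pattern, indices=INDICES, role_patterns=ROLE_PATTERNS):
    """Indices the global default pattern expands to for one role:
    those that match the pattern AND that the role may read."""
    return sorted(
        i for i in indices
        if fnmatchcase(i, default_pattern) and authorized(role, i, role_patterns)
    )


def broken_roles(default_pattern, indices=INDICES, role_patterns=ROLE_PATTERNS):
    """Roles for which the default pattern resolves to nothing, i.e. the
    users who would see index_not_found_exception on login."""
    return sorted(
        role for role in role_patterns
        if not resolve(role, default_pattern, indices, role_patterns)
    )


def leaks(default_pattern, indices=INDICES, role_patterns=ROLE_PATTERNS):
    """(role, index) pairs where a role resolves an index outside its own
    patterns. Must stay empty: isolation comes from the role, not the default."""
    return [
        (role, i)
        for role in role_patterns
        for i in resolve(role, default_pattern, indices, role_patterns)
        if not authorized(role, i, role_patterns)
    ]


if __name__ == "__main__":
    for candidate in ("teama-logs-*", "*"):
        print(candidate, "-> broken for:", broken_roles(candidate))
```
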

