Indices:data/write/bulk[s] access denied for reporting user


(Alex) #1

Hello, I've been configuring a user for auto generating and sending reports via watch.

The user is an LDAP user and I have configured the "kibana_user" and "reporting_user" roles via "/etc/elasticsearch/x-pack/role_mappings.yml" but every time I try and run the watch to generate the reports I get a 403 return code.
Looking at elasticsearch_access.log I see:

[2017-06-05T13:56:28,475] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2017-06-05T13:56:28,478] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2017-06-05T13:56:28,492] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2017-06-05T13:56:28,494] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/read/get], indices=[.kibana], request=[GetRequest]
[2017-06-05T13:56:28,495] [transport] [access_granted] origin_type=[local_node], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/read/get[s]], indices=[.kibana], request=[GetRequest]
[2017-06-05T13:56:28,502] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/write/index], indices=[.reporting-2017.06.04], request=[IndexRequest]
[2017-06-05T13:56:28,502] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/write/bulk], request=[BulkRequest]
[2017-06-05T13:56:28,502] [transport] [access_denied] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/write/bulk[s]], indices=[.reporting-2017.06.04], request=[BulkShardRequest]

I've even tried giving the reporting user the superuser role, and still the same error, but if I try with my own user (LDAP also) everything works fine.

Using curl:

curl -v -u reporting_user -XPOST 'https://elk.example.com/api/reporting/generate/dashboard/9ccbe5a0-4902-11e7-b901-6b6ef7aa4db7?_g=(some_stuff)' -H kbn-version:5.4.0

The report is created and I can download it from web UI or via curl.

Here is the watch:

{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "none": {}
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "email_bgu": {
      "email": {
        "profile": "standard",
        "to": [
          "alex@example.com"
        ],
        "subject": "Report",
        "attachments": {
          "report.pdf": {
            "reporting": {
              "url": "https://elk.example.com/api/reporting/generate/dashboard/9ccbe5a0-4902-11e7-b901-6b6ef7aa4db7?_g=(some_settings)",
              "auth": {
                "basic": {
                  "username": "reporting_user",
                  "password": "some_pass"
                }
              }
            }
          }
        }
      }
    }
  }
}
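Added example, not part of the original posts and not Elastic's code: a Python parser for the access-log format quoted in the post above, which reports each access_denied entry with the principal the cluster recorded and whether the same principal was granted the base action. The function names are hypothetical, and treating a trailing "[x]" as a child of the base action name is an assumption of this example.

```python
import re
from collections import defaultdict

# Three entries copied from the access log quoted in the post above.
SAMPLE = """\
[2017-06-05T13:56:28,502] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/write/index], indices=[.reporting-2017.06.04], request=[IndexRequest]
[2017-06-05T13:56:28,502] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/write/bulk], request=[BulkRequest]
[2017-06-05T13:56:28,502] [transport] [access_denied] origin_type=[rest], origin_address=[127.0.0.1], principal=[bgu_testuser], action=[indices:data/write/bulk[s]], indices=[.reporting-2017.06.04], request=[BulkShardRequest]
""".splitlines()

HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+\[(?P<event>[^\]]+)\]\s+(?P<fields>.*)$")
# Values may contain brackets themselves (bulk[s]), so a value ends only at a
# "]" that is followed by the next ", key=[" or by the end of the line.
FIELD = re.compile(r"(\w+)=\[(.*?)\](?=,\s+\w+=\[|$)")

def parse_line(line):
    """Return one log entry as a dict, or None if the line is not in this format."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = {"ts": m["ts"], "layer": m["layer"], "event": m["event"]}
    entry.update(FIELD.findall(m["fields"]))
    return entry

def base_action(action):
    # Assumption of this example: a trailing "[x]" marks a child of the base action.
    return re.sub(r"\[\w+\]$", "", action)

def denied_entries(lines):
    """List denials, noting whether the principal was granted the base action earlier."""
    granted = defaultdict(set)
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        who, action = entry.get("principal"), entry.get("action", "")
        if entry["event"] == "access_granted":
            granted[who].add(action)
        elif entry["event"] == "access_denied":
            base = base_action(action)
            findings.append({"principal": who, "action": action,
                             "indices": entry.get("indices"),
                             "base_granted": base != action and base in granted[who]})
    return findings

if __name__ == "__main__":
    for finding in denied_entries(SAMPLE):
        print(finding)
```

The `principal` field in each finding is the identity the cluster authorized the request as, which is the name to compare against the role mappings when reading a denial.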


(Colin Goodheart-Smithe) #2

Since this question is about security, watcher and reporting in x-pack, I'm going to move this to the X-Pack category.


(Alexander Reelsen) #3

Can you paste the output of the Execute Watch API?

This will allow us to check what happens here with a bit more detail. Run the API like this:

POST _xpack/watcher/watch/your_watch_id/_execute

--Alex

