Issue with role permissions for user role mapping with AAD

Kibana version: 8.4.2

Elasticsearch version: 8.4.2

APM Server version: 8.4.2

APM Agent language and version: Java Agent, Version 1.33.0

Browser version: Microsoft Edge, Version 106.0.1370.47

Fresh install or upgraded from other version? Fresh install

Description of the problem including expected versus actual behavior. Please include screenshots (if relevant):

In order to allow users to login after being authenticated to AAD. For this I created an Enterprise Application in AAD and configured SAML with my Elastic Cloud deployment.
Then I created role-mapping for "superuser", "editor" and "reader". The same value has been assigned to App Role in the Enterprise Application of Azure Active Directory (AAD). The user added to the Enterprise Application are able to login to the Kibana dashboard using the AAD.

However, when the user with role-mapped as "superuser", "editor" and "reader" tries to access APM, dashboard and Discover tab is getting the below error message:
Error fetching fields for data view -elastic-cloud-logs-,.alerts-security.alerts-default,apm--transaction,auditbeat-,endgame-,filebeat-,logs-,packetbeat-,traces-apm,winlogbeat-* (ID: security-solution-default)

[object Object]: security_exception: [security_exception] Reason: action [indices:data/read/field_caps] is unauthorized for user [Gaurav.Kumar1@landmarkgroup.com] with roles [reader,kibana_admin], this action is granted by the index privileges [view_index_metadata,manage,read,all]

The logged in user has been added to App Role "superuser". Ideally this user should have all the permission to administrate. The same is happening for users in App roles "editor" and "viewer".

Also, please note that we want to avoid giving "kibana_admin" permission to users who are "editor" and "viewer".

Errors in browser console (if relevant):

Error fetching fields for data view -elastic-cloud-logs-,.alerts-security.alerts-default,apm--transaction,auditbeat-,endgame-,filebeat-,logs-,packetbeat-,traces-apm,winlogbeat-* (ID: security-solution-default)

[object Object]: security_exception: [security_exception] Reason: action [indices:data/read/field_caps] is unauthorized for user [Gaurav.Kumar1@landmarkgroup.com] with roles [reader,kibana_admin], this action is granted by the index privileges [view_index_metadata,manage,read,all]

The error message says your user have only the roles reader and kibana_admin. It does not have the superuser role. It's eitehr a role mapping problem. Or it might be a caching problem which can be solved by clearing the realm cache with something like

POST /_security/realm/*/_clear_cache

We also had a similar issue after upgrading to major version 8. Even as superuser we got this error.
Our issue was similar to yours and Receiving org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed after 7.17.1 to 8.2.3 upgrade

We were able to resolve it by removing an excess comma within the data view definition.
In Stack Management -> Data Views we searched for the ID given in the error message. Editing this data view showed that Kibana was not able to correctly parse the given index pattern due to the additional comma. Once fixed it showed the correct indices on the right hand side.
After saving the data view the issue was resolved for us.

Seeing your error, I think there may be something wrong with the data view too, unless you have indices start with a dash (as the pattern begins with -elastic-cloud-logs- in the error message)

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.