I have set up two users: one is a superuser and the other one is a non-superuser.
For the non-superuser, I have a custom role for user user2 (non-superuser):
GET /_security/role/pb_log
{
  "pb_log" : {
    "cluster" : [
      "manage",
      "manage_index_templates"
    ],
    "indices" : [
      {
        "names" : [
          "log-pb-*"
        ],
        "privileges" : [
          "read",
          "manage",
          "manage_ilm"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_dashboard.all",
          "feature_discover.all",
          "feature_canvas.all",
          "feature_maps.all",
          "feature_ml.all",
          "feature_visualize.all",
          "feature_logs.all",
          "feature_infrastructure.all",
          "feature_apm.all",
          "feature_uptime.all",
          "feature_dev_tools.all",
          "feature_advancedSettings.all",
          "feature_indexPatterns.all",
          "feature_savedObjectsManagement.all"
        ],
        "resources" : [
          "space:default"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
user2 information:
GET /_security/user/user2
{
  "user2" : {
    "username" : "user2",
    "roles" : [
      "pb_log",
      "monitoring_user"
    ],
    "full_name" : "USER2",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}
user2 can access only the log-pb-* indices and user1 can access all,
but I am facing an issue.
In the Elasticsearch logs:
[2021-03-05T16:19:16,148][INFO ][o.e.x.i.IndexLifecycleRunner] [em1] policy [winlogbeat_sysmon_policy] for index [log-wlb-sysmon-2021.03.02-000023] on an error step due to a transient error, moving back to the failed step [check-rollover-ready] for execution. retry attempt [28]
security_exception: action [indices:admin/rollover] is unauthorized for user [user2]
I am using winlogbeat and packetbeat logs. user2 can use packetbeat and user1 can use both, so I have set up another role for Logstash.
The role name is pb_logstash:
{
  "pb_logstash" : {
    "cluster" : [
      "manage",
      "manage_index_templates",
      "monitor",
      "manage_ilm"
    ],
    "indices" : [
      {
        "names" : [
          "log-pb-*"
        ],
        "privileges" : [
          "write",
          "manage",
          "manage_ilm",
          "read",
          "create_index",
          "create"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
But when I log in with user1 there is an error showing in Kibana Stack Management.
The question is: user2 can access only the packetbeat indices and not winlogbeat, so why is it showing that user2 is unauthorised?
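Added example (not part of the post above): an offline check of which of a user's roles grant a given index action on a given index name, using the two role definitions from the post and the index name and action from the quoted log line. The `indices:admin/rollover` action is covered by the `manage` (or `all`) index privilege; the action-to-privilege table below is a simplified subset and an assumption, as is modelling the built-in `monitoring_user` role as granting nothing on `log-*` indices. The index in the log line, `log-wlb-sysmon-2021.03.02-000023`, does not match the `log-pb-*` pattern that both custom roles are scoped to, so no role of user2 grants the rollover there, which is what the `security_exception` reports. The helper `has_privileges_body` builds the request body for the real `GET /_security/user/_has_privileges` API so the same result can be confirmed against a live cluster. Note that ILM runs a policy's steps with the security headers of the user who last created or updated that policy, so a policy saved by user2 will have its rollover attempted as user2.

```python
"""Offline privilege check for Elasticsearch index actions.

Added example, not from the original post. Role definitions are copied from
the post (index part only); the action-to-privilege table and the treatment
of the built-in monitoring_user role are simplifying assumptions.
"""
from fnmatch import fnmatchcase

# Index privileges of the roles shown in the post.
ROLES = {
    "pb_log": {
        "indices": [
            {"names": ["log-pb-*"], "privileges": ["read", "manage", "manage_ilm"]},
        ],
    },
    "pb_logstash": {
        "indices": [
            {"names": ["log-pb-*"],
             "privileges": ["write", "manage", "manage_ilm", "read", "create_index", "create"]},
        ],
    },
    # Built-in role; assumed here to grant nothing on log-* indices.
    "monitoring_user": {"indices": []},
}

# Which index privileges cover which action (simplified subset, assumption).
ACTION_PRIVILEGES = {
    "indices:admin/rollover": {"all", "manage"},
    "indices:data/read/search": {"all", "read"},
}


def role_grants(role_name, index_name, action):
    """True if the role has an index grant whose pattern matches index_name
    and whose privileges include one that covers the action."""
    role = ROLES.get(role_name, {"indices": []})  # unknown role grants nothing
    needed = ACTION_PRIVILEGES[action]
    for grant in role["indices"]:
        pattern_hit = any(fnmatchcase(index_name, p) for p in grant["names"])
        if pattern_hit and needed & set(grant["privileges"]):
            return True
    return False


def granting_roles(user_roles, index_name, action):
    """Roles of the user that grant the action on the index (empty == unauthorized)."""
    return [r for r in user_roles if role_grants(r, index_name, action)]


def has_privileges_body(index_name, privilege):
    """Request body for GET /_security/user/_has_privileges to confirm the result live."""
    return {"index": [{"names": [index_name], "privileges": [privilege]}]}


if __name__ == "__main__":
    # Index name and action taken from the log line in the post.
    idx = "log-wlb-sysmon-2021.03.02-000023"
    act = "indices:admin/rollover"
    user2_roles = ["pb_log", "monitoring_user"]
    print("user2 on", idx, act, "granted by:", granting_roles(user2_roles, idx, act) or "no role")
    # Constructed packetbeat index name for comparison.
    print("user2 on log-pb-2021.03.05-000001", act, "granted by:",
          granting_roles(user2_roles, "log-pb-2021.03.05-000001", act))
    print("has_privileges body:", has_privileges_body(idx, "manage"))
```

Running it with the post's values reports no granting role for user2 on the winlogbeat index and `pb_log` on a packetbeat-style index; sending the printed body to `_has_privileges` as user2 should show `"manage": false` for the winlogbeat index on a live cluster.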