Kibana multiple user problem

I have set up two users: one is a superuser and the other one is a non-superuser.
For the non-superuser, I have a custom role for user user2 (non-superuser):

GET /_security/role/pb_log
{
  "pb_log" : {
    "cluster" : [
      "manage",
      "manage_index_templates"
    ],
    "indices" : [
      {
        "names" : [
          "log-pb-*"
        ],
        "privileges" : [
          "read",
          "manage",
          "manage_ilm"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_dashboard.all",
          "feature_discover.all",
          "feature_canvas.all",
          "feature_maps.all",
          "feature_ml.all",
          "feature_visualize.all",
          "feature_logs.all",
          "feature_infrastructure.all",
          "feature_apm.all",
          "feature_uptime.all",
          "feature_dev_tools.all",
          "feature_advancedSettings.all",
          "feature_indexPatterns.all",
          "feature_savedObjectsManagement.all"
        ],
        "resources" : [
          "space:default"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

user2 information

GET /_security/user/user2
{
  "user2" : {
    "username" : "user2",
    "roles" : [
      "pb_log",
      "monitoring_user"
    ],
    "full_name" : "USER2",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}

user2 can access only log-pb-* indices and user1 can access all,
but I am facing an issue
in the Elasticsearch logs:


[2021-03-05T16:19:16,148][INFO ][o.e.x.i.IndexLifecycleRunner] [em1] policy [winlogbeat_sysmon_policy] for index [log-wlb-sysmon-2021.03.02-000023] on an error step due to a transient error, moving back to the failed step [check-rollover-ready] for execution. retry attempt [28]
security_exception: action [indices:admin/rollover] is unauthorized for user [user2]

I am using winlogbeat and packetbeat logs. user2 can use packetbeat and user1 can use both, so I have set up another role for Logstash.
The role name is pb_logstash:

{
  "pb_logstash" : {
    "cluster" : [
      "manage",
      "manage_index_templates",
      "monitor",
      "manage_ilm"
    ],
    "indices" : [
      {
        "names" : [
          "log-pb-*"
        ],
        "privileges" : [
          "write",
          "manage",
          "manage_ilm",
          "read",
          "create_index",
          "create"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

But when I log in with user1 there is an error showing in Kibana Stack Management.

The question is: user2 can access only packetbeat indices and cannot access winlogbeat, so why is it showing that user2 is unauthorised?

From what I see, the role definitions for user2 (which I assume is the one from the screenshots) don't have any permissions for the log-wlb* indices. I only see log-pb-* there.

user1 is a superuser, which means it can access any index, and user2 can access log-plb-*

Ok, and user 2 is showing unauthorized on "log-wlb-sysmon....", which seems to be as intended, right?

Yes.
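
The check discussed in this thread, as an added example that is not part of the original posts: it parses the two log lines from the question and tests user2's role index patterns against the denied action. The privilege-to-action table and the `monitoring_user` entry are simplified assumptions, and the function names are hypothetical.

```python
import re

# Role data copied from the question, trimmed to the fields this check needs.
ROLES = {
    "pb_log": [{"names": ["log-pb-*"], "privileges": ["read", "manage", "manage_ilm"]}],
    # Assumption: simplified stand-in for the built-in monitoring_user role.
    "monitoring_user": [{"names": [".monitoring-*"], "privileges": ["read"]}],
}
USER_ROLES = {"user2": ["pb_log", "monitoring_user"]}

# Assumption: simplified subset of the index-privilege -> action mapping.
PRIVILEGE_ACTIONS = {
    "all": ["indices:*"],
    "manage": ["indices:admin/*", "indices:monitor/*"],
    "manage_ilm": ["indices:admin/ilm/*"],
    "read": ["indices:data/read/*"],
}

LOG = (  # the two log lines quoted in the question
    "[2021-03-05T16:19:16,148][INFO ][o.e.x.i.IndexLifecycleRunner] [em1] policy "
    "[winlogbeat_sysmon_policy] for index [log-wlb-sysmon-2021.03.02-000023] on an error step due to "
    "a transient error, moving back to the failed step [check-rollover-ready] for execution. retry attempt [28]\n"
    "security_exception: action [indices:admin/rollover] is unauthorized for user [user2]"
)

def wildcard_match(pattern, value):
    """Match '*' and '?' wildcards only (regex-style /.../ patterns are not handled)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def parse_denial(log):
    """Return (index, action, user) from the ILM error and security_exception lines."""
    index = re.search(r"for index \[([^\]]+)\]", log).group(1)
    return (index, *re.search(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]", log).groups())

def grants(index, action, user):
    """Return the (role, pattern, privilege) tuples that allow `action` on `index`."""
    hits = []
    for role in USER_ROLES.get(user, []):
        for entry in ROLES.get(role, []):
            for pattern in entry["names"]:
                for priv in entry["privileges"]:
                    allowed = PRIVILEGE_ACTIONS.get(priv, [])
                    if wildcard_match(pattern, index) and any(wildcard_match(a, action) for a in allowed):
                        hits.append((role, pattern, priv))
    return hits

if __name__ == "__main__":
    print(parse_denial(LOG), "->", grants(*parse_denial(LOG)) or "no matching grant")
```

With security enabled, ILM runs a policy's actions as the user who last updated that policy, with the roles that user had at that time, which is how a background rollover can be attributed to user2.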
