Kibana read-only role (7.9.0)

I'm trying to achieve a generic read-only role in kibana (7.9.0), and since the kibana_user role is deprecated (and not really replaced with a new one) one would assume that it should be pretty simple.

However I'm bumping into some issues. I'm getting errors like this in the UI:

[security_exception] action [indices:data/read/search] is unauthorized for user [niklas.kurvinen]

This happens on all SIEM pages. The weird thing is that this error isn't present in the kibana logs (verbose logging) nor in the elasticsearch logs. And that line is all I get in the UI.

This is my role:

{
  "read_only" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "filebeat-*",
          "metricbeat-*",
          "auditbeat-*",
          "packetbeat-*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.read",
          "feature_visualize.read",
          "feature_dashboard.read",
          "feature_canvas.read",
          "feature_maps.read",
          "feature_infrastructure.read",
          "feature_logs.read",
          "feature_apm.read",
          "feature_uptime.read",
          "feature_siem.read"
        ],
        "resources" : [
          "space:default"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

And here's my user:

{
  "niklas.kurvinen" : {
    "username" : "niklas.kurvinen",
    "roles" : [
      "read_only"
    ],
    "full_name" : "Niklas Kurvinen",
    "email" : "my@email",
    "metadata" : {
      "type" : "kibana_user"
    },
    "enabled" : true
  }
}

I've tried adding read permissions for other indices (system indices that is), but the only thing I've found that actually resolves it is the superuser role - which obviously isn't a good solution in this situation.

If anyone could help me out here it would be really appreciated.

Have you tried adding read access to data/read/search index?

Oh, is there an actual index called "data/read/search"?

Either something is really poorly documented, or there's no such index. I interpret the error message as a generic "permission denied" message that usually comes with more details than this.

Since it's only (as far as I can see) happening in the SIEM part of kibana - is there maybe some setup missing that SIEM relies on, such as indices or index patterns that need to be created?
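The thread never pins down which index the rejected indices:data/read/search action touched. A quick way to reason about that from the role definition alone is to expand the role's index patterns against concrete index names and see which ones receive no read privilege. The script below is an added example written for this thread, not code from the original post or from Elastic; the role is a copy of the one posted above, while the index names, the wider comparison role and the restricted-index name it uses are constructed assumptions for illustration. It also shows why the flag allow_restricted_indices: false in the posted role matters: even a "*" pattern does not reach a restricted system index unless that flag is true.

```python
import re

# Copy of the role posted in the thread (only the index section is used here).
ROLE = {
    "cluster": [],
    "indices": [
        {
            "names": ["filebeat-*", "metricbeat-*", "auditbeat-*", "packetbeat-*"],
            "privileges": ["read", "view_index_metadata"],
            "allow_restricted_indices": False,
        }
    ],
}

# Constructed comparison role: read on everything, but restricted indices still excluded.
WIDE_ROLE = {
    "cluster": [],
    "indices": [{"names": ["*"], "privileges": ["read"], "allow_restricted_indices": False}],
}

# Assumption for this example: the name of a restricted (system) index that a pattern
# only matches when allow_restricted_indices is true. Constructed, not from the page.
RESTRICTED_INDICES = {".security-7"}

# Constructed index names a search might be sent to; the last two sit outside the
# posted role's patterns on purpose so the check has something to report.
SEARCHED_INDICES = [
    "filebeat-7.9.0-2020.09.01",
    "auditbeat-7.9.0-2020.09.01",
    "packetbeat-7.9.0-2020.09.01",
    "winlogbeat-7.9.0-2020.09.01",
    ".security-7",
]


def pattern_to_regex(pattern):
    """Elasticsearch index-name patterns use '*' as the only wildcard; map that to a regex."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def granted_privileges(role, index_name):
    """Return the set of index privileges `role` grants on one concrete index name."""
    granted = set()
    for entry in role["indices"]:
        # A restricted index is only reachable by entries that explicitly allow it.
        if index_name in RESTRICTED_INDICES and not entry.get("allow_restricted_indices", False):
            continue
        if any(pattern_to_regex(p).match(index_name) for p in entry["names"]):
            granted.update(entry["privileges"])
    return granted


def uncovered_indices(role, index_names, needed="read"):
    """Indices among `index_names` on which the role does not grant the `needed` privilege.

    These are the indices the role does not let the user search; a search that names one
    of them is the kind of request that fails with indices:data/read/search unauthorized.
    """
    return [name for name in index_names if needed not in granted_privileges(role, name)]


if __name__ == "__main__":
    for name in SEARCHED_INDICES:
        print(f"{name:32} {sorted(granted_privileges(ROLE, name)) or '-'}")
    print("posted role, missing read on:", uncovered_indices(ROLE, SEARCHED_INDICES))
    print("wide role, missing read on:", uncovered_indices(WIDE_ROLE, SEARCHED_INDICES))
```

Running it against the posted role flags winlogbeat-7.9.0-2020.09.01 and .security-7 as unreadable; the wide role still flags .security-7, which is the effect of allow_restricted_indices being false. To check the same thing against a live cluster rather than a local copy of the role, the Elasticsearch has-privileges API (GET /_security/user/_has_privileges, called as the user in question with an index block naming the indices and the read privilege) reports per index whether the privilege is granted, without needing to reproduce the error in the UI.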
