Need to give read access to .fleet-artifacts system index to non-admin user (Developer role)

I want to give read access to the .fleet-artifacts index to non-admin users; these users have the developer role. I have given the permission, but I am getting the following error when I try to access it via the API.

"type": "security_exception",
"reason": "action [indices:admin/get] is unauthorized for user with effective roles [developer,kibana_user,monitoring_user,reporting_user,vx_beats] on restricted indices [.fleet-artifacts], this action is granted by the index privileges [view_index_metadata,manage,all]"

I can see the same index with the admin user but am not able to read it with the non-admin user.

Any idea how I can give access to this index to a non-admin user?

Are you configuring the role via the API or Kibana (or via files)?

You need to configure the role with allow_restricted_indices: true, but the exact instructions will depend on which method you are using.

The role is created in Kibana. You can see in the image below that I have given read access, but I did not see where I have to write allow_restricted_indices: true?

You can't set allow_restricted_indices using the UI; Elastic does not expose this setting through the UI.

You will need to create a specific role using the API, and then add this role to your user.

The request would be something like this:

PUT _security/role/grant_system_indices
{
  "indices": [
    {
      "names": [
        ".fleet*"
      ],
      "privileges": [
        "read"
      ],
      "allow_restricted_indices": true
    }
  ]
}

I did, but it returned false.

{
  "role": {
    "created": false
  }
}

If you updated an existing role, then it was not created.

As you can see in the image below, I set the value to true and it is showing in the role as well, but when I try to access the index via the non-admin user it gives the same error.


"type": "security_exception",
"reason": "action [indices:admin/get] is unauthorized for user with effective roles [developer,kibana_user,monitoring_user,reporting_user,vx_beats] on restricted indices [.fleet-artifacts], this action is granted by the index privileges [view_index_metadata,manage,all]"

Maybe there is no way to give access to a system index to a non-admin user; I mean it is a restriction from Elasticsearch.

No, it should work if you created the role and added it to your user.

Can you share the full request you made? You didn't share the role name.

Also, did you add the new role to your user?

Here is the full request. I created the developer role. I did not understand "add the user"; how can I do it? I mean the user is part of the developer role, so I should not add this user.

PUT _security/role/developer
{
    "cluster": [
      "manage_watcher",
      "manage_ingest_pipelines",
      "read_ilm",
      "read_pipeline",
      "read_ccr",
      "read_slm",
      "manage_ml",
      "manage_transform"
    ],
    "indices": [
      {
        "names": [
          "apm-*",
          "winston-*",
          "filebeat-*",
          "metricbeat-*",
          "application-*",
          "log4stash-*",
          "monolog-*",
          "logs-*",
          ".watches",
          ".triggered_watches",
          ".watcher-history-*",
          "traces-*",
          "logs-apm*",
          "metrics-apm*",
          ".ds*",
          "metrics-*",
          "logs-*",
          "gco-*",
          ".apm-source-map"
        ],
        "privileges": [
          "read",
          "view_index_metadata",
          "index"
        ],
        "field_security": {
          "grant": [
            "*"
          ],
          "except": []
        },
        "allow_restricted_indices": false
      },
      {
        "names": [
          ".slo-*"
        ],
        "privileges": [
          "all"
        ],
        "field_security": {
          "grant": [
            "*"
          ]
        },
        "allow_restricted_indices": false
      },
      {
        "names": [
          ".fleet-artifacts*"
        ],
        "privileges": [
          "read"
        ],
        "field_security": {
          "grant": [
            "*"
          ]
        },
        "allow_restricted_indices": true
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_discover.all",
          "feature_dashboard.all",
          "feature_canvas.all",
          "feature_maps.all",
          "feature_ml.all",
          "feature_graph.all",
          "feature_visualize.all",
          "feature_logs.all",
          "feature_infrastructure.all",
          "feature_apm.all",
          "feature_uptime.all",
          "feature_actions.all",
          "feature_stackAlerts.all",
          "feature_savedObjectsTagging.all",
          "feature_dev_tools.all",
          "feature_savedObjectsManagement.all",
          "feature_indexPatterns.all",
          "feature_slo.all"
        ],
        "resources": [
          "*"
        ]
      },
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_indexPatterns.all"
        ],
        "resources": [
          "space:eventbus",
          "space:gco"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
}

I also created this role mapping with my non-admin user.

POST /_security/role_mapping/restricted_index
{
  "roles": [ "developer"],
  "enabled": true, 
  "rules": {
    "field" : { "username" : [ "joshis" ] }
  },
  "metadata" : { 
    "version" : 1
  }
}

I would recommend having it in a separate role and adding this role to the role mapping of the user, but this should work as well.

Not sure why it is not working.

How are you making the request? Are you using an API Key?

Yes, I am doing this via the API.

I will try this and update here. Thanks.

API Keys are not updated when you update the role; you need to create a new API Key to reflect the changes.

Yes it does, it will update it; I checked it after making the request.

I created a new role mapping with my user, as we are using Active Directory. I created it using the following request, but it is still not working.

POST /_security/role_mapping/restricted_index
{
  "roles": [ "developer"],
  "enabled": true,
  "rules": {
    "field" : { "username" : "cn=Sachin,dc=XXXX,dc=XXXX" }
  },
  "metadata" : {
    "version" : 1
  }
}

read allows reading documents; it does not allow access to the index itself.
You need to grant view_index_metadata as well.
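To see why the posted role still fails, here is an added example that is not part of the thread and not Elasticsearch's own code: a small Python model of how index privileges in a role are resolved against an action. The mapping for `indices:admin/get` (granted by `view_index_metadata`, `manage`, `all`) is taken from the error message in the thread; the `read` row and the restricted-index name patterns are assumptions made for this example, and `DEVELOPER_ROLE` is the posted developer role trimmed to its index entries. Running it reproduces the thread: search on .fleet-artifacts is authorized, GET index is not, and adding `view_index_metadata` to the restricted-index entry fixes it.

```python
"""Toy model of Elasticsearch index-privilege resolution (added example, not
Elasticsearch code). It shows why 'read' on .fleet-artifacts* with
allow_restricted_indices: true still fails for indices:admin/get, and why
adding view_index_metadata to that entry fixes it.
"""
import fnmatch
import json

# Which index privileges grant which action. The indices:admin/get row is
# copied from the error message in this thread; the search row is the
# documented meaning of the 'read' privilege. Other actions are left out.
ACTION_GRANTED_BY = {
    "indices:admin/get": {"view_index_metadata", "manage", "all"},
    "indices:data/read/search": {"read", "all"},
}

# Name patterns of restricted (system) indices. Assumption for this example:
# the thread only demonstrates that .fleet-artifacts is restricted.
RESTRICTED_PATTERNS = (".fleet-*", ".security*")


def is_restricted(index: str) -> bool:
    return any(fnmatch.fnmatchcase(index, p) for p in RESTRICTED_PATTERNS)


def effective_privileges(role: dict, index: str) -> set:
    """Union of privileges from every role entry whose pattern matches the index.

    For a restricted index, entries with allow_restricted_indices: false are
    ignored no matter how broad their patterns are, so the first entry of the
    posted role (which even contains ".ds*") contributes nothing here.
    """
    privs: set = set()
    restricted = is_restricted(index)
    for entry in role.get("indices", []):
        if restricted and not entry.get("allow_restricted_indices", False):
            continue
        # .strip() because the posted role has patterns like "logs-* " with a
        # trailing space, which as written would never match any index.
        if any(fnmatch.fnmatchcase(index, p.strip()) for p in entry["names"]):
            privs.update(entry["privileges"])
    return privs


def authorize(role: dict, index: str, action: str) -> bool:
    """True if at least one effective privilege grants the action."""
    return bool(effective_privileges(role, index) & ACTION_GRANTED_BY[action])


def fixed_role(role: dict) -> dict:
    """Copy of the role with view_index_metadata added to each restricted-index
    entry, the change suggested in the last reply of the thread."""
    fixed = json.loads(json.dumps(role))  # deep copy; input is left untouched
    for entry in fixed["indices"]:
        if entry.get("allow_restricted_indices") and "view_index_metadata" not in entry["privileges"]:
            entry["privileges"].append("view_index_metadata")
    return fixed


# The index section of the role posted in the thread, trimmed to the parts
# that matter for this check (cluster, application and field_security left out).
DEVELOPER_ROLE = {
    "indices": [
        {"names": ["apm-*", "filebeat-*", "logs-* ", ".ds*"],
         "privileges": ["read", "view_index_metadata", "index"],
         "allow_restricted_indices": False},
        {"names": [".slo-*"], "privileges": ["all"], "allow_restricted_indices": False},
        {"names": [".fleet-artifacts*"], "privileges": ["read"], "allow_restricted_indices": True},
    ]
}


def report(role: dict, index: str, action: str) -> str:
    """One-line verdict in the spirit of the security_exception in the thread."""
    have = sorted(effective_privileges(role, index))
    verdict = "authorized" if authorize(role, index, action) else "unauthorized"
    return (f"{action} on {index}: {verdict} "
            f"(effective privileges {have}, granted by {sorted(ACTION_GRANTED_BY[action])})")


if __name__ == "__main__":
    # Reproduces the thread: search works, GET index does not...
    print(report(DEVELOPER_ROLE, ".fleet-artifacts", "indices:data/read/search"))
    print(report(DEVELOPER_ROLE, ".fleet-artifacts", "indices:admin/get"))
    # ...until view_index_metadata is added to the restricted-index entry.
    print(report(fixed_role(DEVELOPER_ROLE), ".fleet-artifacts", "indices:admin/get"))
    # The corrected entry, ready to paste into the PUT _security/role/developer body.
    print(json.dumps(fixed_role(DEVELOPER_ROLE)["indices"][2], indent=2))
```

The point the model makes explicit is that the two checks are independent: `allow_restricted_indices: true` decides whether an entry is considered at all for a system index, and the privilege list decides which actions that entry grants. Kibana's Dev Tools `GET .fleet-artifacts` is an `indices:admin/get` action, so `read` alone is never enough for it, restricted index or not.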