Permissions issue with `Kibana_admin` role and OpenIDConnect provider

Xavier_Krantz · August 25, 2020, 10:45am

Hi there,

I am using ES Cloud and trying to setup "SSO" with OpenID Connect.

I have managed to connect my IdentityProvider (GitHub) to ElasticSearch through Auth0 (Which does the translation to provide ES with OpenID JWT).

In the end, when I log-in as a User with OpenID authentication realm:

I can not see any documents from the indices I have (filebeat-*, logs-*, metricbeat-*), which I can see when logged as SuperUser

Here are some info I get from the DevTools

GET /_security/_authenticate
{
  "username" : "xakraz@gmail.com",
  "roles" : [
    "monitoring_user",
    "machine_learning_user",
    "kibana_admin"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "oidc(iss)" : "https://MY-DOMAIN.eu.auth0.com/",
    "oidc(email)" : "xakraz@gmail.com",
    "oidc(sub)" : "github|1590399",
    "oidc(name)" : "Xavier Krantz",
    "oidc(picture)" : "https://avatars0.githubusercontent.com/u/1590399?v=4",
    "oidc(aud)" : [ REDACTED  ],
    "oidc(CUSTOM_CLAIM_1)" : [ ],
    "oidc(id_token_hint)" : "REDACTED",
    "oidc(nickname)" : "xakraz",
    "oidc(CUSTOM_CLAIM_2)" : [ ],
    "oidc(CUSTOM_CLAIM_3)" : [ ],
    "oidc(CUSTOM_CLAIM_3)" : [ ],
    "oidc(updated_at)" : "2020-08-25T10:32:41.412Z"
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "MY_REALM",
    "type" : "oidc"
  },
  "lookup_realm" : {
    "name" : "MY_REALM",
    "type" : "oidc"
  }
}

Any idea ?

Xavier_Krantz · August 25, 2020, 3:10pm

So, PEBCAK again ...

it turns out that kibana_admin role let you "only" edit dashboards, SavedSearches, Visualizations ("SavedObjects"), access to "workspaces" or other "app" features (Logs, Monitoring, SIEM, ...) proper to Kibana.

For indices queries you need an additional role ... So I have created a basic incides_reader

/_security/role/indices_reader
{
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "view_index_metadata",
          "read_cross_cluster",
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
 }

Without this kind of role you can not do anything out of the box, except if you are SuperUser

system · September 22, 2020, 3:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana ECK OIDC with DEX Elastic Cloud on Kubernetes (ECK)	10	2288	August 20, 2020
Action [indices:data/read/search] is unauthorized for user Elasticsearch	1	3357	September 9, 2019
How to set initial login using OpenID Connect Kibana	2	345	April 10, 2020
OIDC role mapping not working Elasticsearch elastic-stack-security	3	283	February 19, 2024
Using OIDC authenticated browser session to query Elasticsearch API Elasticsearch	1	952	March 26, 2020

Permissions issue with `Kibana_admin` role and OpenIDConnect provider

Related topics