Permissions issue with `Kibana_admin` role and OpenIDConnect provider

Xavier_Krantz · August 25, 2020, 10:45am

Hi there,

I am using ES Cloud and trying to setup "SSO" with OpenID Connect.

I have managed to connect my IdentityProvider (GitHub) to ElasticSearch through Auth0 (Which does the translation to provide ES with OpenID JWT).

In the end, when I log-in as a User with OpenID authentication realm:

I can not see any documents from the indices I have (filebeat-*, logs-*, metricbeat-*), which I can see when logged as SuperUser

Here are some info I get from the DevTools

GET /_security/_authenticate
{
  "username" : "xakraz@gmail.com",
  "roles" : [
    "monitoring_user",
    "machine_learning_user",
    "kibana_admin"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "oidc(iss)" : "https://MY-DOMAIN.eu.auth0.com/",
    "oidc(email)" : "xakraz@gmail.com",
    "oidc(sub)" : "github|1590399",
    "oidc(name)" : "Xavier Krantz",
    "oidc(picture)" : "https://avatars0.githubusercontent.com/u/1590399?v=4",
    "oidc(aud)" : [ REDACTED  ],
    "oidc(CUSTOM_CLAIM_1)" : [ ],
    "oidc(id_token_hint)" : "REDACTED",
    "oidc(nickname)" : "xakraz",
    "oidc(CUSTOM_CLAIM_2)" : [ ],
    "oidc(CUSTOM_CLAIM_3)" : [ ],
    "oidc(CUSTOM_CLAIM_3)" : [ ],
    "oidc(updated_at)" : "2020-08-25T10:32:41.412Z"
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "MY_REALM",
    "type" : "oidc"
  },
  "lookup_realm" : {
    "name" : "MY_REALM",
    "type" : "oidc"
  }
}

Any idea ?

Xavier_Krantz · August 25, 2020, 3:10pm

So, PEBCAK again ...

it turns out that kibana_admin role let you "only" edit dashboards, SavedSearches, Visualizations ("SavedObjects"), access to "workspaces" or other "app" features (Logs, Monitoring, SIEM, ...) proper to Kibana.

For indices queries you need an additional role ... So I have created a basic incides_reader

/_security/role/indices_reader
{
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "view_index_metadata",
          "read_cross_cluster",
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
 }

Without this kind of role you can not do anything out of the box, except if you are SuperUser

system · September 22, 2020, 3:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.