Permissions issue with `Kibana_admin` role and OpenIDConnect provider

Hi there,

I am using ES Cloud and trying to set up "SSO" with OpenID Connect.

I have managed to connect my IdentityProvider (GitHub) to ElasticSearch through Auth0 (which does the translation to provide ES with an OpenID JWT).

In the end, when I log in as a user with the OpenID authentication realm:

  • I cannot see any documents from the indices I have (filebeat-*, logs-*, metricbeat-*), which I can see when logged in as SuperUser

Here is some info I get from the DevTools:

GET /_security/_authenticate
{
  "username" : "xakraz@gmail.com",
  "roles" : [
    "monitoring_user",
    "machine_learning_user",
    "kibana_admin"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "oidc(iss)" : "https://MY-DOMAIN.eu.auth0.com/",
    "oidc(email)" : "xakraz@gmail.com",
    "oidc(sub)" : "github|1590399",
    "oidc(name)" : "Xavier Krantz",
    "oidc(picture)" : "https://avatars0.githubusercontent.com/u/1590399?v=4",
    "oidc(aud)" : [ REDACTED  ],
    "oidc(CUSTOM_CLAIM_1)" : [ ],
    "oidc(id_token_hint)" : "REDACTED",
    "oidc(nickname)" : "xakraz",
    "oidc(CUSTOM_CLAIM_2)" : [ ],
    "oidc(CUSTOM_CLAIM_3)" : [ ],
    "oidc(CUSTOM_CLAIM_3)" : [ ],
    "oidc(updated_at)" : "2020-08-25T10:32:41.412Z"
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "MY_REALM",
    "type" : "oidc"
  },
  "lookup_realm" : {
    "name" : "MY_REALM",
    "type" : "oidc"
  }
}

Any idea?

So, PEBCAK again ...

It turns out that the kibana_admin role "only" lets you edit dashboards, SavedSearches, Visualizations ("SavedObjects") and access "workspaces" or other "app" features (Logs, Monitoring, SIEM, ...) proper to Kibana.

For queries on indices you need an additional role ... So I have created a basic indices_reader:

/_security/role/indices_reader
{
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "view_index_metadata",
          "read_cross_cluster",
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
}

Without this kind of role you cannot do anything out of the box, except if you are SuperUser.
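An added example (not the poster's code) of the check behind this answer: given the user's role list from `_authenticate` and the role definitions, it reports which roles actually grant `read` on a concrete index, and builds a read-only role scoped to the three index patterns from the question rather than `"names": ["*"]`. The role bodies are constructed and simplified to the fields the check needs.

```python
"""Which of an OIDC user's roles grant `read` on an index, and a narrower
replacement for the "*" indices_reader role. Role bodies below are constructed
samples (a real GET /_security/role/<name> response carries more fields)."""
from fnmatch import fnmatchcase

# Constructed sample mirroring the _authenticate output: kibana_admin is
# application-scoped only, so it has no "indices" entries at all.
SAMPLE_ROLES = {
    "kibana_admin": {"indices": [], "applications": [
        {"application": "kibana-.kibana", "privileges": ["all"], "resources": ["*"]}]},
    "monitoring_user": {"indices": [
        {"names": [".monitoring-*"], "privileges": ["read", "read_cross_cluster"]}]},
    "indices_reader": {"indices": [
        {"names": ["filebeat-*", "logs-*", "metricbeat-*"],
         "privileges": ["read", "view_index_metadata"]}]},
}


def roles_granting(role_defs, role_names, index, privilege="read"):
    """Names in role_names with an index entry matching `index` that carries
    `privilege`. `all` implies every index privilege; roles missing from
    role_defs (e.g. machine_learning_user here) are treated as granting nothing."""
    granted = []
    for name in role_names:
        for entry in role_defs.get(name, {}).get("indices", []):
            privs = set(entry.get("privileges", []))
            if ("all" in privs or privilege in privs) and any(
                    fnmatchcase(index, pat) for pat in entry.get("names", [])):
                granted.append(name)
                break
    return granted


def least_privilege_role(patterns):
    """Body for PUT /_security/role/<name>: read-only on the given patterns."""
    return {"cluster": [], "indices": [{"names": list(patterns),
            "privileges": ["read", "view_index_metadata"]}],
            "applications": [], "run_as": []}


def has_privileges_body(patterns):
    """Body for POST /_security/user/_has_privileges, sent as the OIDC user."""
    return {"index": [{"names": list(patterns), "privileges": ["read"]}]}


if __name__ == "__main__":
    user_roles = ["monitoring_user", "machine_learning_user", "kibana_admin"]
    for idx in ["filebeat-7.9.0-2020.08.25", ".monitoring-es-7-2020.08.25"]:
        print(idx, "->", roles_granting(SAMPLE_ROLES, user_roles, idx) or "NO read")
    print(roles_granting(SAMPLE_ROLES, user_roles + ["indices_reader"], "logs-nginx-2020.08.25"))
```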