Pre-built Dashboards Not Loading for Users Except Superuser

I have encountered an issue with certain pre-built dashboards in our system. These dashboards are failing to load for any users except the superuser. I have verified that all the required permissions are correctly assigned to the affected users, but the problem persists.

One surprising aspect of this issue is that it appears certain dashboards require index pattern update permissions. This raises concerns about violating the principle of least privilege since index pattern updates are typically not necessary for regular users.

Please refer to the attached screenshot for a visual representation of the error. The affected users see an empty or partially loaded dashboard instead of the expected content.

I kindly request any insights or suggestions on how to resolve this problem. Your assistance in resolving this issue would be greatly appreciated.

Steps to reproduce:

  1. Create a new user and assign them all necessary permissions, except for index management where the space permission should be set as "read-only".
  2. Log in to Kibana using the newly created user credentials.
  3. Navigate to the pre-built dashboards, such as "ML HTTP Access: Explorer (ECS)" or "[Metricbeat System] Host overview ECS".
  4. Observe that several visualizations within these dashboards display an error, indicating an issue with loading or rendering the data.

Expected behaviour:
The expected behavior is that pre-built dashboards should not require index pattern update permissions to be viewed. This expectation aligns with the principle of least privilege, where regular users should have the necessary permissions to access and view the pre-built dashboards without the need for elevated privileges related to index pattern updates. By removing the dependency on index pattern update permissions, regular users can experience a streamlined and secure access to the dashboards, ensuring that their access privileges are limited to what is strictly necessary for viewing the content.

Hey, I have some difficulties replicating it. Can you share with me:

  • your Kibana version
  • your exact role configuration? I want both the Elasticsearch and the Kibana configuration.

Thanks a lot.

Thank you, @Stratoula_Kalafateli. I'm currently using ELK version 7.9.2, which I understand is a somewhat older version. Unfortunately, due to certain internal dependencies, we are unable to perform an upgrade at this time. I've gone ahead and created a role in Kibana and assigned it to multiple users, but all of them are encountering the same issues. Below, you can find the configuration details for these roles.

{
  "pods" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.read",
          "feature_uptime.read",
          "feature_logs.read"
        ],
        "resources" : [
          "space:default"
        ]
      }
    ],
    "run_as" : [
      "someuser"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

I still can't reproduce it in 7.17.7 (which is the version we actively support).

Can you confirm that your ES configuration looks like that:

and your Kibana ones look like

The role configurations are accurate; however, for Space privileges, I have only granted 'Read' access to specific tabs while setting 'None' for all others. Initially, this setup was effective for us, but it intermittently encounters issues. Interestingly, granting admin access to the user seems to resolve the problem.

Do you happen to know why certain dashboards necessitate index update permissions, as it appears that a particular API is experiencing disruptions?

I can't think of any reason especially if your role is configured like mine :thinking: You mean some of the dashboards work for the same user and others not?

Yes, that is correct and as I observed I face this issue in filebeat-based dashboards only.

It's concerning that certain pre-built dashboards seem to require index pattern update permissions, potentially violating the principle of least privilege. This issue not only impacts user experience but also raises questions about security and access control. Resolving this matter promptly is crucial for maintaining a secure and user-friendly system.

@Ankur_Mahajan Have you tried loading the dashboard with the regular user after it's been loaded by the superuser? There are some cases where the index pattern needs to be updated. It will update automatically when the dashboard is viewed by a user with index pattern update privileges and then work with users who lack that privilege. Perhaps you've already done this but it's still best for me to verify.

It should be noted that index patterns work a bit differently in > v7.11 due to this change - [Index patterns] Remove field cache by mattkime · Pull Request #82223 · elastic/kibana · GitHub

Are there any errors visible in the console? I see the error message "Cannot read properties of undefined". Hopefully we can find something that relates directly to that.

Can you upload a har file that captures the failure to render the dashboard? This might be helpful if you haven't done this before - https://support.site24x7.com/portal/en/kb/articles/how-to-generate-a-har-file

Thank you @Ankur_Mahajan - we'll work through this.

@mattkime, certainly, I will upload the information you've requested. Additionally, I had previously submitted an issue on GitHub some time ago, but it appears to have been closed, though I'm unsure of the details.

Yes, I've tested that approach, and it works well. After logging in with the admin user initially, I can log out and subsequently log in with the least privileged user. However, it's worth noting that this behavior shouldn't occur, as we should be able to log in directly with low-privileged users without this workaround.

I have included the console logs from my browser for your reference. Hopefully, they will provide more information about the issue. Please let me know if you require any further details.

@Ankur_Mahajan In Kibana <7.11, the field list is saved to the saved object. Without saving the field list to the saved object, there's no field list and the index pattern isn't useful. Yes, this does require permissions to edit the index pattern. This has been fixed in 7.11 and greater via [Index patterns] Remove field cache by mattkime · Pull Request #82223 · elastic/kibana · GitHub - the field list is no longer saved with the index pattern, therefore there's no need for a fully privileged user to use the index pattern before less privileged users.
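
An added example, not part of any post above and not Kibana's own code: a small audit of role JSON in the shape posted in this thread. It confirms that a role holds only read-level Kibana privileges, so that on versions before 7.11 the one-time superuser load can be used instead of widening the role. The `pods_admin` role, the `feature_<id>.<level>` parsing and the set of read levels are assumptions.

```python
import json

# Constructed input: "pods" mirrors the role posted in this thread;
# "pods_admin" is a hypothetical contrast case, not from the thread.
ROLES = json.loads("""
{
  "pods": {
    "applications": [{
      "application": "kibana-.kibana",
      "privileges": ["feature_discover.read", "feature_uptime.read", "feature_logs.read"],
      "resources": ["space:default"]}]
  },
  "pods_admin": {
    "applications": [{
      "application": "kibana-.kibana",
      "privileges": ["all"],
      "resources": ["*"]}]
  }
}
""")

# Assumption: these levels only read saved objects; anything else may write.
READ_LEVELS = {"read", "minimal_read"}

def classify(priv):
    """Split a Kibana application privilege into (feature, level).

    Assumes the naming seen in the thread (feature_<id>.<level>); any other
    string is treated as a base privilege that covers every feature ("*").
    """
    if priv.startswith("feature_") and "." in priv:
        feature, level = priv[len("feature_"):].rsplit(".", 1)
        return feature, level
    return "*", priv.replace("space_", "")

def audit(role):
    """Return (resource, feature, level) for every Kibana grant above read."""
    findings = []
    for app in role.get("applications", []):
        if not app.get("application", "").startswith("kibana-"):
            continue  # not a Kibana application entry
        for priv in app.get("privileges", []):
            feature, level = classify(priv)
            if level not in READ_LEVELS:
                findings += [(res, feature, level) for res in app.get("resources", [])]
    return findings

def report(roles):
    """Map role name -> True when every Kibana grant is read-only."""
    return {name: not audit(role) for name, role in roles.items()}
```
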
