Problems configuring Field Level Security and Kibana

security

(oscar) #1

I have the following setup:

  • 4.4.1 Kibana
  • EN 2.2.0
  • Plugin shield (2.3.1)

I have the shield configuration activated with internal realm. I have created several roles and one of them has set the security shield fields.

The configuration I have is this:

kibana4_role1:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '.kibana*':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    'logstash-indice-a':
      privileges: all
      fields: 
        - ip
        - url

With it, I cannot access Kibana; I get an error:

ElasticsearchSecurityException [action [indices:data/read/msearch] is unauthorized for user [agent1]]

If I remove security settings and fields based on the active document, I have no problem. It works and I have access.

If I remove the security settings in general (or by fields or by documents) I can also access Kibana smoothly.

NOTE: The basic index information is this:

"_index" : "logstash-indice-a",
"_type" : "logs",
"_id" : "AVToKq_7GEzUiOV5W_7z",
"_score" : 1.0,
"_source" : {
  "message" : "127.0.0.1 - - [25/May/2016:15:46:30 +0200] \"GET /manual/images/left.gif HTTP/1.1\" 304 -\r",
  "@version" : "1",
  "@timestamp" : "2016-05-25T13:46:31.558Z",
  "path" : "C:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\access.log",
  "host" : "BCN-83T55S1",
  "ip" : "127.0.0.1",
  "timestamp" : "25/May/2016:15:46:30",
  "timezone" : "+0200",
  "method" : "GET",
  "url" : "/manual/images/left.gif HTTP/1.1\" 304 -\r"
}

I think when fields based security is enabled, so that Kibana can show indexes, you must put all the indices metadata, but I have tried different configurations without result.

This configuration should work, but it does not...

kibana4_role1:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '.kibana*':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    'logstash-indice-a':
      privileges: all
      fields: 
        - message
        - \@version
        - \@timestamp
        - path
        - host
        - ip
        - timestamp
        - timezone
        - method
        - url

Can Kibana show indices that have associated security fields?


(Jay Modi) #2

It appears as though you are missing the indices:data/read/msearch for the .kibana* indices in both roles
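
The check suggested in the reply above can be scripted. This is an added example, not part of the original thread and not Shield code: it takes the denied action from the exception text and reports which index patterns of the posted role do not grant it. The role is transcribed from post #1 into a dict; the helper names, the wildcard matching via `fnmatch`, and expanding only the named privilege `all` (to `indices:*`) are assumptions of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Role from post #1, transcribed by hand: index pattern -> granted privileges.
ROLE = {
    ".kibana*": [
        "indices:admin/create", "indices:admin/exists",
        "indices:admin/mapping/put", "indices:admin/mappings/fields/get",
        "indices:admin/refresh", "indices:admin/validate/query",
        "indices:data/read/get", "indices:data/read/mget",
        "indices:data/read/search", "indices:data/write/delete",
        "indices:data/write/index", "indices:data/write/update",
    ],
    "logstash-indice-a": ["all"],
}

# Assumption: only the named privilege "all" is expanded (to every index action).
NAMED = {"all": "indices:*"}

# Error text as reported in post #1.
ERROR = ("ElasticsearchSecurityException [action [indices:data/read/msearch] "
         "is unauthorized for user [agent1]]")

DENIED = re.compile(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]")


def parse_denial(line):
    """Return (action, user) from a denial message, or None if it is not one."""
    m = DENIED.search(line)
    if m is None:
        return None
    # Drop any spaces a copy/paste or translation step inserted into the action.
    return m.group(1).replace(" ", ""), m.group(2)


def grants(privileges, action):
    """True if any listed privilege (exact name or wildcard) covers the action."""
    return any(fnmatchcase(action, NAMED.get(p, p)) for p in privileges)


def patterns_missing(role, action):
    """Index patterns in the role whose privilege list does not cover the action."""
    return sorted(p for p, privs in role.items() if not grants(privs, action))


if __name__ == "__main__":
    action, user = parse_denial(ERROR)
    print(user, "lacks", action, "on:", patterns_missing(ROLE, action))
```

The script only inspects the privilege lists in the role definition; it does not model how field level security affects a request.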

