Role-based control does not work


(Chris Wu) #1

Hi,

 On kibana - manage web interface, I created one new role that give ALL permission to one index and also assigned the new role to one user. When I logged in as this user, all functions do not work. No index was shown on the right side. If I assigned Superuser role to this user, it works fine like built-in user elastic. Note that XPACK has been installed in elasticsearch and kibana.

 By checking the logs, it seems that the connection can not be established between kibana and elasticsearch if it is logged in as this user? 

 Could anyone know what happened?

 Much appreciated.

Cheers,
Chris

2016/12/22 15:09:23 [error] 5771#5771: *1300 connect() failed (111: Connection refused) while connecting to upstream, client: XX.XX.XX.XX, server: YY.YY.YY.YY, request: "GET /api/reporting/jobs/list_completed_since?since=2016-12-22T13:30:14.294Z HTTP/1.1", upstream: "http://[::1]:5601/api/reporting/jobs/list_completed_since?since=2016-12-22T13:30:14.294Z", host: "YY.YY.YY.YY", referrer: "http://YY.YY.YY.YY/app/kibana"


(Jay Modi) #2

Did you give the user the kibana_user role as stated in the documentation?


(Chris Wu) #3

Hi Jay,

 I did not give this user a role as kibana_user. Instead, I create a new role with the same permission as Superuser does. Also, when I checked the role kibana_user via kibana manage interface, it is strange that it is listed in the roles, but clicking the role "kibana_user" and I got the message "the role kibana_user does not exist". Did you experience the same problem?

Cheers,

Chris.


(Jay Modi) #4

Hi Chris,

Your messages are hard to read with the formatting you've used. Anyway, it seems like the kibana role is being confused with the kibana_user role. Those are two distinct roles.

Jay


(Chris Wu) #5

Hi Jay,

 Sorry. I resent again. See below:

+++++++++
I did not give this user a role as kibana_user. Instead, I create a new role with the same permission as Superuser does. Also, when I checked the role kibana_user via kibana manage interface, it is strange that it is listed in the roles, but clicking the role "kibana_user" and I got the message "the role kibana_user does not exist". Did you experience the same problem?
+++++++++

 Thanks.

Cheers,
Chris.


(Chris Wu) #6

Hi,

I also resent my first message (see below). Hope that it is formatted readable. In addition, I use ELK ver 5.1.1.

+++++++++
On kibana - manage web interface, I created one new role that give ALL permission to one index and also assigned the new role to one user. When I logged in as this user, all functions do not work. No index was shown on the right side. If I assigned Superuser role to this user, it works fine like built-in user elastic. Note that XPACK has been installed in elasticsearch and kibana.

By checking the logs, it seems that the connection can not be established between kibana and elasticsearch if it is logged in as this user?

Could anyone know what happened?

Much appreciated.
++++++++++++++

Cheers,
Kai.


(Tim Vernum) #7

These statements are contradictory. The superuser role has more permissions than just ALL on a single index. If it your second statement is accurate, and your new role only has access to a single index, then those users will not be able to use Kibana. There are additional permissions that are required in order to use Kibana.

The supported method for granting Kibana access to an X-Pack secured Elasticsearch cluster is via the kibana_user role.
Is there a specific reason you're avoiding that advice? You will find your task is much simpler if you follow the official recommendations.


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.