Role-based control does not work

chris2016 · December 22, 2016, 2:19pm

Hi,

 On kibana - manage web interface, I created one new role that give ALL permission to one index and also assigned the new role to one user. When I logged in as this user, all functions do not work. No index was shown on the right side. If I assigned Superuser role to this user, it works fine like built-in user elastic. Note that XPACK has been installed in elasticsearch and kibana.

 By checking the logs, it seems that the connection can not be established between kibana and elasticsearch if it is logged in as this user? 

 Could anyone know what happened?

 Much appreciated.

Cheers,
Chris

2016/12/22 15:09:23 [error] 5771#5771: *1300 connect() failed (111: Connection refused) while connecting to upstream, client: XX.XX.XX.XX, server: YY.YY.YY.YY, request: "GET /api/reporting/jobs/list_completed_since?since=2016-12-22T13:30:14.294Z HTTP/1.1", upstream: "http://[::1]:5601/api/reporting/jobs/list_completed_since?since=2016-12-22T13:30:14.294Z", host: "YY.YY.YY.YY", referrer: "http://YY.YY.YY.YY/app/kibana"

jaymode · December 22, 2016, 3:59pm

Did you give the user the kibana_user role as stated in the documentation?

chris2016 · December 22, 2016, 4:44pm

Hi Jay,

 I did not give this user a role as kibana_user. Instead, I create a new role with the same permission as Superuser does. Also, when I checked the role kibana_user via kibana manage interface, it is strange that it is listed in the roles, but clicking the role "kibana_user" and I got the message "the role kibana_user does not exist". Did you experience the same problem?

Cheers,

Chris.

jaymode · December 22, 2016, 5:08pm

Hi Chris,

Your messages are hard to read with the formatting you've used. Anyway, it seems like the kibana role is being confused with the kibana_user role. Those are two distinct roles.

Jay

chris2016 · December 22, 2016, 6:25pm

Hi Jay,

 Sorry. I resent again. See below:

+++++++++
I did not give this user a role as kibana_user. Instead, I create a new role with the same permission as Superuser does. Also, when I checked the role kibana_user via kibana manage interface, it is strange that it is listed in the roles, but clicking the role "kibana_user" and I got the message "the role kibana_user does not exist". Did you experience the same problem?
+++++++++

 Thanks.

Cheers,
Chris.

chris2016 · December 22, 2016, 6:34pm

Hi,

I also resent my first message (see below). Hope that it is formatted readable. In addition, I use ELK ver 5.1.1.

+++++++++
On kibana - manage web interface, I created one new role that give ALL permission to one index and also assigned the new role to one user. When I logged in as this user, all functions do not work. No index was shown on the right side. If I assigned Superuser role to this user, it works fine like built-in user elastic. Note that XPACK has been installed in elasticsearch and kibana.

By checking the logs, it seems that the connection can not be established between kibana and elasticsearch if it is logged in as this user?

Could anyone know what happened?

Much appreciated.
++++++++++++++

Cheers,
Kai.

TimV · December 23, 2016, 4:50am

These statements are contradictory. The superuser role has more permissions than just ALL on a single index. If it your second statement is accurate, and your new role only has access to a single index, then those users will not be able to use Kibana. There are additional permissions that are required in order to use Kibana.

The supported method for granting Kibana access to an X-Pack secured Elasticsearch cluster is via the kibana_user role.
Is there a specific reason you're avoiding that advice? You will find your task is much simpler if you follow the official recommendations.

system · January 20, 2017, 4:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.