Rule Preview not Working

I have this weird problem where detection engine rules preview is not working for users.

Now the users have roles that grant them read access to .preview.alerts-security.alerts-<space-id> and All Kibana privileges on the Kibana Security App as mentioned in the documentation. Still the preview fails with:

Missing "read" privileges for the ".preview.alerts-security.alerts" or ".internal.preview.alerts-security.alerts" indices. Without these privileges you cannot use the Rule Preview feature.

Now I've tried to debug this by creating a data view to that system index. The admin user can create a data view on that index and read the data in it, no problem. The affected user sees "no indices matched". When I try to view or edit the data view with the affected user it says that the pattern is not matching any indices.

However, when I go to Index Management with the affected user (he has monitor privileges) I can list system indices and see that the index .internal.preview.alerts-security.alerts-... exists, but trying to read the settings just gives me a toast with the word Forbidden.

When I try to see the settings for .internal.preview.alerts-security.alerts-... through the dev console I get:

action [indices:monitor/settings/get] is unauthorized for user [j91321] with effective roles [...]
on indices [.internal.preview.alerts-security.alerts-something-dev-000001], this action is granted by the index privileges [monitor,view_index_metadata,manage,all]

Seems like the privilege does not get applied for the index. I've tried all of the listed privileges (all, read+view_index_metadata, or read+monitor).

Elasticsearch version is 8.6.1.

Hey @j91321, thanks for your question!

I'm looking at the code that returns this error and seeing this:

I'm not sure why access to both the index alias (.preview.alerts-security.alerts) and the concrete internal index name (.internal.preview.alerts-security.alerts) is required here, but it looks like this check was added in this PR:

I'll reach out to the PR author and the team and we'll figure out if the implementation is wrong or the docs are out-of-date.

Meanwhile, could you please try adding a read privilege to .preview.alerts-security.alerts-<space-id> and .internal.preview.alerts-security.alerts-<space-id> to the user's role and see if it fixes the issue?

Hi, the user has read privileges to both, yet the issue persists.

    {
      "names": [
        ".preview.alerts-security.alerts-something-dev"
      ],
      "privileges": [
        "monitor",
        "read",
        "view_index_metadata"
      ],
      "allow_restricted_indices": false
    },
    {
      "names": [
        ".internal.preview.alerts-security.alerts-something-dev"
      ],
      "privileges": [
        "monitor",
        "read",
        "view_index_metadata"
      ],
      "allow_restricted_indices": false
    },
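As an added aside that is not part of the thread: a small offline check for comparing a role's index-privilege patterns with the alias and with the concrete backing index name that appeared in the unauthorized error above. It assumes the usual Elasticsearch semantics for privilege `names` (`*` matches any run of characters, everything else is literal), and it only evaluates name matching; it does not reproduce the Kibana-side check the thread identifies as buggy.

```python
import re
from typing import Iterable

# Constructed from the role fragment posted above (assumed shape: the
# "indices" entries of a role definition).
ROLE_INDICES = [
    {"names": [".preview.alerts-security.alerts-something-dev"],
     "privileges": ["monitor", "read", "view_index_metadata"]},
    {"names": [".internal.preview.alerts-security.alerts-something-dev"],
     "privileges": ["monitor", "read", "view_index_metadata"]},
]

# Alias and concrete backing index name as they appear earlier in the thread.
ALIAS = ".preview.alerts-security.alerts-something-dev"
CONCRETE_INDEX = ".internal.preview.alerts-security.alerts-something-dev-000001"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an index-name pattern into an anchored regex.

    Assumption: '*' is the only wildcard and matches any run of characters;
    a pattern without '*' therefore only matches that exact index name.
    """
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def granted_privileges(role_indices, index_name: str) -> set:
    """Union of privileges from every entry whose pattern matches index_name."""
    granted = set()
    for entry in role_indices:
        if any(pattern_to_regex(p).match(index_name) for p in entry["names"]):
            granted.update(entry["privileges"])
    return granted


def missing_read(role_indices, index_names: Iterable[str]) -> list:
    """Index names for which neither 'read' nor 'all' is granted by any entry."""
    return [name for name in index_names
            if not {"read", "all"} & granted_privileges(role_indices, name)]


if __name__ == "__main__":
    # With the role above, the alias matches exactly, but the rolled-over
    # backing index (suffix -000001) is not matched by a pattern without '*'.
    for name in missing_read(ROLE_INDICES, [ALIAS, CONCRETE_INDEX]):
        print(f"no entry grants read on: {name}")
```

A wildcard entry such as `.internal.preview.alerts-security.alerts-something-dev*` covers the numbered backing indices as well; the live equivalent of this check is the `_security/user/_has_privileges` API run as the affected user.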

@j91321 Thank you for checking this. Folks on our team confirmed that this is a bug and opened a PR with a fix for it:

