[security_exception] action [indices:data/read/search] is unauthorized for user [user]

security

#1

Hello,

I followed Grant users access to APM Server indices | APM Server Reference [6.5] | Elastic, yet user (w/ apm_reader role) is unable to access the way superuser does (some parts of apm are visible, while others is not)

user also provided following information that he's got via debug in a browser:

{“statusCode”:403,“error”:“Forbidden”,“message”:“[security_exception] action [indices:data/read/search] is unauthorized for user [user]“}

Please advise.


(Ioannis Kakavas) #2

Hi,

This is to be expected, the superuser has by default/definition access to anything.

Can you be a little more specific? What parts did you expect to be visible that are not?

Did you follow the instructions explicitly? Did you also add the kibana_user role to your user as mentioned there?

Can you share the output of the following two requests from Kibana's dev tools ?

GET _xpack/security/role/apm_reader ( run that while logged in as a superuser)

GET _xpack/security/_authenticate (run that while logged in as user)


#3

sure, more specific (in terms of visibility): everything is accessible except for actual charts (see attached screenshot)

and yes, I followed instruction explicitly. kibana_user role is already part of user's role.

GET _xpack/security/role/apm_reader:

{
  "apm_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "apm-*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ]
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

GET _xpack/security/_authenticate:

{
  "username" : "user",
  "roles" : [
    "kibana_user",
    "apm_reader"
  ],
  "full_name" : "xxx",
  "email" : "x@x.x",
  "metadata" : { },
  "enabled" : true
}

(Søren Louv Jansen) #4

Hi @alexus,

This is related to a bug that was found in Kibana 6.5: https://github.com/elastic/kibana/issues/23463.
It will be fixed in 6.6.

Until then you will have to give the user permission to access the machine learning anomaly indices: .ml-anomalies-*

You need to define a role that gives the user access to these indices and assign that role to their user.
Read more here: https://www.elastic.co/guide/en/elastic-stack-overview/current/defining-roles.html#roles-indices-priv


(system) closed #5

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.