Shield AD user is unauthorized only from a different subnet

Elastic Stack Elasticsearch
21

Absolutely. Progress.... That allowed it to write to the topbeat and filebeat indexes.

roles.yml snippet:

The required role for logstash users

logstash:
cluster:
- manage_index_templates
indices:

- names: [ 'logstash-', 'filebeat-', 'topbeat-', 'cisco-', 'netsyslog-*' ]

- names: '*'
  privileges:
    - write
    - delete
    - create_index

logstash.log snippet:
client_ip"=>"127.0.0.1", "server"=>"pulp01v", "method"=>"find", "@version"=>"1", "host"=>"pulp01v", "tags"=>["beats_input_raw_event", "_grokparsefailure", "generic_log"], "syslog_severity_code"=>5, "syslog_facility_code"=>1, "syslog_facility"=>"user-level", "syslog_severity"=>"notice"}, "DestinationAddress"]}>>], :response=>{"index"=>{"_index"=>"packetbeat-2016.06.29", "_type"=>"mongodb", "_id"=>nil, "status"=>403, "error"=>{"type"=>"security_exception", "reason"=>"action [indices:admin/create] is unauthorized for user [s_logstash02v]"}}}, :level=>:warn}

elasticsearch.log snippet:
[20:46:25,818][I][node ] [node-01] started
[20:47:33,447][D][shield.authc.activedirectory] [node-01] user not found in cache, proceeding with normal authentication
[20:47:33,699][D][shield.authc.activedirectory] [node-01] group SID to DN search filter: [(|(objectSid=S-1-5-32-545)(objectSid=S-1-5-21-3672824143-1806866617-33
68692887-513)(objectSid=S-1-5-21-3672824143-1806866617-3368692887-1836)(objectSid=S-1-5-21-3672824143-1806866617-3368692887-1371))]
[20:47:33,747][D][shield.authc.activedirectory] [node-01] found these groups [[CN=Users,CN=Builtin,DC=domain,DC=local, CN=Domain Users,CN=Users,DC=domain,DC=loc
al, CN=PentahoRO,CN=Users,DC=domain,DC=local, CN=Desktop Admins,CN=Users,DC=domain,DC=local]] for userDN [CN=s_logstash02v,OU=ServiceAccounts,OU=Employees,DC=do
main,DC=local]
[20:47:33,748][D][shield.authc.support ] [node-01] the roles [[Desktop Admins, Domain Users, PentahoRO, Users]], are mapped from these [active_directory] gr
oups [[CN=Users,CN=Builtin,DC=domain,DC=local, CN=Domain Users,CN=Users,DC=domain,DC=local, CN=PentahoRO,CN=Users,DC=domain,DC=local, CN=Desktop Admins,CN=Users
,DC=domain,DC=local]] for realm [active_directory/active_directory]
[20:47:33,748][D][shield.authc.support ] [node-01] the roles [[logstash]], are mapped from the user [active_directory] for realm [CN=s_logstash02v,OU=Servic
eAccounts,OU=Employees,DC=domain,DC=local/active_directory]
[20:47:33,753][D][shield.authc.activedirectory] [node-01] authenticated user [s_logstash02v], with roles [[logstash, Desktop Admins, Domain Users, PentahoRO, Us
ers]]
[20:47:33,756][D][shield.audit.logfile ] [node-01] [transport] [access_granted] origin_type=[rest], origin_address=[10.1.x.x], principal=[s_logstash02v]
, action=[indices:admin/template/get], request=[GetIndexTemplatesRequest]
[20:47:33,895][D][shield.authc.activedirectory] [node-01] authenticated user [s_logstash02v], with roles [[logstash, Desktop Admins, Domain Users, PentahoRO, Us
ers]]
[20:48:33,803][D][shield.audit.logfile ] [node-01] [transport] [access_granted] origin_type=[rest], origin_address=[10.1.x.x], principal=[s_logstash02v ], action=[indices:data/write/bulk[s]], indices=[topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29], request=[BulkS
hardRequest]
[20:48:33,803][D][shield.audit.logfile ] [node-01] [transport] [access_granted] origin_type=[rest], origin_address=[10.1.x.x], principal=[s_logstash02v ], action=[indices:data/write/bulk[s][p]], indices=[topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29], request=[Bu
lkShardRequest]
[20:48:33,806][D][shield.audit.logfile ] [node-01] [transport] [access_granted] origin_type=[transport], origin_address=[10.1.x.x], principal=[s_logsta sh02v], action=[indices:data/write/bulk[s][r]], indices=[topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-
2016.06.29], request=[BulkShardRequest]
[20:48:33,817][W][action.bulk ] [node-01] [topbeat-2016.06.29][0] failed to perform indices:data/write/bulk[s][r] on node {node-04-kibana}{YpmE06nG
SQm_qXhnYv2NKg}{10.1.x.x}{10.1.x.x:9300}{master=false}
[20:48:33,820][D][shield.audit.logfile ] [node-01] [transport] [access_granted] origin_type=[transport], origin_address=[10.1.x.x], principal=[s_logsta sh02v], action=[indices:data/write/bulk[s][r]], indices=[topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-
2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29,topbeat-2016.06.29], request=[BulkShardRequest]

22

I think the index names portion of your role isn't quite correct, it seems to be missing the wildcards and you also have packetbeat data coming in. So I think something like this would work:

- names: [ 'logstash-*', 'filebeat-*', 'topbeat-*', 'cisco-*', 'netsyslog-*', 'packetbeat-*' ]
23

I had the wildcards in the config but not packetbeat-. It could be the packetbeat index requests over-ran everything else and all we saw in the logs were the denied requests for that index. After adding packetbeat- to the roles on the entire cluster, everything looks good but I still don't understand why I didn't see failures / denies when it was on the same subnet.

roles.yml snippet:
logstash:
cluster:
- manage_index_templates
indices:

- names: [ 'logstash-', 'filebeat-', 'topbeat-', 'cisco-', 'netsyslog-*' ]

- names: [ 'logstash-*', 'filebeat-*', 'topbeat-*', 'cisco-*', 'netsyslog-*', 'packetbeat-*', 'winlogbeat-*', 'syslog-*' ]

- names: '*'

  privileges:
    - write
    - delete
    - create_index