Shield issue

Hi.

I want to try Shield features and I want to give different roles to my users.

In my scenario, there are two users: "admin" and "pippo".

admin has admin privileges and pippo has user privileges. So, with "admin" I can use every REST API method: GET, PUT, POST and DELETE. Instead, the user can't do anything, while I expected that he could get every index. What am I doing wrong?

This is my roles.yml

# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - all

# Read-only operations on indices
user:
  indices:
    - names: '*'
      privileges:
        - read

# Defines the required permissions for transport clients
transport_client:
  cluster:
      - transport_client

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
      - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

# The required role for logstash users
logstash:
  cluster:
    - manage_index_templates
  indices:
    - names: 'logstash-*'
      privileges:
        - write
        - read
        - create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    - names: '.marvel-es-*'
      privileges: [ "read" ]
    - names: '.kibana'
      privileges:
        - view_index_metadata
        - read

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: [ "manage_index_templates" ]
  indices:
    - names: '.marvel-es-*'
      privileges: [ "all" ]

This is my roles_mapping.yml

# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names

#roleA:   this is an elasticsearch role
#  - groupA-DN  this is a group distinguished name
#  - groupB-DN
#  - user1-DN   this is the full user distinguished name

#power_user:
#  - "cn=admins,dc=example,dc=com"
#user:
#  - "cn=users,dc=example,dc=com"
#  - "cn=admins,dc=example,dc=com"
#  - "cn=John Doe,cn=other users,dc=example,dc=com"

This is the error when I get an index with "pippo":

"reason": "action [indices:admin/get] is unauthorized for user [pippo]"

Thank you for the support!

You haven't mapped that role to anything by the looks of things, so it won't work.

Thanks for your reply.

How can I map that role?

What realm configuration are you using in your elasticsearch configuration file?

And where are the users "admin" and "pippo" coming from? Are they LDAP/AD users, or did you create them specifically inside Elasticsearch?

This is my configuration file:

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please see the documentation for further information on configuration options:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html>
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: kibi-distribution
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
# node.name: node-1
#
# Add custom attributes to the node:
#
# node.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
# path.data: /path/to/data
#
# Path to log files:
#
# path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
# bootstrap.memory_lock: true
#
# Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory
# available on the system and that the owner of the process is allowed to use this limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
# network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
http.port: 9220
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html>
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
# discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery.html>
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
# gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-gateway.html>
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
# node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
# action.destructive_requires_name: true

transport.tcp.port: 9330
# Analyzer for the snippet field of the Article index for the Crunchbase demo
index:
  analysis:
    analyzer:
      snippet:
        type: custom
        tokenizer: myTokenizer
        filter: [lowerTokens,englishStopWords,removeSmallTokens]
    tokenizer:
      myTokenizer:
        type: standard
    filter:
      lowerTokens:
        type: lowercase
      englishStopWords:
        type: stop
        stopwords: _english_
      removeSmallTokens:
        type: length
        min: 2
# Siren Join plugin: It is recommended to enable index query cache for all queries.
# See https://github.com/sirensolutions/siren-join/ for more details.
index.queries.cache.everything: true

I create users in elasticsearch/bin/shield/ using these commands:

./esusers useradd admin -r admin

./esusers useradd pippo -r user

pippo has the user role.

The user role grants the read privilege on all indices.

But the "get index" action is not a read action. You need to also grant the view_index_metadata privilege if you want to be able to get an index.

That does not seem to work.

This is my roles.yml:

# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - all

# Read-only operations on indices
user:
  indices:
    - names: '*'
      privileges:
        - read
	- view_index_metadata

# Defines the required permissions for transport clients
transport_client:
  cluster:
      - transport_client

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
      - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

# The required role for logstash users
logstash:
  cluster:
    - manage_index_templates
  indices:
    - names: 'logstash-*'
      privileges:
        - write
        - read
        - create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    - names: '.marvel-es-*'
      privileges: [ "read" ]
    - names: '.kibana'
      privileges:
        - view_index_metadata
        - read

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: [ "manage_index_templates" ]
  indices:
    - names: '.marvel-es-*'
      privileges: [ "all" ]

When I run this command:

curl -u pippo -XGET 'http://localhost:9220/index?pretty'

the response after entering the password is:

{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "action [indices:admin/get] is unauthorized for user [pippo]"
    } ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/get] is unauthorized for user [pippo]"
  },
  "status" : 403
}

It looks like your indentation is incorrect in your roles.yml - you seem to have a mix of tabs and spaces and that's typically a source of problems.

user:
  indices:
    - names: '*'
      privileges:
        - read
	- view_index_metadata

Assuming this has been copied exactly from your file, then view_index_metadata is indented by a tab, but read is indented by 8 spaces.

Try fixing that.

If that doesn't solve your problem, then let's confirm that your user really has the role that you configured it to have.

Use the authenticate API to check your roles:

curl -u pippo 'http://localhost:9220/_shield/authenticate'
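A small checker for the indentation problem described in the reply above, added here as an example (it is not from the thread or from Shield itself): it reports tab-indented or misaligned list items in a block-style roles.yml and shows which index privileges actually end up attached to each role, which also lets you confirm the earlier point that `user` must carry `view_index_metadata`. The sample roles file is constructed.

```python
# Constructed sample: the thread's 'user' role with its tab-indented item, plus a
# correctly indented 'admin' role for contrast (not copied from any real file).
SAMPLE_ROLES_YML = (
    "# Read-only operations on indices\n"
    "user:\n"
    "  indices:\n"
    "    - names: '*'\n"
    "      privileges:\n"
    "        - read\n"
    "\t- view_index_metadata\n"
    "\n"
    "admin:\n"
    "  cluster:\n"
    "    - all\n"
    "  indices:\n"
    "    - names: '*'\n"
    "      privileges:\n"
    "        - all\n"
)

def lint_roles_yml(text):
    """Return (findings, privileges) for a block-style Shield roles.yml: findings are
    (line_no, role, message) for tab indentation and misaligned list items; privileges
    maps role -> set of index privileges actually attached to it. Inline lists such as
    privileges: [ "read" ] are not parsed."""
    findings, privileges, role = [], {}, None
    priv_indent = item_indent = None   # columns of 'privileges:' and of its first item
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        indent = len(line) - len(line.lstrip(' \t'))
        if '\t' in line[:indent]:
            findings.append((no, role, 'tab in indentation; YAML only allows spaces'))
        stripped = line.strip()
        if indent == 0 and stripped.endswith(':'):        # new top-level role
            role = stripped[:-1]
            privileges.setdefault(role, set())
            priv_indent = item_indent = None
        elif stripped == 'privileges:':
            priv_indent, item_indent = indent, None
        elif stripped.startswith('- ') and priv_indent is not None:
            if item_indent is None and indent > priv_indent and '\t' not in line[:indent]:
                item_indent = indent                       # alignment set by first item
            if indent == item_indent:
                privileges.setdefault(role, set()).add(stripped[2:].strip())
            else:
                findings.append((no, role, 'list item misaligned; not part of the privileges list'))
        else:                                              # any other key ends the list
            priv_indent = item_indent = None
    return findings, privileges
```

Run it over the real file with `lint_roles_yml(open('roles.yml').read())`; an empty findings list and `view_index_metadata` in the `user` set is what the corrected file should produce.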
