Try to define an admin role (used setting similar to superuser) but not work

Elastic Stack Elasticsearch
1

In elasticsearch 7.2.0, I try to define in roles.yml the following role:

admin_role:
cluster: [ "all" ]
indices:
- names : [ " * " ]
priviledges: [ "all" ]
allow_restricted_indices: true
run_as: [ " * " ]
applications:
- application : " * "
privileges : [ " * " ]
resources : [ " * " ]

I assigned an LDAP group (such as LDAP_GROUP_1) to this role in role_mapping.yml.

admin_role:
"cn=LDAP_GROUP_1,ou=groups,o=my_org"

In log, although user1, belonging to the LDAP group, is shown in admin_role:
user [user1], with roles [[admin_role]]

The user1 cannot access the API GET such as
GET /_security/role

The error message is
"reason": "action [cluster:admin/xpack/security/role/get] is unauthorized for user [user1]"

ir I assign the LDAP group in role_mapping.yml as supperuser:
superuser:
"cn=LDAP_GROUP_1,ou=groups,o=my_org"

user1 this time can access all the api such as GET /_security/role

I checked superuser role GET /_security/role/superuser, and it returns same setting as I did for admin_role.

Does anyone know why this happens?

Thank you.

John

2

That's not how you spell privileges.
If that has been directly copied from your roles.yml file, then this role is invalid and will be ignored.
The logs should report that.

1 Like
3

Tim, I am sorry and thank you for finding the wrong spelling.

After corrected the spell to privileges, I run this again. Security roles returned correct.

However, when I issue this (my_index_name_1 is an index in elasticsearch 7.2):

GET my_index_name_1/_search
{
"query": {
"match": {"record" : "12345"}
}
}

I received:
{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "action [indices:data/read/search] is unauthorized for user [user1]"
}
],
"type": "security_exception",
"reason": "action [indices:data/read/search] is unauthorized for user [user1]"
},
"status": 403
}

where user1 is user name.

When I assign the LDAP_GROUP_1 to superuser role , however, it can get the search results.

Did miss something on this role? maybe this role did not have access to my_index_name_1 mentioned above?

It turns out that I need to update data nodes with the role to get the admin_users work.

Thank you.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.