Try to define an admin role (used setting similar to superuser) but not work

In elasticsearch 7.2.0, I try to define in roles.yml the following role:

admin_role:
  cluster: [ "all" ]
  indices:
    - names : [ " * " ]
      priviledges: [ "all" ]
      allow_restricted_indices: true
  run_as: [ " * " ]
  applications:
    - application : " * "
      privileges : [ " * " ]
      resources : [ " * " ]

I assigned an LDAP group (such as LDAP_GROUP_1) to this role in role_mapping.yml.

admin_role:
  "cn=LDAP_GROUP_1,ou=groups,o=my_org"

In the log, user1, who belongs to the LDAP group, is shown with admin_role:
  user [user1], with roles [[admin_role]]

However, user1 cannot access an API such as
  GET /_security/role

The error message is
  "reason": "action [cluster:admin/xpack/security/role/get] is unauthorized for user [user1]"

If I assign the LDAP group in role_mapping.yml to superuser instead:
  superuser:
    "cn=LDAP_GROUP_1,ou=groups,o=my_org"

then user1 can access all the APIs, such as GET /_security/role.

I checked the superuser role with GET /_security/role/superuser, and it returns the same settings as I defined for admin_role.

Does anyone know why this happens?

Thank you.

John

That's not how you spell privileges.
If that has been directly copied from your roles.yml file, then this role is invalid and will be ignored.
The logs should report that.


Tim, I am sorry and thank you for finding the wrong spelling.

After correcting the spelling to privileges, I ran this again. Security roles are now returned correctly.

However, when I issue this (my_index_name_1 is an index in elasticsearch 7.2):

GET my_index_name_1/_search
{
  "query": {
    "match": { "record": "12345" }
  }
}

I received:
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:data/read/search] is unauthorized for user [user1]"
      }
    ],
    "type": "security_exception",
    "reason": "action [indices:data/read/search] is unauthorized for user [user1]"
  },
  "status": 403
}

where user1 is the user name.

When I assign LDAP_GROUP_1 to the superuser role, however, it does get the search results.

Did I miss something on this role? Maybe this role does not have access to my_index_name_1 mentioned above?

It turns out that I need to update the data nodes with the role to get the admin_users to work.

Thank you.
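Both problems in this thread come from the file-based role store: a misspelled descriptor key (`priviledges`) makes the whole role invalid and silently ignored, and a roles.yml that is only updated on some nodes gives different authorization results depending on which node handles the request. The script below is an added example (not from this thread or from Elastic) that lints roles.yml copies for both conditions: it flags descriptor keys outside a known set and reports nodes whose copy of a role is missing or differs from a reference node. The list of known keys and the sample files are assumptions constructed for the example; it parses only the indentation-and-list subset of YAML that roles.yml uses, so no YAML library is needed.

```python
"""
Lint Elasticsearch file-based roles (roles.yml):
  1. unknown_keys()  - catch misspelled role-descriptor keys such as "priviledges"
  2. node_drift()    - catch nodes whose copy of roles.yml is missing or stale
Sample inputs are constructed for this example; they are not real cluster files.
"""
import re
from typing import Dict, List, Tuple

# Keys allowed inside a role descriptor in roles.yml.
# Assumption: compiled from the keys used in this thread plus the commonly
# documented ones; extend it if your roles use additional fields.
KNOWN_KEYS = {
    "cluster", "indices", "names", "privileges", "field_security", "query",
    "allow_restricted_indices", "run_as", "applications", "application",
    "resources", "metadata", "global",
}

# Matches "<indent>key:" and "<indent>- key:" lines; scalar list items do not match.
KEY_RE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*:")


def split_roles(text: str) -> Dict[str, List[str]]:
    """Group the lines of a roles.yml by top-level role name (indent-0 keys)."""
    roles: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m and m.group(1) == "" and not line.startswith("-"):
            current = m.group(2)          # a new role starts here
            roles[current] = []
        elif current is not None:
            roles[current].append(line)   # body line of the current role
    return roles


def unknown_keys(text: str) -> List[Tuple[str, str]]:
    """Return (role, key) pairs for descriptor keys that are not in KNOWN_KEYS."""
    bad = []
    for role, body in split_roles(text).items():
        for line in body:
            m = KEY_RE.match(line)
            if m and m.group(2) not in KNOWN_KEYS:
                bad.append((role, m.group(2)))
    return bad


def _normalize(body: List[str]) -> List[str]:
    # Whitespace-insensitive so two nodes with different indentation still compare equal.
    return [re.sub(r"\s+", "", line) for line in body]


def node_drift(copies: Dict[str, str], reference: str) -> Dict[str, List[str]]:
    """Compare every node's roles.yml to the reference node's copy.
    Returns {node: [roles that are missing or defined differently on that node]}."""
    ref = {r: _normalize(b) for r, b in split_roles(copies[reference]).items()}
    drift: Dict[str, List[str]] = {}
    for node, text in copies.items():
        if node == reference:
            continue
        here = {r: _normalize(b) for r, b in split_roles(text).items()}
        stale = sorted(r for r in ref if here.get(r) != ref[r])
        if stale:
            drift[node] = stale
    return drift


# Constructed sample: the role as first posted in the thread (typo included).
ROLES_WITH_TYPO = """\
admin_role:
  cluster: [ "all" ]
  indices:
    - names: [ "*" ]
      priviledges: [ "all" ]
      allow_restricted_indices: true
  run_as: [ "*" ]
  applications:
    - application: "*"
      privileges: [ "*" ]
      resources: [ "*" ]
"""
ROLES_FIXED = ROLES_WITH_TYPO.replace("priviledges", "privileges")

# Constructed: master has the corrected file, one data node still has the old
# copy, and the other data node never received the role at all.
NODE_COPIES = {
    "master-1": ROLES_FIXED,
    "data-1": ROLES_WITH_TYPO,
    "data-2": 'other_role:\n  cluster: [ "monitor" ]\n',
}

if __name__ == "__main__":
    print("unknown keys:", unknown_keys(ROLES_WITH_TYPO))
    print("drift vs master-1:", node_drift(NODE_COPIES, "master-1"))
```

In practice the `copies` dictionary would be filled by fetching each node's `config/roles.yml` over whatever management channel you already use; the point of keeping the comparison whitespace-insensitive is that nodes provisioned by different tooling often differ only in indentation.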
