XpackSecurity


(Raj) #1

Hi All,
I registered for the X-Pack Security e-learning video. I followed exactly how they demonstrated and created the same regular user for testing purposes, to check if it works for me.

I created a regular role with only index and read access to one index, and then I created a regular user and added this regular role to it.

To confirm it works, I logged out from the elastic user and logged in as the regular user.

I am able to log in, but when I clicked on Dev Tools to see if I can get or read that index, I got this error:

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [regular]

And I have not even tried to delete. I know that if I delete the documents in the indexes I will get a 403 exception error, but I am not even able to get into Dev Tools.

Please, anyone, let me know what has to be done.

Thanks in advance,
Raj


(Mike Barretta) #2

Can you share the output of:

GET /_xpack/security/role

and

GET /_xpack/security/user

?


(Raj) #3

GET /_xpack/security/role

Sorry, it's a bit long :slight_smile:

{
"watcher_admin": {
"cluster": [
"manage_watcher"
],
"indices": [
{
"names": [
".watches",
".triggered_watches",
".watcher-history-*"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"logstash_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_user": {
"cluster": [],
"indices": [
{
"names": [
".kibana*"
],
"privileges": [
"manage",
"read",
"index",
"delete"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_user": {
"cluster": [
"monitor_ml"
],
"indices": [
{
"names": [
".ml-anomalies*",
".ml-notifications"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"remote_monitoring_agent": {
"cluster": [
"manage_index_templates",
"manage_ingest_pipelines",
"monitor",
"cluster:admin/xpack/watcher/watch/get",
"cluster:admin/xpack/watcher/watch/put",
"cluster:admin/xpack/watcher/watch/delete"
],
"indices": [
{
"names": [
".marvel-es-*",
".monitoring-*"
],
"privileges": [
"all"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_admin": {
"cluster": [
"manage_ml"
],
"indices": [
{
"names": [
".ml-*"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"watcher_user": {
"cluster": [
"monitor_watcher"
],
"indices": [
{
"names": [
".watches",
".watcher-history-*"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"monitoring_user": {
"cluster": [],
"indices": [
{
"names": [
".marvel-es-*",
".monitoring-*"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"reporting_user": {
"cluster": [],
"indices": [
{
"names": [
".reporting-*"
],
"privileges": [
"read",
"write"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [
{
"names": [
".kibana*",
".reporting-*"
],
"privileges": [
"all"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"transport_client": {
"cluster": [
"transport_client"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"superuser": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"*"
],
"privileges": [
"all"
]
}
],
"run_as": [
"*"
],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"ingest_admin": {
"cluster": [
"manage_index_templates",
"manage_pipeline"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"regular_user": {
"cluster": [],
"indices": [
{
"names": [
"logstash_netflow-*"
],
"privileges": [
"index",
"read"
],
"field_security": {
"grant": [
"*"
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
},
"advanced_user": {
"cluster": [],
"indices": [
{
"names": [
"logstash_netflow-*"
],
"privileges": [
"write"
],
"field_security": {
"grant": [
"*"
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
}

GET /_xpack/security/user

{
"elastic": {
"username": "elastic",
"roles": [
"superuser"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"kibana": {
"username": "kibana",
"roles": [
"kibana_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"logstash_system": {
"username": "logstash_system",
"roles": [
"logstash_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"regular": {
"username": "regular",
"roles": [
"regular_user"
],
"full_name": "Regular User",
"email": "regular@company.net",
"metadata": {},
"enabled": true
},
"advanced": {
"username": "advanced",
"roles": [
"advanced_user",
"regular_user"
],
"full_name": "Advanced User",
"email": "advanced@company.net",
"metadata": {},
"enabled": true
}
}


(Steve Kearns) #4

Hi Raj,

Are you trying to use the regular user in Kibana? If yes, you will need to also assign that user the kibana_user role.

Thanks,
Steve


(Raj) #5

Hi Skearns,

Thanks for the quick and fast info, and sorry for the confusion. Actually, in the video it was not mentioned to add kibana_user.

Now, after adding the kibana_user role to the regular user, I am able to access Dev Tools. Now I was trying to PUT a new index to test,
but I am getting this message

and then I tried to add one more privilege to it, create_index,

but still, when I PUT a new index, I get the same error message.

Please do let me know what has to be done.

Thanks,
Raj


(Steve Kearns) #6

Hi Raj,

The create_index privilege is an index-level privilege (meaning you have to create a role that grants you create_index privileges on the index you want to create).

From your role definition there, you have granted privileges to create indexes that begin with logstash_netflow, because you added the create_index privilege to the logstash_netflow* index.

So if you want the ability to create an index called course_index, you will need to click the blue + button next to Granted Fields, to add another "Index Privilege" section, where you can enter course_index as the index name (don't worry that the index name type-ahead doesn't find it - it hasn't yet been created!), then add the read/write/create_index privileges.
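
To make the two answers in this thread concrete, here is an added illustration (not code from the thread, and not Elasticsearch's own authorization implementation) of how index privileges resolve against an action name and an index name. It is a simplified model: the privilege-to-action table is a small assumed subset of the real X-Pack mapping, the role named course_index_user is hypothetical, and the role bodies are constructed in the same shape as the GET /_xpack/security/role output Raj posted. It shows why the regular user was denied indices:data/write/update on Kibana's own index until kibana_user was added, and why create_index on logstash_netflow-* does not allow creating course_index.

```python
"""Simplified model of X-Pack Security index-privilege resolution.

Added example; assumptions: the INDEX_PRIVILEGE_ACTIONS table is a reduced
subset of the real mapping, and the course_index_user role is hypothetical.
"""
import fnmatch

# Constructed subset: named index privilege -> action-name patterns it grants.
INDEX_PRIVILEGE_ACTIONS = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "index": ["indices:data/write/index*", "indices:data/write/update*"],
    "delete": ["indices:data/write/delete*"],
    "write": ["indices:data/write/*"],
    "create_index": ["indices:admin/create"],
}

# Constructed role definitions in the shape returned by GET /_xpack/security/role.
ROLES = {
    # Raj's role: index + read, but only on indices matching logstash_netflow-*.
    "regular_user": {
        "indices": [{"names": ["logstash_netflow-*"],
                     "privileges": ["index", "read"]}],
    },
    # Reserved role Steve's first answer asks for; Kibana updates its .kibana index.
    "kibana_user": {
        "indices": [{"names": [".kibana*"],
                     "privileges": ["manage", "read", "index", "delete"]}],
    },
    # Hypothetical role matching Steve's second answer: a separate index-privilege
    # entry naming course_index explicitly, with read/write/create_index.
    "course_index_user": {
        "indices": [{"names": ["course_index"],
                     "privileges": ["read", "write", "create_index"]}],
    },
}

# Constructed users -> role names (the shape of GET /_xpack/security/user "roles").
USERS = {
    "regular": ["regular_user"],
    "regular_in_kibana": ["regular_user", "kibana_user"],
    "course_owner": ["regular_user", "kibana_user", "course_index_user"],
}


def privilege_covers(privilege, action):
    """True if the named index privilege grants the given action name."""
    patterns = INDEX_PRIVILEGE_ACTIONS.get(privilege, [])
    return any(fnmatch.fnmatchcase(action, pat) for pat in patterns)


def role_authorizes(role, action, index):
    """A role grants the action only through an entry whose names match the index."""
    for entry in role.get("indices", []):
        if not any(fnmatch.fnmatchcase(index, name) for name in entry["names"]):
            continue  # this entry is scoped to other indices; skip it
        if any(privilege_covers(p, action) for p in entry["privileges"]):
            return True
    return False


def is_authorized(username, action, index, users=USERS, roles=ROLES):
    """Roles are unioned: one grant from any assigned role is enough."""
    return any(role_authorizes(roles[name], action, index)
               for name in users.get(username, []))


def describe(username, action, index):
    """Human-readable verdict in the spirit of the 403 message in the thread."""
    if is_authorized(username, action, index):
        return "action [%s] on [%s] is authorized for user [%s]" % (action, index, username)
    return ("[security_exception] action [%s] is unauthorized for user [%s]"
            % (action, username))


if __name__ == "__main__":
    print(describe("regular", "indices:data/write/update", ".kibana"))
    print(describe("regular_in_kibana", "indices:data/write/update", ".kibana"))
    print(describe("regular_in_kibana", "indices:admin/create", "course_index"))
    print(describe("course_owner", "indices:admin/create", "course_index"))
```

Two details of the model carry the lesson: the index-name match is evaluated per privilege entry, so a privilege added to the logstash_netflow-* entry never reaches course_index, and roles combine by union, so adding a narrowly scoped role for the new index is the least-privilege fix rather than widening the existing pattern.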


(Raj) #7

Hi Skearns,

Thank you so much for the info and it works :slight_smile:

Thanks,
Raj


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.