XpackSecurity

Raj_Kumar · June 1, 2017, 1:55pm

Hi All,
I registered for Xpack security Elearning video ,I followed exactly how they demonstrated and I created a same regular use for testing purpose to check if it works for me

I created a regular role with only index and read access to one index,and then i created a regular user, added this regular role to it.

To confirm if works,i logged out from elastic user and I logged in to regular user.

Iam able to login but when i clicked on dev tools to see if i can get or read that index but am getting this error

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [regular]

and am not even tried to delete , i know if I delete the documents in indexes I will get 403 exception error but am not even able to get in dev tools .

Please anyone let me know what has to be done

Thanks in advance,
Raj

Mike.Barretta · June 1, 2017, 3:15pm

Can you share the output of:

GET /_xpack/security/role

and

GET /_xpack/security/user

?

Raj_Kumar · June 1, 2017, 4:45pm

GET /_xpack/security/role

Sorry its bit long

{
"watcher_admin": {
"cluster": [
"manage_watcher"
],
"indices": [
{
"names": [
".watches",
".triggered_watches",
".watcher-history-"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"logstash_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_user": {
"cluster": [],
"indices": [
{
"names": [
".kibana"
],
"privileges": [
"manage",
"read",
"index",
"delete"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_user": {
"cluster": [
"monitor_ml"
],
"indices": [
{
"names": [
".ml-anomalies*",
".ml-notifications"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"remote_monitoring_agent": {
"cluster": [
"manage_index_templates",
"manage_ingest_pipelines",
"monitor",
"cluster:admin/xpack/watcher/watch/get",
"cluster:admin/xpack/watcher/watch/put",
"cluster:admin/xpack/watcher/watch/delete"
],
"indices": [
{
"names": [
".marvel-es-",
".monitoring-"
],
"privileges": [
"all"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_admin": {
"cluster": [
"manage_ml"
],
"indices": [
{
"names": [
".ml-"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"watcher_user": {
"cluster": [
"monitor_watcher"
],
"indices": [
{
"names": [
".watches",
".watcher-history-"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"monitoring_user": {
"cluster": [],
"indices": [
{
"names": [
".marvel-es-",
".monitoring-"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"reporting_user": {
"cluster": [],
"indices": [
{
"names": [
".reporting-"
],
"privileges": [
"read",
"write"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [
{
"names": [
".kibana",
".reporting-"
],
"privileges": [
"all"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"transport_client": {
"cluster": [
"transport_client"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"superuser": {
"cluster": [
"all"
],
"indices": [
{
"names": [
""
],
"privileges": [
"all"
]
}
],
"run_as": [
""
],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"ingest_admin": {
"cluster": [
"manage_index_templates",
"manage_pipeline"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"regular_user": {
"cluster": [],
"indices": [
{
"names": [
"logstash_netflow-"
],
"privileges": [
"index",
"read"
],
"field_security": {
"grant": [
""
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
},
"advanced_user": {
"cluster": [],
"indices": [
{
"names": [
"logstash_netflow-"
],
"privileges": [
"write"
],
"field_security": {
"grant": [
"*"
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
}

GET /_xpack/security/user

{
"elastic": {
"username": "elastic",
"roles": [
"superuser"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"kibana": {
"username": "kibana",
"roles": [
"kibana_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"logstash_system": {
"username": "logstash_system",
"roles": [
"logstash_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"regular": {
"username": "regular",
"roles": [
"regular_user"
],
"full_name": "Regular User",
"email": "regular@company.net",
"metadata": {},
"enabled": true
},
"advanced": {
"username": "advanced",
"roles": [
"advanced_user",
"regular_user"
],
"full_name": "Advanced User",
"email": "advanced@company.net",
"metadata": {},
"enabled": true
}
}

skearns · June 1, 2017, 5:55pm

Hi Raj,

Are you trying to use the regular user in Kibana? If yes, you will need to also assign that user the kibana_user role.

Thanks,
Steve

Raj_Kumar · June 1, 2017, 8:04pm

Hi Skearns,

Thanks for the quick and fast info and sorry for the confusion ,actually in the video it was not mentioned to add kibana_user

Now after adding kibana_user role to regular user am able to access Dev tools, now I was trying to PUT a new index to test
but am getting this message

and then I tried to add to one more privilege to it create_index

still when I PUT new index same error message.

Please do let me know what has to be done.

Thanks,
Raj

skearns · June 2, 2017, 1:29am

Hi Raj,

The create_index privilege is an index-level privilege (meaning you have to create a role that grants you create_index privileges on the index you want to create).

From your role definition there, you have granted privileges to create indexes that begin with logstash_netflow, because you added the create_index privilege to the logstash_netflow* index.

So if you want the ability to create an index called course_index, you will need to click the blue + button next to Granted Fields, to add another "Index Privilege" section, where you can enter course_index as the index name (don't worry that the index name type-ahead doesn't find it - it hasn't yet been created!), then add the read/write/create_index privileges.

Raj_Kumar · June 2, 2017, 8:34am

Hi Skearns,

Thank you so much for the info and it works

Thanks,
Raj

system · June 30, 2017, 8:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Security_exeption Xpack Elasticsearch	4	3923	August 15, 2017
Permission issue Elasticsearch	5	2229	April 12, 2018
[security_exception] action [indices:data/read/search] Elasticsearch elastic-stack-security	2	3969	July 29, 2019
Xpack - How to create kibana user Elasticsearch elastic-stack-security	6	399	August 22, 2019
X-Pack Role Based Access to Index/Indices Elasticsearch	3	371	July 16, 2018

XpackSecurity

Related Topics