Filebeat permissions

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.13.0

Describe the issue:

I want to use a non-admin user for Filebeat (7.10).
When I try to launch the daemon, I get an error:

talk to server... ERROR 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=filebeat, backend_roles=[develop], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=filebeat, backend_roles=[develop], requestedTenant=null]"},"status":403} 

Configuration:

Develop role is

resource "opensearch_role" "develop" {
  role_name   = "develop"
  description = "Develop role"
  cluster_permissions = [
    "cluster_monitor",
    "cluster_composite_ops",
    "indices:admin/template/get",
    "indices:admin/template/put",
    "cluster:admin/ingest/pipeline/get",
    "cluster:admin/ingest/pipeline/put",
    "cluster:monitor/main",
  ]
  index_permissions {
    index_patterns  = ["*"]
    allowed_actions = ["read", "crud", "create_index", "write"]
  }
}

Relevant Logs or Screenshots:

I tried to research this problem and found that Filebeat tries the root endpoint of each node in the config.
Of course, I tried curl with username:password:

# curl -XGET https://ossec:9200/?pretty -u 'filebeat:password' 
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [cluster:monitor/main] and User [name=filebeat, backend_roles=[develop], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [cluster:monitor/main] and User [name=filebeat, backend_roles=[develop], requestedTenant=null]"
  },
  "status" : 403
}

Hi @DmitriiKuvshinov,

Could you share the output of:

curl -XGET "http://localhost:9200/_plugins/_security/api/roles/develop"

Thanks,
mj

Hey

~# curl -XGET 'https://localhost:9200/_plugins/_security/api/roles/develop?pretty' -u 'admin:password'
{
  "develop" : {
    "reserved" : false,
    "hidden" : false,
    "description" : "Develop role",
    "cluster_permissions" : [
      "cluster_monitor",
      "indices:admin/template/put",
      "indices:admin/template/get",
      "cluster_composite_ops",
      "cluster:admin/ingest/pipeline/get",
      "cluster:admin/ingest/pipeline/put"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "crud",
          "write",
          "read",
          "create_index"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

@DmitriiKuvshinov, it looks like cluster:monitor/main is not there. Could you add it and test again?

best,
mj

~# curl -XGET 'https://localhost:9200/_plugins/_security/api/roles/develop?pretty' -u 'admin:password'
{
  "develop" : {
    "reserved" : false,
    "hidden" : false,
    "description" : "Develop role",
    "cluster_permissions" : [
      "indices:data/write/bulk*",
      "indices:admin/template/put",
      "indices:data/write/index",
      "indices:admin/template/get",
      "cluster:monitor/state",
      "cluster_composite_ops",
      "cluster:monitor/main",
      "indices:data/write/bulk",
      "cluster:admin/ingest/pipeline/get",
      "cluster:admin/ingest/pipeline/put"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "crud",
          "write",
          "read",
          "create_index"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}
~# curl https://localhost:9200?pretty -u 'filebeat:password'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [cluster:monitor/main] and User [name=filebeat, backend_roles=[develop], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [cluster:monitor/main] and User [name=filebeat, backend_roles=[develop], requestedTenant=null]"
  },
  "status" : 403
}

Hi @DmitriiKuvshinov,

How do you map your backend_roles=[develop] to the internal role develop?

Would you mind sharing the output of the following:

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/rolesmapping?pretty

Thanks,
mj

1 Like

Hey, Mantas
Via internal_users.yml

filebeat:
  hash: "password"
  reserved: true
  backend_roles:
  - "develop"
  description: "Filebeat user"

So, I didn’t find the filebeat user in the output.
It’s a little bit strange, but OK…
I just fixed the Terraform code and applied it to the clusters:

resource "opensearch_roles_mapping" "develop" {
  role_name   = opensearch_role.develop.role_name
  description = ""
  users = [
    "filebeat",
  ]
  depends_on = [opensearch_role.develop]
}

After applying it, there are no access errors in the OpenSearch logs.

1 Like
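
The thread's resolution as an added example (not code from any poster or from the OpenSearch project): the Security plugin grants permissions only through roles mapping, so a backend role named develop on the user does not by itself attach the develop role. The sample data is constructed, the function names are hypothetical, and only the cluster_monitor action group is expanded.

```python
import fnmatch

# Simplified expansion of one built-in action group (assumption: only the one needed here).
ACTION_GROUPS = {"cluster_monitor": ["cluster:monitor/*"]}

# Constructed sample data, shaped like the Security REST API responses in the thread.
ROLES = {"develop": {"cluster_permissions": [
    "cluster_monitor", "cluster_composite_ops", "cluster:monitor/main",
    "indices:admin/template/get", "indices:admin/template/put"]}}
MAPPING_BEFORE = {"all_access": {"users": [], "backend_roles": ["admin"]}}
MAPPING_FIXED = dict(MAPPING_BEFORE, develop={"users": ["filebeat"], "backend_roles": []})
USER = {"name": "filebeat", "backend_roles": ["develop"]}


def effective_roles(user, rolesmapping):
    """Security roles the user resolves to: matched by user name or by backend role."""
    matched = set()
    for role, m in rolesmapping.items():
        by_user = any(fnmatch.fnmatchcase(user["name"], p) for p in m.get("users", []))
        by_backend = any(fnmatch.fnmatchcase(b, p)
                         for b in user["backend_roles"]
                         for p in m.get("backend_roles", []))
        if by_user or by_backend:
            matched.add(role)
    return matched


def allowed(action, user, roles, rolesmapping):
    """True if any mapped role grants the cluster action (literal, pattern, or group)."""
    for role in effective_roles(user, rolesmapping):
        for perm in roles.get(role, {}).get("cluster_permissions", []):
            for pattern in ACTION_GROUPS.get(perm, [perm]):
                if fnmatch.fnmatchcase(action, pattern):
                    return True
    return False


def diagnose(action, user, roles, rolesmapping):
    """Explain a 403: roles that would grant the action but are not mapped to the user."""
    mapped = effective_roles(user, rolesmapping)
    everyone = {r: {"users": ["*"]} for r in roles}  # pretend every role is mapped
    granting = {r for r in roles if allowed(action, user, {r: roles[r]}, everyone)}
    return sorted(granting - mapped)
```

A non-empty result from `diagnose` means the permission exists on a role but the user never resolves to that role, which is the state the rolesmapping output exposes.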