Hello everyone,
It is a pleasure to be here with you. I am new to Open Distro (1.2) and have some doubts that I can’t solve by myself.
My intention is to give the user in charge of the Kibana service (by default this user is kibanaserver) more privileges than kibanaserver has.
To do this, I create a role similar to kibanaserver with the new permissions added, and also give it the role of kibanauser.
This is where my doubts arise, because the role of kibanauser is declared as kibana_user.
Image 1. kibana_user role
curl -XGET "https://localhost:9200/_opendistro/_security/api/roles?pretty" -u admin:admin --insecure -k | sort | grep -i kibana
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 14868 100 14868 0 0 52734 0 --:--:-- --:--:-- --:--:-- 52911
"description" : "Provide the minimum permissions for a kibana user",
"description" : "Provide the minimum permissions for the Kibana server",
".kibana_*"
".kibana_*"
".kibana_*"
".kibana_*"
".kibana"
".kibana"
".kibana"
".kibana",
".kibana-6"
".kibana-6"
".kibana-6"
".kibana-6",
"kibana_all_write"
"kibana_read_only" : {
"kibana_server" : {
"kibana_user" : {
Adding the role to my user as follows:
Image 2. Inoperative user
It causes the following error when starting Kibana:
{"type":"log","@timestamp":"2019-10-16T10:52:16Z","tags":["fatal","root"],"pid":3676,"message":"{ [security_exception] no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null] :: {\"path\":\"/.kibana\",\"query\":{},\"statusCode\":403,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\\\"},\\\"status\\\":403}\"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:315:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:274:7)\n at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)\n status: 403,\n displayName: 'AuthorizationException',\n message:\n '[security_exception] no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]',\n path: '/.kibana',\n query: {},\n body:\n { error:\n { root_cause: [Array],\n type: 'security_exception',\n reason:\n 'no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]' },\n status: 403 },\n statusCode: 403,\n response:\n '{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\"},\"status\":403}',\n toString: [Function],\n toJSON: [Function] }"}
On the other hand, if I add the role as follows:
Image 3. Effective user
Kibana works perfectly.
So the question is, why should I add the role as kibanauser instead of kibana_user? How do I know what kibanauser has?
As I am new, I can only post one image; forgive me for having to merge the images, but I think it helps me explain myself better.
Thank you very much in advance,
Alfonso.
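
An added example, not part of the original post: a Python triage helper that pulls the denied action, the user and the role list out of a Kibana fatal log line like the one above, then checks those names against a role mapping. The log line and the mapping are constructed samples; the example assumes that the `roles=[...]` list in the exception holds the user's backend roles and that the cluster maps backend role `kibanauser` to the security role `kibana_user`. `parse_denial` and `mapped_roles` are hypothetical names.

```python
import json
import re

# Denial text emitted by the security plugin: action, user name, and the roles the user carried.
DENIAL = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and "
    r"User \[name=(?P<user>[^,]+), roles=\[(?P<roles>[^\]]*)\]"
)

def parse_denial(log_line):
    """Return action, user and backend roles from one Kibana JSON log line, or None."""
    try:
        message = json.loads(log_line).get("message", "")
    except (ValueError, AttributeError):
        return None  # not JSON, or not a JSON object
    m = DENIAL.search(message)
    if not m:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"action": m.group("action"), "user": m.group("user"), "backend_roles": roles}

def mapped_roles(backend_roles, roles_mapping):
    """Security roles whose mapping lists one of the backend roles (exact match only)."""
    wanted = set(backend_roles)
    return sorted(
        role for role, entry in roles_mapping.items()
        if wanted & set(entry.get("backend_roles", []))
    )

# Constructed sample: the post's fatal log entry, shortened to its first denial.
SAMPLE_LINE = json.dumps({
    "type": "log", "tags": ["fatal", "root"],
    "message": "{ [security_exception] no permissions for [indices:admin/get] and "
               "User [name=sito_test_kibana, roles=[test_kibana, kibana_user], "
               "requestedTenant=null] :: ...",
})

# Assumed mapping (constructed): backend role "kibanauser" maps to security role "kibana_user".
SAMPLE_MAPPING = {"kibana_user": {"backend_roles": ["kibanauser"]}}

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_LINE)
    print(denial)
    # Role names as in the failing setup: nothing in the sample mapping matches.
    print(mapped_roles(denial["backend_roles"], SAMPLE_MAPPING))
    # Role names as in the working setup: resolves to kibana_user.
    print(mapped_roles(["test_kibana", "kibanauser"], SAMPLE_MAPPING))
```

On a real cluster the mapping would come from the security plugin's `_opendistro/_security/api/rolesmapping` endpoint rather than the constructed dictionary used here.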