LDAP groups error with different index

Hi, i’m searching a solution for different groups of LDAP that one of them see an index and other one see other index. I have followed this manual to integrate ldap groups with authorization:

The problem is that, i can login without problems with users of LDAP and if i define a backend role with a with a wildcard (*) at index all work properly.

But if i filter by an index (for example security*) and then login with my user of LDAP i see a blank page on Discover and this error at Timelion:

“no permissions for [indices:data/read/search] and User [name=CN=XXX…”

Need help please…thanks a lot.

1 Like

Hi @Orion, permissions errors like this one typically mean you’re authenticating successfully, but that your user/backend role isn’t mapped to the right role(s), or those role(s) don’t have the right permissions. Can you try mapping the kibanauser role to the backend role from LDAP? Then you can map additional roles (with permissions to specific indices) to the backend role, as well, but to use Kibana without errors, you need that kibanauser role (or an equivalent set of permissions).

Hi @aetter , I had the same exaact issue …

Getting 403 security exception on :
/api/saved_objects/_find?type=index-pattern&fields=title&search=*&search_fields=title&per_page=1

error: "Forbidden"
message: "no permissions for [indices:data/read/search] and User [name=ldap_ads_user, roles=[PRC-USER-GROUP], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=ldap_ads_user, roles=[PRC-USER-GROUP], requestedTenant=null]"
statusCode: 403

Role for PRC-USER-GROUP:

{
  "cluster": [],
  "indices": {
    "index1-*": {
      "*": [
        "READ"
      ]
    }
  },
  "tenants": {}
}

Role Mapping :

 { 
      "backendroles": [
      "PRC-USER-GROUP"
      ],
     "hosts": [],
      "users": []
    }

LDAP login is working fine with the auth info api call populating backend roles array with the above PRC group.

is there any other additional step missing in mapping the role to appropriate indices ?
EDIT 1:

If i replace the mapping with it works fine.

{
      "cluster": [],
      "indices": {
        "*": {
          "*": [
            "READ"
          ]
        }
      },
      "tenants": {}
    }

Even the specific Index name also , experiencing the same failure:

{
      "cluster": [],
      "indices": {
        "index1-2342": {
          "*": [
            "READ"
          ]
        }
      },
      "tenants": {}
    }

After trial runs , Found the solution :

{
  "cluster": [],
  "indices": {
    "index1-*": {
      "*": ["READ"]
    },
    "?kibana*": {
      "*": ["READ"]
    }
  },
  "tenants": {}
}

Add the second pattern as well and it gave access to the pattern of the indices that is needed to build in management. Having kibanauser in the backend role didnt fix the issue for my case.

@mkiran18, yeah, that achieves basically the same purpose. Upon logging in, your user/backend role needs to inherit two security roles: your custom one that has permissions to your index, and kibana_user so that you can do basic Kibana things. If you add the Kibana permissions into your custom role, that’s fine, too, just a little harder to maintain.

Thanks @aetter, May be i didnt do it correctly, do you have sample json that i can compare the backend role assignment along with custom role for kibana user.

Tried this :

{ 
      "backendroles": [
      "PRC-USER-GROUP","kibanauser"
      ],
     "hosts": [],
      "users": []
    }

Above sample wont work as the LDAP might not have kibanauser assigned in the Active Directory as the user designated role for the users.

I added my LDAP group (ES-readall) to the backend roles for the kibana_user in addition to the role with the applicable index permissions, which allowed the correct permissions in kibana. Opendistro 1.1.0/Elastic 7.1.1

roles_mapping.yml
---
kibana_user:
  reserved: false
  hidden: false
  backend_roles:
  - "kibanauser"
  - "ES-readall"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps kibanauser to kibana_user"
_meta:
  type: "rolesmapping"
  config_version: 2
readall:
  reserved: false
  hidden: false
  backend_roles:
  - "readall"
  - "ES-readall"
  hosts: []
  users: []
  and_backend_roles: []

Thanks @kiowajoe,

is your user a LDAP user or user specific to elastic only ?

if LDAP can you check on the : /api/v1/auth/authinfo api call response for “backend_roles” attribute, it usually has all the roles from active directory, my understanding is that unless “kibanauser” part of active directory roles, it do not match with the backend_roles of the role_mapping and kibana login will still fail.

Thanks

This is an LDAP user, and maybe I misspoke. My understanding was that adding the appropriate retrieved ldap roles to the backend_roles in the mapping for the kibana_user role was all that was needed. The same permissions in the kibana_user could be added to a custom role, but that would increase management requirements. The backend_roles listed in the authinfo request has the backend_role I map to kibana_user role and readall role. There aresome others that do not map to elasticsearch roles, since I just pull what groups they are members of. But, I have no kibanauser in the backend_roles output from authinfo. Seems to work normally for me with that config.

From https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/users-roles/#map-users-to-roles …Specify users, backend roles (roles from from LDAP or Active Directory), and hosts as desired.

Thanks @kiowajoe , Will try with this option as well.