MISSING_PRIVILEGES prevent displaying TSVB table

I have a dashboard to monitor web service calls. This dashboard displays a time series graph of the WS calls and a summary table (TSVB table). All displayed data are from one index called “infinite”.

I am trying to secure access to this dashboard according to a role previously defined. When a user, authenticated with this role, displays the dashboard, all the data appears fine except the table:


The reason given by the audit log is a MISSING_PRIVILEGE access problem.

By default, the role only grants access to index “infinite”. If I update my role to grant access to all indexes (*), this time the table is correctly displayed.

My feeling (not sure) is that the TSVB table uses some hidden indices to compute data (the table uses the derivative function to compute some of the displayed data) but, for the moment, I am unable to locate them.

Below is the role definition:

{
  "cluster_permissions": [
    "cluster_composite_ops_ro"
  ],
  "index_permissions": [{
    "index_patterns": [
      "infinite"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read",
      "search"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [
      "infinite-monitoring"
    ],
    "allowed_actions": [
      "kibana_all_read"
    ]
  }]
}

The audit message:

{
  "_index": "security-auditlog-2021.09.01",
  "_type": "_doc",
  "_id": "t4l7oXsBntmeAWghK_r_",
  "_version": 1,
  "_score": null,
  "_source": {
    "audit_cluster_name": "opensearch",
    "audit_transport_headers": {
      "X-Opaque-Id": "19b51a5c-a89c-4f34-8940-b38e2ddd46dc"
    },
    "audit_node_name": "dedtinfa24.ext.tdc",
    "audit_trace_task_id": "M4li-W2EQ4KHdaar1KJQCg:57683",
    "audit_transport_request_type": "SearchRequest",
    "audit_category": "MISSING_PRIVILEGES",
    "audit_request_origin": "REST",
    "audit_request_body": "{\"size\":0,\"query\":{\"bool\":{\"filter\":[{\"match_all\":{\"boost\":1.0}}],\"adjust_pure_negative\":true,\"must\":[{\"range\":{\"@timestamp\":{\"format\":\"strict_date_optional_time\",\"include_lower\":true,\"include_upper\":true,\"from\":\"2021-08-31T10:38:15.897Z\",\"boost\":1.0,\"to\":\"2021-08-31T10:50:42.831Z\"}}}],\"boost\":1.0}},\"aggregations\":{\"pivot\":{\"terms\":{\"shard_min_doc_count\":0,\"field\":\"env.keyword\",\"size\":10,\"show_term_doc_count_error\":false,\"min_doc_count\":1,\"order\":[{\"_count\":\"desc\"},{\"_key\":\"asc\"}]},\"aggregations\":{\"877bf9c0-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"877bf9c0-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-denominator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1.0}}},\"877bf9c1-0a3b-11ec-8e6a-57debbc326af\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"numerator\":\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-numerator>_count\",\"denominator\":\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-denominator>_count\"},\"script\":{\"source\":\"params.numerator != null && params.denominator != null && params.denominator > 0 ? 
params.numerator / params.denominator : 0\",\"lang\":\"painless\"}}},\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-numerator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"must\":[{\"query_string\":{\"max_determinized_states\":10000,\"fuzziness\":\"AUTO\",\"auto_generate_synonyms_phrase_query\":true,\"phrase_slop\":0,\"query\":\"wsi_audit.state:STATE_OK\",\"analyze_wildcard\":true,\"fuzzy_transpositions\":true,\"type\":\"best_fields\",\"fuzzy_prefix_length\":0,\"default_operator\":\"or\",\"fuzzy_max_expansions\":50,\"boost\":1.0,\"enable_position_increments\":true,\"fields\":[],\"escape\":false}}],\"boost\":1.0}}}}},\"adfd9c70-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"adfd9c70-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-denominator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1.0}}},\"adfd9c71-0a3b-11ec-8e6a-57debbc326af\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"numerator\":\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-numerator>_count\",\"denominator\":\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-denominator>_count\"},\"script\":{\"source\":\"params.numerator != null && params.denominator != null && params.denominator > 0 ? 
params.numerator / params.denominator : 0\",\"lang\":\"painless\"}}},\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-numerator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"must\":[{\"query_string\":{\"max_determinized_states\":10000,\"fuzziness\":\"AUTO\",\"auto_generate_synonyms_phrase_query\":true,\"phrase_slop\":0,\"query\":\"wsi_audit.state:STATE_KO\",\"analyze_wildcard\":true,\"fuzzy_transpositions\":true,\"type\":\"best_fields\",\"fuzzy_prefix_length\":0,\"default_operator\":\"or\",\"fuzzy_max_expansions\":50,\"boost\":1.0,\"enable_position_increments\":true,\"fields\":[],\"escape\":false}}],\"boost\":1.0}}}}},\"61ca57f1-469d-11e7-af02-69e470af7417\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"61ca57f1-469d-11e7-af02-69e470af7417\"},\"aggregations\":{\"61ca57f2-469d-11e7-af02-69e470af7417\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"count\":\"_count\"},\"script\":{\"source\":\"count * 1\",\"lang\":\"expression\"}}}}},\"d6edf530-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"d6edf530-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"d6edf531-0a3b-11ec-8e6a-57debbc326af\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"count\":\"_count\"},\"script\":{\"source\":\"count * 
1\",\"lang\":\"expression\"}}},\"076dbab0-0a3c-11ec-8e6a-57debbc326af\":{\"derivative\":{\"gap_policy\":\"skip\",\"unit\":\"1h\",\"buckets_path\":[\"0004e8c0-0a3c-11ec-8e6a-57debbc326af\"]}},\"0004e8c0-0a3c-11ec-8e6a-57debbc326af\":{\"cumulative_sum\":{\"buckets_path\":[\"d6edf531-0a3b-11ec-8e6a-57debbc326af\"]}}}},\"c8821800-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"c8821800-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"c8821801-0a3b-11ec-8e6a-57debbc326af\":{\"avg\":{\"field\":\"wsi_audit.responseTime\"}}}}}}},\"timeout\":\"30000ms\",\"track_total_hits\":2147483647}",
    "audit_node_id": "M4li-W2EQ4KHdaar1KJQCg",
    "audit_request_layer": "TRANSPORT",
    "@timestamp": "2021-09-01T13:10:09.149+00:00",
    "audit_format_version": 4,
    "audit_request_remote_address": "127.0.0.1",
    "audit_request_privilege": "indices:data/read/search",
    "audit_node_host_address": "10.59.6.201",
    "audit_request_effective_user": "Utilisateur UNEO",
    "audit_trace_resolved_indices": [
      "security-auditlog-2021.08.20",
      ".kibana_1902137761_infinitemonitoring_1",
      "security-auditlog-2021.09.01",
      ".kibana_1",
      ".kibana_-1136205721_kdf42r_1",
      "security-auditlog-2021.08.25",
      "security-auditlog-2021.08.23",
      ".kibana_-417030821_cngiacominivincentouinterneousitegreenparkouutilisateursoucegedimactivoutououfrouemeadcemeadccegedimdcgrp_1",
      ".kibana_-1760851040_utilisateuruneo_1",
      ".opendistro-reports-definitions",
      ".kibana_810970405_giacominivincent_1",
      "security-auditlog-2021.08.24",
      ".kibana_1139703716_giacominigiacomini_1",
      ".opendistro-reports-instances",
      ".kibana_318017984_signessignes_1",
      ".kibana_253705784_administrateur_1",
      ".kibana_92668751_admin_1",
      "security-auditlog-2021.08.30",
      "security-auditlog-2021.08.31",
      ".opendistro_security",
      "security-auditlog-2021.08.26",
      ".kibana_-1623283867_vincentgiacomini_1",
      "security-auditlog-2021.08.27",
      "infinite"
    ],
    "audit_node_host_name": "10.59.6.201"
  },
  "fields": {
    "@timestamp": [
      "2021-09-01T13:10:09.149Z"
    ]
  },
  "highlight": {
    "audit_request_effective_user": [
      "Utilisateur @opensearch-dashboards-highlighted-field@UNEO@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1630501809149
  ]
}

@vgiacomini

Have you tried to use do_not_fail_on_forbidden in config.yml?

Tested with do_not_fail_on_forbidden set to true: it’s working :smiley:

Thx
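Why the request was denied and what the setting changes, as an added example that is not part of the original posts or the security plugin's own code: it compares the `audit_trace_resolved_indices` of the audit event with the role's `index_patterns` and models the outcome with and without `do_not_fail_on_forbidden`. The function names, the shortened index list, the `fnmatch`-style pattern matching and the `ACTION_GROUPS` expansion are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed from the role and audit event in the question (index list shortened).
ROLE = {"index_permissions": [
    {"index_patterns": ["infinite"], "allowed_actions": ["read", "search"]}]}
AUDIT_EVENT = {
    "audit_category": "MISSING_PRIVILEGES",
    "audit_request_privilege": "indices:data/read/search",
    "audit_trace_resolved_indices": [
        "security-auditlog-2021.09.01", ".kibana_1", ".opendistro_security", "infinite"],
}
# Assumption: hand-written subset of what the "read"/"search" action groups expand to.
ACTION_GROUPS = {"read": ["indices:data/read*"], "search": ["indices:data/read/search*"]}


def allowed_indices(role, privilege, indices):
    """Return the resolved indices on which the role grants the privilege."""
    granted = set()
    for perm in role["index_permissions"]:
        actions = [p for a in perm["allowed_actions"] for p in ACTION_GROUPS.get(a, [a])]
        if any(fnmatchcase(privilege, a) for a in actions):
            granted.update(i for i in indices
                           if any(fnmatchcase(i, pat) for pat in perm["index_patterns"]))
    return sorted(granted)


def evaluate(role, event, do_not_fail_on_forbidden):
    """Model both behaviours: reject the whole request, or trim it to permitted indices."""
    resolved = event["audit_trace_resolved_indices"]
    permitted = allowed_indices(role, event["audit_request_privilege"], resolved)
    denied = sorted(set(resolved) - set(permitted))
    if not denied:
        return {"outcome": "allowed", "searched": permitted, "denied": []}
    if do_not_fail_on_forbidden and permitted:
        return {"outcome": "allowed_reduced", "searched": permitted, "denied": denied}
    return {"outcome": "MISSING_PRIVILEGES", "searched": [], "denied": denied}


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, evaluate(ROLE, AUDIT_EVENT, flag))
```

The `denied` list is what granting `*` was covering: the audit log, tenant and security configuration indices that the search resolved to. With the setting enabled the role can stay scoped to `infinite`.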