Unable to download CSV reports from Kibana using Read-Only user

We have created a Read-only Kibana user which has read access to all indices, but while trying to generate a CSV report from a saved search it's showing an insufficient privileges error. Tried adding the missing privileges as mentioned in the error, but still unable to download. It works only with admin privileges. Can anyone please help to resolve this issue?

Below is the error in the logs,

"{ Error: [security_exception] no permissions for [cluster:admin/opendistro/reports/menu/download]

Opendistro Version : opendistro-es-1.13.2

Thank you,
Jaise

Moved to the security category.

@jaise Could you share the Read-Only user’s role config?

Also, please share your kibana.yml file.

@jaise I did some testing and I’ve found that the following permissions allow downloading CSV reports.

cluster:

cluster:admin/opendistro/reports/menu/download

index:

read, indices:monitor/settings/get

Hi @pablo ,

Thank you for looking into this.

Tried the permissions mentioned, but still unable to download CSVs. Followed the below steps to configure Read-only user,

I created a new tenant “kibanaro” and backend role “kibanaro” with below permissions,

For Cluster Permissions,

cluster:admin/opendistro/reports/menu/download

For Index Permissions,

Index - fluentd*, .kibana

Index Permissions -
read, indices:monitor/settings/get

For tenant permissions,

Tenant - kibanaro

Then assigned “kibanaro, readall” backend roles to “kibanaro” user.
But still unable to generate CSVs and getting below error,

{“type”:“log”,“@timestamp”:“2022-02-01T09:02:40Z”,“tags”:[“error”,“plugins”,“opendistroReportsKibana”],“pid”:1,“message”:“{ Error: [security_exception] no permissions for [cluster:admin/opendistro/reports/menu/download] and User [name=kibanaro, backend_roles=[kibanaro, readall], requestedTenant=user]\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/lodash/lodash.js:4949:19)\n at IncomingMessage.emit (events.js:203:15)\n at endReadableNT (_stream_readable.js:1145:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)\n status: 403,\n displayName: ‘AuthorizationException’,\n message:\n ‘[security_exception] no permissions for [cluster:admin/opendistro/reports/menu/download] and User [name=kibanaro, backend_roles=[kibanaro, readall], requestedTenant=user]’,\n path: ‘/_opendistro/_reports/on_demand’,\n query: {},\n body:\n { error:\n { root_cause: [Array],\n type: ‘security_exception’,\n reason:\n ‘no permissions for [cluster:admin/opendistro/reports/menu/download] and User [name=kibanaro, backend_roles=[kibanaro, readall], requestedTenant=user]’ },\n status: 403 },\n statusCode: 403,\n response:\n ‘{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:admin/opendistro/reports/menu/download] and User [name=kibanaro, backend_roles=[kibanaro, readall], requestedTenant=user]"}],"type":"security_exception","reason":"no permissions for [cluster:admin/opendistro/reports/menu/download] and User [name=kibanaro, backend_roles=[kibanaro, readall], requestedTenant=user]"},"status":403}’,\n toString: [Function],\n toJSON: [Function] }”}

@jaise Try removing the kibanaro role from the backend roles in the kibanaro user’s profile. Then, in the kibanaro role, map the kibanaro user.

Thank you @pablo !!

User mapping was not done properly; that caused the issue.
Followed your steps exactly and was able to generate CSVs for the Read-Only user.

Thank you again for the help!!!
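The resolution above comes down to role mapping: a role's permissions reach a user only through a mapping entry, not through a backend role that happens to share the role's name. The following is an added example, not code from the thread or from the Open Distro project. It parses a denial reason of the shape quoted above and checks it against a simplified model of role resolution (mapping by user name or backend role only); the `ROLES` and `MAPPING_*` dictionaries are assumptions constructed for illustration.

```python
import fnmatch
import re

# Constructed log excerpt in the shape of the 403 reason quoted in the thread.
SAMPLE_REASON = ("no permissions for [cluster:admin/opendistro/reports/menu/download] "
                 "and User [name=kibanaro, backend_roles=[kibanaro, readall], requestedTenant=user]")

# Role from the thread (cluster permissions only; index and tenant parts omitted).
ROLES = {"kibanaro": {"cluster_permissions": ["cluster:admin/opendistro/reports/menu/download"]}}

# Assumed mappings: "before" ties nothing to the role, "after" maps the user to it.
MAPPING_BEFORE = {"kibanaro": {"users": [], "backend_roles": []}}
MAPPING_AFTER = {"kibanaro": {"users": ["kibanaro"], "backend_roles": []}}

REASON_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<name>[^,\]]+), backend_roles=\[(?P<backend>[^\]]*)\]")

def parse_denial(reason):
    """Extract the denied action, user name and backend roles from the reason string."""
    m = REASON_RE.search(reason)
    if m is None:
        raise ValueError("not a security_exception permission denial")
    backend = [b.strip() for b in m.group("backend").split(",") if b.strip()]
    return m.group("action"), m.group("name"), backend

def effective_roles(name, backend_roles, mapping):
    """A role applies only if the mapping lists the user name or one of its backend roles."""
    return sorted(role for role, entry in mapping.items()
                  if name in entry.get("users", [])
                  or set(backend_roles) & set(entry.get("backend_roles", [])))

def explain(reason, roles, mapping):
    """Return (allowed, effective roles, roles that would grant the denied action)."""
    action, name, backend = parse_denial(reason)
    granting = sorted(role for role, spec in roles.items()
                      if any(fnmatch.fnmatchcase(action, pattern)
                             for pattern in spec.get("cluster_permissions", [])))
    effective = effective_roles(name, backend, mapping)
    return bool(set(effective) & set(granting)), effective, granting

if __name__ == "__main__":
    for label, mapping in (("before", MAPPING_BEFORE), ("after", MAPPING_AFTER)):
        print(label, explain(SAMPLE_REASON, ROLES, mapping))
```

When the granting role exists but is missing from the effective roles, the gap is in the mapping rather than in the role's permission list.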