User with several roles

rlevitsky · October 11, 2022, 2:14pm

Hi guys,
I have user that mapped several roles:

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_rVision_INT_DB | jq '.[].index_permissions[].dls'
"{ \"match_phrase\": { \"host\": \"cv248.co.com\" } }"

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_EPCF_PROD | jq '.[].index_permissions[].dls'
"{ \"match_phrase\": { \"host\": \"cv196.co.com\" } }"

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_DMB | jq '.[].index_permissions[].dls'
"{ \"bool\": { \"must\": [], \"filter\": [ { \"bool\": { \"should\": [  { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv244.co.com\" } } ], \"minimum_should_match\": 1 } }, { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv319.co.com\" } } ], \"minimum_should_match\": 1 } }], \"minimum_should_match\": 1 } } ] } }"

The issue is k that user, even using the ELK_DMB tenant, is unable to see the logs from mentioned hosts. Instead, he sees the logs from the other tenant.

Could you please help to solve this issue?

pablo · October 11, 2022, 2:38pm

@rlevitsky Could you share the config of these roles?

The tenancy doesn’t control index access but OpenSearch Dashboard objects (i.e. visualisations, dashboards). Index access is controlled by the role.

rlevitsky · October 11, 2022, 3:12pm

Thank you for your reply @pablo , here they are:

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_rVision_INT_DB | jq '.'

{
  "ELK_rVision_INT_DB": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"match_phrase\": { \"host\": \"cv248.co.com\" } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkrvisionintdb*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_rVision_INT_DB"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_EPCF_PROD | jq .

{
  "ELK_EPCF_PROD": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"match_phrase\": { \"host\": \"cv196.co.com\" } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkepcfprod*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_EPCF_PROD"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_DMB | jq .

{
  "ELK_DMB": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"bool\": { \"must\": [], \"filter\": [ { \"bool\": { \"should\": [  { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv244.co.com\" } } ], \"minimum_should_match\": 1 } }, { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv319.co.com\" } } ], \"minimum_should_match\": 1 } }], \"minimum_should_match\": 1 } } ] } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkdmb*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_DMB"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

rlevitsky · October 12, 2022, 1:31pm

Users are able to see cv196 logs only.

pablo · October 12, 2022, 2:04pm

@rlevitsky Just to confirm. Are these roles assigned to a single user?

Is there a chance that you could share a single document for each cv248.co.com, cv196.co.com, cv244.co.com. If not, then maybe index mappings.

rlevitsky · December 14, 2022, 4:14pm

Actually, the issue was that some hosts’ logs didn’t get the mentioned server.
After fixing it, users can search their logs just fine.
So sorry for bothering you.

Topic		Replies	Views
Read Only Accounts Security configure	5	361	February 14, 2024
Index Level Permission of security plugin is not working with list of indices in role Security troubleshoot	12	1118	February 18, 2024
Multi-tenancy for different indices Open Source Elasticsearch and Kibana	11	2460	February 21, 2021
Multitenancy - index permission error Security	1	1114	July 12, 2019
Adding role to user breaks his access Security	2	291	February 5, 2024

User with several roles

Related topics