Wildcard indices rights

everglade · April 25, 2019, 12:25pm

Too manage who has access to the indices I have made the following role:
Group1:
readonly: false
cluster:
- UNLIMITED
indices:
'logstash-*':
'*':
- READ
- GET
- SEARCH
This role gives my rights on the logstash-* indices. But now I want to change logstash-* to logstash-test*. Only this does not grant me any right. In kibana it says I don’t any right to access the indices. How can I give right to logstash-test* ?

ThibaudF · April 25, 2019, 1:01pm

Hello everglade !

indices:
‘logstash- ’:

I think you have to modify this line to :

indices:
'logstash-*':

You forgot to add the * wildcard.
Right now you only gave rights to indexes named logstash-

Hope I helped
Thi

everglade · April 25, 2019, 1:31pm

Hello ThibaudF,

Thank you for responding. I see that pasting code went wrong. I have changed it. The solution you over offering for works for logstash-* but doesn’t work for logstash-test*. How can I give rights on logstash-test*?

ThibaudF · April 25, 2019, 1:44pm

You are welcome !

I can’t help you further without proper logs or more explanations about what you are trying to do.
Normally, indices logstash-test* are included in logstash-*.

Have you checked your role mappings ?
And if you don’t use the Kibana user interface to manage the settings, don’t forget to use the securityadmin.sh script to update your configuration. (You can find it in /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh)

Thi

everglade · April 25, 2019, 2:10pm

The role mappings is as follows:

Group1:
  readonly: true
  backendroles:
    - Group1

I am try to give Group1 rights on logstash-test*. A second group named Group2 needs rights on logstash-production*. The two groups don’t needs access on each others data.

The logging:

[2019-04-25T15:58:27,708][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elk1] No index-level perm match for User [name=test, roles=[Group1], requestedTenant=test] Resolved [aliases=[], indices=[logstash-test-2019.04.25-6.5.0,logstash-production-2019.04.25-6.5.0]
[2019-04-25T15:58:27,708][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elk1] No permissions for [indices:data/read/search]
    at https://elk1/bundles/commons.bundle.js:1:488270
    at Function.Promise.try (https://elk1/bundles/commons.bundle.js:1:317811)
    at https://elk1/bundles/commons.bundle.js:1:317180
    at Array.map (<anonymous>)
    at Function.Promise.map (https://elk1/bundles/commons.bundle.js:1:317138)
    at callResponseHandlers (https://elk1/bundles/commons.bundle.js:1:487282)
    at https://elk1/bundles/commons.bundle.js:1:470337
    at processQueue (https://elk1/dlls/vendors.bundle.dll.js:293:199687)
    at https://elk1/dlls/vendors.bundle.dll.js:293:200650
    at Scope.$digest (https://elk1/dlls/vendors.bundle.dll.js:293:210412)

With logstash-* I have access to logstash-test-2019.04.25-6.5.0 but with logstash-test* I don’t. The settings are managed by the securityadmin.sh script.

ThibaudF · April 25, 2019, 2:27pm

I think your role mapping should be like that?

---
Group1:
  backendroles: []
  hosts: []
  users:
  - "test"

Not sure but maybe you can try logstash-test-* ?

Did you give kibanauser role to test account?
I am sorry if these don’t work I have no more ideas.

Thi

everglade · April 26, 2019, 12:01pm

Thx. You were right. Adding the - solved the issue.

ThibaudF · April 26, 2019, 12:02pm

Glad I helped !
Have a good day.

Thi

Topic		Replies	Views
Logstash does not have index permissions Security	1	890	May 5, 2021
Wildcards in permissions Security	6	710	May 23, 2023
Setup readonly users Security	2	538	August 16, 2021
Read Only Accounts Security configure	5	224	February 14, 2024
Can't give access to specific indices to a user Security	1	745	December 10, 2021

Wildcard indices rights

Related Topics