403 Error for indexes starting with dot

ravjanga · February 8, 2019, 5:18am

Hello ROR team,

Below is my scenario.

    - name:          "::DEFAULT_CLUSTER_ADMIN_JWT::"
      verbosity:     error
      kibana_access: admin
      kibana_index:  ".kibana-cluster-default"
      jwt_auth:
        name: "CFXDLS_JWT_DEFAULT"
        roles: ["cluster_admin"]

In the above, the user has admin access. In this case, the user is trying to access another index .tenants and he is getting 403 error. Why is he getting 403 error when he has admin access. Do we assume that indexes that start with dot are kibana indexes?

sscarduzio · February 8, 2019, 12:39pm

No, it’s because kibana_access: admin does not mean they can access all indices and all actions.
If you want that kind of privilege, just remove the kibana_access rule all together.

Explained better in see the documentation.

sscarduzio · February 8, 2019, 12:40pm

BTW @ravjanga, could you use the “</>” icon in the forum text editor to wrap your YAML examples as code?

ravjanga · February 9, 2019, 3:56am

sure. Sorry for missing it.

ravjanga · February 9, 2019, 4:00am

Originally we had the rule like below.

     - name:          "::DEFAULT_CLUSTER_ADMIN_JWT::"
      verbosity:     error
      jwt_auth:
        name: "CFXDLS_JWT_DEFAULT"
        roles: ["cluster_admin"]

This was resulting in some unusual behavior. When the user logged into kibana UI, he was seeing some index patterns. In the meanwhile, we have tenant specific user with restrictive access and specific kibana index, who logged in via a SCRIPT to update his dashboards. In the meanwhile we refreshed the UI of the above logged user in the UI, it was showing index patterns of the user who logged in via the script.

Is it ok if I just specify like below.

    - name:          "::DEFAULT_CLUSTER_ADMIN_JWT::"
      verbosity:     error
      kibana_index:  ".kibana-cfxdls-cluster-default"
      jwt_auth:
        name: "CFXDLS_JWT_DEFAULT"
        roles: ["cluster_admin"]

sscarduzio · February 9, 2019, 2:51pm

Well, if you don’t specify their own kibana index, they will fall back to using “.kibana” or whatever is the default kibana index you configured in Kibana.

If you don’t configure a unique kibana index, the user will be associated to the default tenancy.