Forbidden for creating component templates

coutoPL · September 6, 2023, 4:03pm

@Diana the first log is related to your test on env with ELK 7.17.2 (the allowed one) and the second one for the env with ELK 8.6.x (the forbidden one)? Is it correct?

In the first log, I see: CGR:full-admin. It means on the UI side the selected tenancy was the full-admin.
In the second log, I see: CGR:<N/A>. It means that no tenancy was picked. Which is strange.

Are you able to send us all logs from the log-in step to the issue occurrence?

Diana · September 7, 2023, 9:30am

Hello,

Yes, you are correct.
In the 1st log, the selected tenancy was not full-admin, i was on the rwgroup tenancy.
And in the 2nd log the same, on the rwgroup tenancy.

I will redo the test today and send you a message with all the logs.

coutoPL · September 7, 2023, 5:56pm

Thanks, will take a look

coutoPL · September 7, 2023, 6:23pm

@Diana I need one more thing. In your logs I see that block “Full Admin Users” was matched. But I don’t see the block in the config you attach in one of your posts above.

Could you please send me the config you used in these two tests I have the logs from?

coutoPL · September 11, 2023, 6:38pm

@Diana this should be a workaround for your issue:

 - name: "rwgroup 0"
    groups: ["rwgroup"]
    indices: ["elast*", "diana*"]
    actions: ["indices:data/read/*", "indices:admin/*", "indices:data/write/*", "indices:monitor/data_stream/stats"]

I’m still investigating why we see this different behaviour between these ES versions.

coutoPL · September 11, 2023, 8:00pm

@Diana I think the workaround I gave you above, is a proper solution. IMO without the additional action it doesn’t work in the case of ES 8.6.2 and 7.17.2 too (for the newest ROR).

I’ve created a local env to reproduce your issue: [RORDEV-989] data streams issue? by coutoPL · Pull Request #15 · beshu-tech/ror-sandbox · GitHub
If you still think there is something wrong with it, you can show me using this example how to reproduce your issue.

Diana · September 13, 2023, 9:24am

Hello,

Indeed, the workaround works ok.
One more question, in this moment we have some rules we usually use for our clusters, and all are related to indices only. Should we consider treating data streams separately from indices?

coutoPL · September 13, 2023, 5:34pm

It depends on the business use case.
We have a data_streams rule which can restrict data streams based on names. It’s similar to repositories and snapshots rules.

But at the same time, a data stream is based on indices. So, you are able to use the indices rule as well in case of the data streams.

andrii.yermakov · November 9, 2023, 2:03pm

Hello, if I set “rw” access to the group, how the users can put some templates in dev-tools for example?
I need to restrict to see ROR settings and allow to create the templates for indexes for users, does it possible anyhow?