I have a group that I created for certain users. the users of that group should have the ability to create any visualizations/dashboards, mess around with discover on the index, etc.
I’d like them to be able to create/modify/delete their own indexes but not modify or delete the core data indexes.
I started by creating the group as outlined in the multitenancy docs.
I was getting errors trying to log in as the user so i added actions to the group.
actions:[“indices:admin/create”,"…"] - basically any error i added the action here. and most of the errors went away and the user is okay to log in but then when they try to add an index with Dev Tools i keep getting the error of
The user is connected via sha256 and the action is already in the action line for the group. What am I missing - and how do I limit the user to what I want them to be able to do?
I have to hand transfer and sanitize these FORBIDDEN by default req={ ID:<sting>, TYP:CreateIndexRequest, CGR: TESTGRP, USR:[user not logged], BRS:false, KDX:null, ACT:indices:admin/create, OA:127.0.0.1/32, XFF:x-forwarded for=<src pc>, DA:127.0.0.1/32, IDX:<N/A>, MET:PUT, PTH:/testy?pretty, CNT:<N/A>, HDR:Connection=close, Content-length=0, Host=localhost:9200, authorization=Basic dGV<remainingstring>, x-forwarded-for=<srcpc>, x-forwarded-host=<mykibana>:5601, x-forwarded-port=50451, x-orwarded-proto=https, x-ror-current-group=TESTGRP, HIS:
which then lists all of the groups which all have false except for [::TESTGRP:: ->[groups->true, kibana_access->false]]}
the user is logged in first then tries to create an index in dev tools like PUT testy
Thanks @mdnuts for taking the time to transcript the log line. I see here two things:
We are printing the log line of a request in its final state (FORBIDDEN), at this point we should have evaluated the authorization header, but still we print “USR: [user not logged]”, I see this as a bug. @coutoPL can you confirm?
The configuration issue. You are most likely mixing “kibana_access” with “actions” rules in the same block. This prevents “kibana_access” from working properly. Please add another block identical to the current one, but without “kibana_access” and with the “actions” rule instead.
You can create a block with “type: forbid”. Remember to be very specific (i.e. include “auth_key” rule as well) otherwise you end up blocking other random requests.
can there be only one group with kibana_access: admin?
I was testing this by adding a group of testing_a with kibana_access: admin and a test user of testy who was part of the testing_a group. The test user couldn’t get to discovery. ROR keptputting errors of ACT:incides:data/read/msearch.
If I changed group membership from kibana_a to Admins - the test user could get to discovery just fine. The user wasn’t a member of anything else.
@mdnuts there is no limitation on how many groups or users can be associated to kibana_access: admin.
Probably you had some requests from one session getting matched by some ACL block that was declared before. You can inspect this removing “verbosity: error” from the blocks, using Kibana with the problematic user, and verifying that the requests are “ALLOWED” by the right block names.
Sometimes this can be fixed byre-ordering of the ACL blocks, or making the ACL blocks more specific.