Cannot create role through Kibana interface

#1

I’m currently testing opendistro, and I’m stuck with creating roles via the Kibana Security GUI. The effect seems to be that the role I create grants no permissions. For example:

Expected Result #1:

$ curl localhost:9200
Unauthorized

Expected Result #2:

$ curl -u logstash:logstash localhost:9200
{
"name" : "node-0",
"cluster_name" : "elasticsearch",

Expected Result #3:
Create new user user1 in the GUI and give him the role logstash

curl -u user1:password123 localhost:9200
{
"name" : "node-0",
"cluster_name" : "elasticsearch",

Unexpected Result:
Copy role logstash as role cloned. Expect to see the cluster info message, get 403

$ curl -u user1:password123 localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=user1, roles=[cloned], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=user1, roles=[cloned], requestedTenant=null]"},"status":403}

I see an ES error when I try to curl the endpoint, but I’m not sure what the root issue is:

[2019-03-29T16:54:47,880][INFO ][c.a.o.s.p.PrivilegesEvaluator] [node-0] No cluster-level perm match for User [name=user1, roles=[cloned], requestedTenant=null] Resolved [aliases=, indices=, allIndices=, types=, isAll()=false, isEmpty()=false] [Action [cluster:monitor/main]] [RolesChecked [own_index]]
[2019-03-29T16:54:47,880][INFO ][c.a.o.s.p.PrivilegesEvaluator] [node-0] No permissions for [cluster:monitor/main]

Is there something missing in my process?

#2

Querying the roles API endpoint shows I should have permissions:

$ curl -u admin:admin http://localhost:9200/_opendistro/_security/api/roles/cloned
{"cloned":{"cluster":["CLUSTER_MONITOR","CLUSTER_COMPOSITE_OPS","indices:admin/template/get","indices:admin/template/put"],"indices":{"logstash-*":{"*":["CRUD","CREATE_INDEX"]},"*beat*":{"*":["CRUD","CREATE_INDEX"]}}}}

#3

Solved. Apparently, creating a role also requires creating a role mapping for it to have an effect.

2 Likes
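The behaviour in this thread can be reproduced offline. The following is an added example, not code from the posters or from the Open Distro project: it models role-mapping resolution in simplified form to show why the log reports `RolesChecked [own_index]` for a user carrying `cloned`, and how to list roles that no mapping assigns. The sample mappings are constructed, and it assumes the role given to the user in the GUI is a backend role and that a default mapping assigns `own_index` to all users.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the roles and rolesmapping API responses
# (permission bodies omitted; only the role names matter here).
ROLES = {"logstash": {}, "own_index": {}, "cloned": {}}
MAPPINGS_BEFORE = {
    "own_index": {"users": ["*"]},               # assumed default mapping
    "logstash": {"backendroles": ["logstash"]},  # assumed default mapping
}
# The fix from post #3: a mapping entry for the new role.
MAPPINGS_AFTER = {**MAPPINGS_BEFORE, "cloned": {"backendroles": ["cloned"]}}


def _subjects(mapping):
    """Return (user patterns, backend-role patterns) of one mapping entry."""
    backends = mapping.get("backendroles") or mapping.get("backend_roles") or []
    return mapping.get("users") or [], backends


def mapped_roles(user, backend_roles, mappings):
    """Security roles a request is checked against (host rules are ignored here)."""
    resolved = set()
    for role, mapping in mappings.items():
        users, backends = _subjects(mapping)
        by_user = any(fnmatchcase(user, p) for p in users)
        by_backend = any(fnmatchcase(b, p) for b in backend_roles for p in backends)
        if by_user or by_backend:
            resolved.add(role)
    return resolved


def unmapped_roles(roles, mappings):
    """Roles that are defined but that no mapping entry assigns to anyone."""
    return sorted(r for r in roles if not any(_subjects(mappings.get(r, {}))))


if __name__ == "__main__":
    print("unmapped:", unmapped_roles(ROLES, MAPPINGS_BEFORE))
    for label, m in (("before", MAPPINGS_BEFORE), ("after", MAPPINGS_AFTER)):
        print(label, sorted(mapped_roles("user1", ["cloned"], m)))
```

Running `unmapped_roles` over the real roles and rolesmapping API output after every role change catches roles that exist but grant nothing, before a user hits the 403.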