Error when logging in to Kibana

Hi.

I have a problem when logging in to Kibana via proxy authentication:

{"statusCode":403,"error":"Forbidden","message":"no permissions for [indices:data/read/search] and User [name=tong, backend_roles=[tong], requestedTenant=null]: security_exception"}
curl -XGET https://localhost:9200/_opendistro/_security/api/rolesmapping/tong?pretty -u 'admin:admin' -k
{
  "tong" : {
    "hosts" : [ ],
    "users" : [
      "admin"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [ ]
  }
}

curl -XGET https://localhost:9200/_opendistro/_security/api/roles/tong?pretty -u 'admin:admin' -k
{
  "tong" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops_ro"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

@tong6462

Can you run the below curl and paste in the output:

curl --insecure -u tong:<<password>> -XGET "https://localhost:9200/_opendistro/_security/authinfo?pretty"

It’s possible the user is not mapped to the correct role.

@Anthony

Hi. User tong logs in via SSO, so it doesn’t have a password. I use SSO authentication via proxy.
tong is not an internal user.

@tong6462 in that case, can you add user tong to role_mappings, as below:

{
  "tong" : {
    "hosts" : [ ],
    "users" : [
      "admin",
      "tong"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [ ]
  }
}

Currently you are counting on the fact that backend role “admin” is provided by SSO for user tong, which might not be the case, and this will confirm the mapping works.

If it does, you will then need to investigate why the “admin” backend role is not being sent by SSO, and this depends on the SSO itself.
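
Added example, not part of the thread: a small offline check that reads the user name and backend roles out of the 403 message above and tests them against the role mapping as posted and as suggested in the reply. The matching logic in `resolve_roles` is a simplified model of role mapping (user name, any backend role, or all `and_backend_roles`; hosts ignored), and the function names are made up for this illustration.

```python
import re
from fnmatch import fnmatchcase

# 403 message copied from the thread.
ERROR = ("no permissions for [indices:data/read/search] and User "
         "[name=tong, backend_roles=[tong], requestedTenant=null]: security_exception")

# Role mapping "tong" as returned by the API in the thread, and as suggested in the reply.
MAPPING_BEFORE = {"tong": {"users": ["admin"], "backend_roles": ["admin"],
                           "and_backend_roles": []}}
MAPPING_AFTER = {"tong": {"users": ["admin", "tong"], "backend_roles": ["admin"],
                          "and_backend_roles": []}}

def parse_user(message):
    """Extract the user name and backend roles from the security_exception text."""
    m = re.search(r"User \[name=([^,\]]+), backend_roles=\[([^\]]*)\]", message)
    if not m:
        raise ValueError("no user information in message")
    roles = [r.strip() for r in m.group(2).split(",") if r.strip()]
    return m.group(1), roles

def _any_match(patterns, values):
    # Assumption: entries are treated as simple wildcard patterns.
    return any(fnmatchcase(v, p) for p in patterns for v in values)

def resolve_roles(mappings, name, backend_roles):
    """Simplified model: a role applies if the user name matches "users", or any
    backend role matches "backend_roles", or every "and_backend_roles" entry is
    present. Host-based mapping is ignored."""
    resolved = set()
    for role, m in mappings.items():
        and_roles = m.get("and_backend_roles", [])
        if (_any_match(m.get("users", []), [name])
                or _any_match(m.get("backend_roles", []), backend_roles)
                or (and_roles and all(_any_match([p], backend_roles) for p in and_roles))):
            resolved.add(role)
    return resolved

if __name__ == "__main__":
    name, roles = parse_user(ERROR)
    print("user:", name, "| backend roles received:", roles)
    print("mapping as posted   ->", resolve_roles(MAPPING_BEFORE, name, roles))
    print("mapping as suggested ->", resolve_roles(MAPPING_AFTER, name, roles))
```

With the values from the thread, the posted mapping resolves to no role for this user, while the suggested mapping resolves to role `tong`.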