LDAP groups error with different index

Hi, I'm searching for a solution for different LDAP groups, so that one of them sees one index and the other sees another index. I have followed this manual to integrate LDAP groups with authorization:

The problem is that I can log in without problems with LDAP users, and if I define a backend role with a wildcard (*) for the index, everything works properly.

But if I filter by an index (for example security*) and then log in with my LDAP user, I see a blank page on Discover and this error in Timelion:

“no permissions for [indices:data/read/search] and User [name=CN=XXX…”

Need help please…thanks a lot.

Hi @Orion, permissions errors like this one typically mean you’re authenticating successfully, but that your user/backend role isn’t mapped to the right role(s), or those role(s) don’t have the right permissions. Can you try mapping the kibanauser role to the backend role from LDAP? Then you can map additional roles (with permissions to specific indices) to the backend role, as well, but to use Kibana without errors, you need that kibanauser role (or an equivalent set of permissions).

Hi @aetter, I had the same exact issue…

Getting a 403 security exception on:
/api/saved_objects/_find?type=index-pattern&fields=title&search=*&search_fields=title&per_page=1

error: "Forbidden"
message: "no permissions for [indices:data/read/search] and User [name=ldap_ads_user, roles=[PRC-USER-GROUP], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=ldap_ads_user, roles=[PRC-USER-GROUP], requestedTenant=null]"
statusCode: 403

Role for PRC-USER-GROUP:

{
  "cluster": [],
  "indices": {
    "index1-*": {
      "*": [
        "READ"
      ]
    }
  },
  "tenants": {}
}

Role Mapping:

{
  "backendroles": [
    "PRC-USER-GROUP"
  ],
  "hosts": [],
  "users": []
}

LDAP login is working fine, with the auth info API call populating the backend roles array with the above PRC group.

Is there any other additional step missing in mapping the role to the appropriate indices?

EDIT 1:

If I replace the mapping with this, it works fine.

{
  "cluster": [],
  "indices": {
    "*": {
      "*": [
        "READ"
      ]
    }
  },
  "tenants": {}
}

Even with the specific index name, I experience the same failure:

{
  "cluster": [],
  "indices": {
    "index1-2342": {
      "*": [
        "READ"
      ]
    }
  },
  "tenants": {}
}

After trial runs, I found the solution:

{
  "cluster": [],
  "indices": {
    "index1-*": {
      "*": ["READ"]
    },
    "?kibana*": {
      "*": ["READ"]
    }
  },
  "tenants": {}
}

Adding the second pattern as well gave access to the index pattern that is needed to build in Management. Having kibanauser in the backend role didn't fix the issue in my case.
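The decisive detail in the post above is that the failing request (`/api/saved_objects/_find`) is not a search against `index1-*` at all: Kibana is searching its own saved-objects index, `.kibana`, and the only index pattern in the role did not cover it, so the search action was denied even though the user's data index was readable. The pattern `?kibana*` works because `?` matches the leading dot. The following is an added example (not the poster's or the project's code) that simulates, offline, how a role mapping plus the index patterns in a role decide an `indices:data/read/search` request, using the JSON shapes quoted in this thread. It assumes a simplified READ action group (reduced to the `indices:data/read*` prefix; the real group is broader) and a hypothetical `kibana_user` stand-in role that only grants read access to `.kibana`.

```python
"""Offline simulator of how Open Distro / Search Guard style roles, role
mappings and index patterns decide a request such as
indices:data/read/search.  Added example, not the poster's or the
project's code; role and mapping JSON follow the shapes quoted in the
thread.  Assumptions: the READ action group is reduced to the
indices:data/read* prefix, and kibana_user is a hypothetical stand-in
role that only grants read access to the .kibana index."""
from fnmatch import fnmatchcase

# Assumption: simplified action group (the product's READ group is broader).
ACTION_GROUPS = {"READ": ["indices:data/read*"]}

# Security roles in the thread's JSON format.
ROLES = {
    # Reads index1-* only: nothing covers the .kibana saved-objects index.
    "prc_only": {"cluster": [], "indices": {"index1-*": {"*": ["READ"]}}, "tenants": {}},
    # The working role from the thread: "?kibana*" also matches ".kibana".
    "prc_plus_kibana": {
        "cluster": [],
        "indices": {"index1-*": {"*": ["READ"]}, "?kibana*": {"*": ["READ"]}},
        "tenants": {},
    },
    # Hypothetical stand-in for the built-in Kibana role.
    "kibana_user": {"cluster": [], "indices": {"?kibana*": {"*": ["READ"]}}, "tenants": {}},
}


def expand_actions(perms):
    """Expand action-group names (e.g. READ) into action patterns."""
    out = []
    for p in perms:
        out.extend(ACTION_GROUPS.get(p, [p]))
    return out


def effective_roles(user_name, backend_roles, roles_mapping):
    """Security roles a user inherits via rolesmapping (by backend role or user name)."""
    granted = set()
    for role, mapping in roles_mapping.items():
        by_user = user_name in mapping.get("users", [])
        by_group = set(backend_roles) & set(mapping.get("backendroles", []))
        if by_user or by_group:
            granted.add(role)
    return granted


def matching_grants(index, action, role_names, roles):
    """(role, index pattern) pairs that permit `action` on `index`."""
    hits = []
    for rname in sorted(role_names):
        for pattern, types in roles[rname]["indices"].items():
            if not fnmatchcase(index, pattern):  # '*' and '?' glob, '?' matches '.'
                continue
            for perms in types.values():
                if any(fnmatchcase(action, a) for a in expand_actions(perms)):
                    hits.append((rname, pattern))
                    break
    return hits


def decide(user_name, backend_roles, index, action, roles_mapping, roles=ROLES):
    """Return (allowed, effective roles, matching grants) for one request."""
    eff = effective_roles(user_name, backend_roles, roles_mapping)
    hits = matching_grants(index, action, eff, roles)
    return bool(hits), eff, hits


if __name__ == "__main__":
    # Constructed input: the LDAP user and group from the thread.
    USER, GROUPS = "ldap_ads_user", ["PRC-USER-GROUP"]
    SEARCH = "indices:data/read/search"
    prc_map = {"backendroles": ["PRC-USER-GROUP"], "hosts": [], "users": []}
    scenarios = {
        "prc_only mapped to the LDAP group (the thread's 403)": {"prc_only": prc_map},
        "prc_plus_kibana mapped (the thread's fix)": {"prc_plus_kibana": prc_map},
        "prc_only and kibana_user both mapped to the group": {"prc_only": prc_map, "kibana_user": prc_map},
        "kibana_user mapped only to a 'kibanauser' group LDAP never sends": {
            "prc_only": prc_map,
            "kibana_user": {"backendroles": ["kibanauser"], "hosts": [], "users": []},
        },
    }
    for label, mapping in scenarios.items():
        for idx in ("index1-2342", ".kibana"):
            allowed, eff, hits = decide(USER, GROUPS, idx, SEARCH, mapping)
            verdict = "allowed" if allowed else "DENIED"
            print(f"{label}: {idx}: {verdict} roles={sorted(eff)} via={hits}")
```

Run it as a script and the first scenario reproduces the thread's situation: `index1-2342` is readable but `.kibana` is denied, which is exactly the request Kibana makes when it loads index patterns. The last scenario shows why putting `kibanauser` in the mapping's `backendroles` does nothing unless the LDAP user actually carries that group: the mapping is keyed on the backend roles the directory returns, not on role names you would like the user to have.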

@mkiran18, yeah, that achieves basically the same purpose. Upon logging in, your user/backend role needs to inherit two security roles: your custom one that has permissions to your index, and kibana_user so that you can do basic Kibana things. If you add the Kibana permissions into your custom role, that’s fine, too, just a little harder to maintain.

Thanks @aetter. Maybe I didn't do it correctly; do you have a sample JSON that I can compare for the backend role assignment along with the custom role for the Kibana user?

Tried this:

{
  "backendroles": [
    "PRC-USER-GROUP", "kibanauser"
  ],
  "hosts": [],
  "users": []
}

The above sample won't work, as LDAP might not have kibanauser assigned in Active Directory as the designated role for the users.