Limited access to the Security features and Management

In my use case (release 1.10.1), different teams share a cluster.

I want to provide full access to both, however they should only see their stuff. On Discover/Dashboards/Vizualize levels that is handled by tenants, cool.

Now, I want to give them access to the Security plugin, however each one has to see their own users and roles. So, just mapping users to security_rest_api_access role does not help as they see each other’s business. I want to limit that role somehow, so that each one sees his stuff only.

Same for Management section (ISM, DevTools StackManagement). For example a simple GET /_cat/indices in DevTools should not return all indices, but only the ones that the user is supposed to have access to, according to its tenancy. But now the only option I see is to give them the admin backend role which will give them unlimited power to touch each other’s business. Note that I have seen security API access control docs, however that’s to limit actions (GET, POST, etc.), rather than visibility (seeing only team’s data).

Is this use cases somehow covered? Thanks in advance for your time.

I’m assuming that you don’t want to give them full access to the cluster but full access to their own indexes.

So I would create a role for each team. And for each team I would create index-patterns that matches the indexes that they need to have access to and I would give the pattern the allowed_action: indices_all https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/default-action-groups/

I find it easier to understand by looking at the API example

I would not use the “Access control for the API” for this.

Thanks a lot for your prompt reply.

This is exactly what I have done so far actually. Let’s take the example of sample data.

I created a flights_role where I map users of the flights team and a logs_role for the logs users. Of course I indicate the appropriate indices to these roles, giving them indices_all access.

Now, I want my users to also be able to use DevTool for example. So, I need to give them appropriate permissions. For now, the only way I could make them run anything in DevTool is to give them the admin backend role. But then, running GET _cat/indices as flights_user I also see the logs indices.

Same goes actually for the rest (Index Management, Security, etc.). I want both flights and logs users to be able to use these tools, but at the same time restrict them access to each other’s data.

I hope I made it more clear. Please let me know if there are any questions on my setup.

You want to give roles access to specific index patterns . For example:

"index_patterns": [ 'logstash-flight-logs-*' ]

So how does your role look like?

GET _opendistro/_security/api/roles/flights_role
GET _opendistro/_security/api/roles/logs_role

Also do you have some example of index name the roles should have access to?

Flights role:

{
  "flights_rw" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_all"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "kibana_sample_data_flights*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "flights*"
        ],
        "allowed_actions" : [
          "kibana_all_read",
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }
}

Logs role:

{
  "logs_rw" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_all"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "kibana_sample_data_logs*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "logs*"
        ],
        "allowed_actions" : [
          "kibana_all_read",
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }
}

flights_rw role mapping:

{
  "flights_rw" : {
    "hosts" : [ ],
    "users" : [
      "flights*"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}

logs_rw role mapping:

{
  "logs_rw" : {
    "hosts" : [ ],
    "users" : [
      "logs*"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}

And then I have users like flights_rw, flights_ro, logs_rw, logs_ro.

Logging in with flights_rw user I see the Dashboard of the flights index and on Discover I can see the documents of flights and only them. That works fine.

Then, still as flights_rw I go to DevTool and issue GET _cat/indices, getting this:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:monitor/settings/get] and User [name=flights_rw, backend_roles=[], requestedTenant=flights_space]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:monitor/settings/get] and User [name=flights_rw, backend_roles=[], requestedTenant=flights_space]"
  },
  "status" : 403
}

No matter what extra permission I give to flights_rw role, I keep getting the security exception. So, in order to let him run that thing, I give him admin backend role, running as an admin user:

PUT _opendistro/_security/api/internalusers/flights_rw
{
  "backend_roles": ["admin"]
}

Of course, now flights_rw user can run GET _cat/indices and he gets as a result all kind of indices, including indices of flights, logs, security, etc.

Obviously I need to limit him, as having admin access isn’t great. I want him to be able to issue GET _cat/indices and get as a result only the flights-related indices.

With the same logic, I want flights_rw user to also be able to access Security plugin. There I want him to be able to create a user for example. However, when logs_rw logs in, I don’t want him to view the users created by flights_rw and vice versa.

So, in conclusion I am trying to create a limited administrator role that will let user administer their part of the cluster only.

It was a bit of a wall of text but I now hope I understood your problem.

Basically you would want to allow your users to do

GET _cat/indices

and it would return a list of all the indices that they have access to . - This is not possible AFAIK, please correct me if I’m wrong because I would love this feature.

What your users should ATM be able to do is:
GET _cat/indices/kibana_sample_data_logs*
or
GET _cat/indices/kibana_sample_data_flights*

Worth keeping in mind seeing index name != seeing index content.

Did I understand your issue correctly?

These are the allowed action I used to test this:

"allowed_actions": [ "read", "indices:monitor/*" ] },

BTW: This is not related to your issue but I can see that it could be your next problem https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529#issuecomment-712161223

1 Like

Thanks a lot for your time already! Indeed you got my problem and indeed it seems like there is no work-around for this. If I ever find a way I’ll let you know. Also indeed it works with the indices:monitor/* as you said, given that I turn index pattern to * as you mentioned on the reference issue.

Thanks again!

1 Like