I have a dashboard to monitor web service calls. This dashboard displays a time series graph of the WS calls and a summary table (TSVB table). All displayed data comes from one index called “infinite”.
I am trying to secure access to this dashboard according to a previously defined role. When a user authenticated with this role displays the dashboard, all the data appears fine except the table:
The reason given by the audit log is a MISSING_PRIVILEGES access problem.
By default, the role only grants access to the index “infinite”. If I update my role to grant access to all indexes (*), this time the table is displayed correctly.
My feeling (I am not sure) is that the TSVB table uses some hidden indices to compute its data (the table uses the derivative function to compute some of the displayed data), but for the moment I am unable to locate them.
Below is the role definition:
{
"cluster_permissions": [
"cluster_composite_ops_ro"
],
"index_permissions": [{
"index_patterns": [
"infinite"
],
"dls": "",
"fls": [],
"masked_fields": [],
"allowed_actions": [
"read",
"search"
]
}],
"tenant_permissions": [{
"tenant_patterns": [
"infinite-monitoring"
],
"allowed_actions": [
"kibana_all_read"
]
}]
}
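The audit message (its `audit_trace_resolved_indices` field lists the indices that the denied search request resolved to):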
{
"_index": "security-auditlog-2021.09.01",
"_type": "_doc",
"_id": "t4l7oXsBntmeAWghK_r_",
"_version": 1,
"_score": null,
"_source": {
"audit_cluster_name": "opensearch",
"audit_transport_headers": {
"X-Opaque-Id": "19b51a5c-a89c-4f34-8940-b38e2ddd46dc"
},
"audit_node_name": "dedtinfa24.ext.tdc",
"audit_trace_task_id": "M4li-W2EQ4KHdaar1KJQCg:57683",
"audit_transport_request_type": "SearchRequest",
"audit_category": "MISSING_PRIVILEGES",
"audit_request_origin": "REST",
"audit_request_body": "{\"size\":0,\"query\":{\"bool\":{\"filter\":[{\"match_all\":{\"boost\":1.0}}],\"adjust_pure_negative\":true,\"must\":[{\"range\":{\"@timestamp\":{\"format\":\"strict_date_optional_time\",\"include_lower\":true,\"include_upper\":true,\"from\":\"2021-08-31T10:38:15.897Z\",\"boost\":1.0,\"to\":\"2021-08-31T10:50:42.831Z\"}}}],\"boost\":1.0}},\"aggregations\":{\"pivot\":{\"terms\":{\"shard_min_doc_count\":0,\"field\":\"env.keyword\",\"size\":10,\"show_term_doc_count_error\":false,\"min_doc_count\":1,\"order\":[{\"_count\":\"desc\"},{\"_key\":\"asc\"}]},\"aggregations\":{\"877bf9c0-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"877bf9c0-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-denominator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1.0}}},\"877bf9c1-0a3b-11ec-8e6a-57debbc326af\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"numerator\":\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-numerator>_count\",\"denominator\":\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-denominator>_count\"},\"script\":{\"source\":\"params.numerator != null && params.denominator != null && params.denominator > 0 ? 
params.numerator / params.denominator : 0\",\"lang\":\"painless\"}}},\"877bf9c1-0a3b-11ec-8e6a-57debbc326af-numerator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"must\":[{\"query_string\":{\"max_determinized_states\":10000,\"fuzziness\":\"AUTO\",\"auto_generate_synonyms_phrase_query\":true,\"phrase_slop\":0,\"query\":\"wsi_audit.state:STATE_OK\",\"analyze_wildcard\":true,\"fuzzy_transpositions\":true,\"type\":\"best_fields\",\"fuzzy_prefix_length\":0,\"default_operator\":\"or\",\"fuzzy_max_expansions\":50,\"boost\":1.0,\"enable_position_increments\":true,\"fields\":[],\"escape\":false}}],\"boost\":1.0}}}}},\"adfd9c70-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"adfd9c70-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-denominator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1.0}}},\"adfd9c71-0a3b-11ec-8e6a-57debbc326af\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"numerator\":\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-numerator>_count\",\"denominator\":\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-denominator>_count\"},\"script\":{\"source\":\"params.numerator != null && params.denominator != null && params.denominator > 0 ? 
params.numerator / params.denominator : 0\",\"lang\":\"painless\"}}},\"adfd9c71-0a3b-11ec-8e6a-57debbc326af-numerator\":{\"filter\":{\"bool\":{\"adjust_pure_negative\":true,\"must\":[{\"query_string\":{\"max_determinized_states\":10000,\"fuzziness\":\"AUTO\",\"auto_generate_synonyms_phrase_query\":true,\"phrase_slop\":0,\"query\":\"wsi_audit.state:STATE_KO\",\"analyze_wildcard\":true,\"fuzzy_transpositions\":true,\"type\":\"best_fields\",\"fuzzy_prefix_length\":0,\"default_operator\":\"or\",\"fuzzy_max_expansions\":50,\"boost\":1.0,\"enable_position_increments\":true,\"fields\":[],\"escape\":false}}],\"boost\":1.0}}}}},\"61ca57f1-469d-11e7-af02-69e470af7417\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"61ca57f1-469d-11e7-af02-69e470af7417\"},\"aggregations\":{\"61ca57f2-469d-11e7-af02-69e470af7417\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"count\":\"_count\"},\"script\":{\"source\":\"count * 1\",\"lang\":\"expression\"}}}}},\"d6edf530-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"d6edf530-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"d6edf531-0a3b-11ec-8e6a-57debbc326af\":{\"bucket_script\":{\"gap_policy\":\"skip\",\"buckets_path\":{\"count\":\"_count\"},\"script\":{\"source\":\"count * 
1\",\"lang\":\"expression\"}}},\"076dbab0-0a3c-11ec-8e6a-57debbc326af\":{\"derivative\":{\"gap_policy\":\"skip\",\"unit\":\"1h\",\"buckets_path\":[\"0004e8c0-0a3c-11ec-8e6a-57debbc326af\"]}},\"0004e8c0-0a3c-11ec-8e6a-57debbc326af\":{\"cumulative_sum\":{\"buckets_path\":[\"d6edf531-0a3b-11ec-8e6a-57debbc326af\"]}}}},\"c8821800-0a3b-11ec-8e6a-57debbc326af\":{\"date_histogram\":{\"fixed_interval\":\"5s\",\"field\":\"@timestamp\",\"offset\":0,\"time_zone\":\"Europe/Paris\",\"keyed\":false,\"min_doc_count\":0,\"order\":{\"_key\":\"asc\"},\"extended_bounds\":{\"min\":1630406295897,\"max\":1630407042831}},\"meta\":{\"timeField\":\"@timestamp\",\"intervalString\":\"5s\",\"bucketSize\":5,\"seriesId\":\"c8821800-0a3b-11ec-8e6a-57debbc326af\"},\"aggregations\":{\"c8821801-0a3b-11ec-8e6a-57debbc326af\":{\"avg\":{\"field\":\"wsi_audit.responseTime\"}}}}}}},\"timeout\":\"30000ms\",\"track_total_hits\":2147483647}",
"audit_node_id": "M4li-W2EQ4KHdaar1KJQCg",
"audit_request_layer": "TRANSPORT",
"@timestamp": "2021-09-01T13:10:09.149+00:00",
"audit_format_version": 4,
"audit_request_remote_address": "127.0.0.1",
"audit_request_privilege": "indices:data/read/search",
"audit_node_host_address": "10.59.6.201",
"audit_request_effective_user": "Utilisateur UNEO",
"audit_trace_resolved_indices": [
"security-auditlog-2021.08.20",
".kibana_1902137761_infinitemonitoring_1",
"security-auditlog-2021.09.01",
".kibana_1",
".kibana_-1136205721_kdf42r_1",
"security-auditlog-2021.08.25",
"security-auditlog-2021.08.23",
".kibana_-417030821_cngiacominivincentouinterneousitegreenparkouutilisateursoucegedimactivoutououfrouemeadcemeadccegedimdcgrp_1",
".kibana_-1760851040_utilisateuruneo_1",
".opendistro-reports-definitions",
".kibana_810970405_giacominivincent_1",
"security-auditlog-2021.08.24",
".kibana_1139703716_giacominigiacomini_1",
".opendistro-reports-instances",
".kibana_318017984_signessignes_1",
".kibana_253705784_administrateur_1",
".kibana_92668751_admin_1",
"security-auditlog-2021.08.30",
"security-auditlog-2021.08.31",
".opendistro_security",
"security-auditlog-2021.08.26",
".kibana_-1623283867_vincentgiacomini_1",
"security-auditlog-2021.08.27",
"infinite"
],
"audit_node_host_name": "10.59.6.201"
},
"fields": {
"@timestamp": [
"2021-09-01T13:10:09.149Z"
]
},
"highlight": {
"audit_request_effective_user": [
"Utilisateur @opensearch-dashboards-highlighted-field@UNEO@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
1630501809149
]
}