Read-only user not able to download CSV Reports

I have installed ELK OSS version 7.10.2 on CentOS machine. I have installed standalone opendistro reporting plugin. I have a user who has following three roles :

  1. kibana_user
  2. readall
  3. reports_full_access

This user is not able to download CSV Reports from Reporting plugin due to permission issue. I want this user to have only read-only rights. With the same user, I am able to download PNG or PDF reports.

Is there any way I can achieve this ?

Here is kibana log :

Mar 04 06:18:03 ip-**** kibana[24864]: {"type":"log","@timestamp":"2021-03-04T06:18:03Z","tags":["error","plugins","opendistroReportsKibana"],"pid":24864,"message":"{ Error: [security_exception] no permissions for [indices:monitor/settings/get] and User [name=iit280_ro, backend_roles=[kiabanauser, readall], requestedTenant=]\n    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n    at IncomingMessage.wrapper (/usr/share/kibana/node_modules/lodash/lodash.js:4949:19)\n    at IncomingMessage.emit (events.js:203:15)\n    at endReadableNT (_stream_readable.js:1145:12)\n    at process._tickCallback (internal/process/next_tick.js:63:19)\n  status: 403,\n  displayName: 'AuthorizationException',\n  message:\n   '[security_exception] no permissions for [indices:monitor/settings/get] and User [name=iit280_ro, backend_roles=[kiabanauser, readall], requestedTenant=]',\n  path: '/iit280_tran_log-*/_settings',\n  query: { include_defaults: true },\n  body:\n   { error:\n      { root_cause: [Array],\n        type: 'security_exception',\n        reason:\n         'no permissions for [indices:monitor/settings/get] and User [name=iit280_ro, backend_roles=[kiabanauser, readall], requestedTenant=]' },\n     status: 403 },\n  statusCode: 403,\n  response:\n   '{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:monitor/settings/get] and User [name=iit280_ro, backend_roles=[kiabanauser, readall], requestedTenant=]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:monitor/settings/get] and User [name=iit280_ro, backend_roles=[kiabanauser, readall], requestedTenant=]\"},\"status\":403}',\n  toString: [Function],\n  toJSON: [Function] }"}

Based on the exception it seems like you need to make sure that the user belong to a role that have permission indices:monitor/settings/get for the index pattern iit280_tran_log-* .

We have already tried that. But it doesn’t seems to work.
It is throwing below error.
Insufficient permissions. Reach out to your Kibana administrator.

  1. In what role do you give the permission to the index?
  2. Does that user have access to the role?
  3. Can you post the output of the get role api call for the role API - Open Distro for Elasticsearch Documentation ?
    3b. As well of all relevant action groups.
  4. Also the output of the users /_opendistro/_security/authinfo

My guess is that the user does not have permission to the role.

I mistakely gave " indices:monitor/settings/get" role in cluster permissions instead of index permissions.
After giving it in index permissions, I am able to download CSV Reports.

Thanks for the help @oscark

2 Likes