Wildcard indices rights

#1

Too manage who has access to the indices I have made the following role:
Group1:
readonly: false
cluster:
- UNLIMITED
indices:
'logstash-*':
'*':
- READ
- GET
- SEARCH
This role gives my rights on the logstash-* indices. But now I want to change logstash-* to logstash-test*. Only this does not grant me any right. In kibana it says I don’t any right to access the indices. How can I give right to logstash-test* ?

#2

Hello everglade !

indices:
‘logstash- ’:

I think you have to modify this line to :

indices:
'logstash-*':

You forgot to add the * wildcard.
Right now you only gave rights to indexes named logstash-

Hope I helped
Thi

#3

Hello ThibaudF,

Thank you for responding. I see that pasting code went wrong. I have changed it. The solution you over offering for works for logstash-* but doesn’t work for logstash-test*. How can I give rights on logstash-test*?

#4

You are welcome !

I can’t help you further without proper logs or more explanations about what you are trying to do.
Normally, indices logstash-test* are included in logstash-*.

Have you checked your role mappings ?
And if you don’t use the Kibana user interface to manage the settings, don’t forget to use the securityadmin.sh script to update your configuration. (You can find it in /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh)

Thi :slight_smile:

#5

The role mappings is as follows:

Group1:
  readonly: true
  backendroles:
    - Group1

I am try to give Group1 rights on logstash-test*. A second group named Group2 needs rights on logstash-production*. The two groups don’t needs access on each others data.

The logging:

[2019-04-25T15:58:27,708][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elk1] No index-level perm match for User [name=test, roles=[Group1], requestedTenant=test] Resolved [aliases=[], indices=[logstash-test-2019.04.25-6.5.0,logstash-production-2019.04.25-6.5.0]
[2019-04-25T15:58:27,708][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elk1] No permissions for [indices:data/read/search]
    at https://elk1/bundles/commons.bundle.js:1:488270
    at Function.Promise.try (https://elk1/bundles/commons.bundle.js:1:317811)
    at https://elk1/bundles/commons.bundle.js:1:317180
    at Array.map (<anonymous>)
    at Function.Promise.map (https://elk1/bundles/commons.bundle.js:1:317138)
    at callResponseHandlers (https://elk1/bundles/commons.bundle.js:1:487282)
    at https://elk1/bundles/commons.bundle.js:1:470337
    at processQueue (https://elk1/dlls/vendors.bundle.dll.js:293:199687)
    at https://elk1/dlls/vendors.bundle.dll.js:293:200650
    at Scope.$digest (https://elk1/dlls/vendors.bundle.dll.js:293:210412)

With logstash-* I have access to logstash-test-2019.04.25-6.5.0 but with logstash-test* I don’t. The settings are managed by the securityadmin.sh script.

#6

I think your role mapping should be like that?

---
Group1:
  backendroles: []
  hosts: []
  users:
  - "test"

Not sure but maybe you can try logstash-test-* ?

Did you give kibanauser role to test account?
I am sorry if these don’t work I have no more ideas. :sweat_smile:

Thi

#7

Thx. You were right. Adding the - solved the issue. :smiley:

#8

Glad I helped !
Have a good day.

Thi