Closed mkiran18 closed 2 years ago
Hey @mkiran18, I'm actually not able to reproduce. Can you double-check the role and mapping?
On a more meta note, I'd recommend against tagging me on new issues unless it's specifically something that I've worked on. Other people on the team and in the community might assume that I'm "on it" and not chime in with better, more timely information than I can provide. 😃
My role mapping
{
  "new-role": {
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "hosts": [],
    "users": [
      "new-user"
    ],
    "and_backend_roles": []
  }
}
My role
{
  "new-role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "index1-*-*-*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "kibana_all_read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}
My user
{
  "new-user": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "attributes": {},
    "static": false
  }
}
The following queries all return results:
GET index1-*-*-*/_search
GET index1-45673-item1-2019-09-20/_search
GET index1-45673-*/_search
GET index1-45673-**/_search
Hi @aetter,
Apologies for tagging; I see that you are very active in the security space of OD, so I thought of tagging you for a quick check.
To your point, the issue is happening with the Elasticsearch API as well. Make your role
{
  "new-role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "index1-45673-*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "kibana_all_read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}
Create two indices that match the pattern, e.g. index1-45673-app1-2019-09-23 and index1-78965-app2-2019-09-23
And
try: GET index1-*/_search
API Error
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:data/read/search] and User [name=user, roles=[user-role, kibanauser], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:data/read/search] and User [name=user, roles=[user-role, kibanauser], requestedTenant=null]"
  },
  "status": 403
}
Error when used a as patterns, happens with index1-*-*-* as well.
With the full index name rather than a pattern: no issues, and data is displayed.
The expectation is that Kibana will auto-filter all other indices that the logged-in user does not have permission to.
Very similar to: https://discuss.elastic.co/t/kibana-defining-access-to-multi-customers-sharing-same-dashboard/158567
This was used in Elasticsearch + Kibana before; trying to replicate the same behaviour on Open Distro as well.
Thanks
Ah, I think I see. So the expected behavior here is that the security plugin filters out any indices that a) match your pattern and b) you don't have access to prior to performing the search? Is the description below an accurate summary of your concern?
Steps to reproduce:
New role, index permissions of index1-45673-*, action group read, save.
New user.
Map new role to new user.
Map kibana_user to new user.
Create two indices:
PUT index1-45673-app1-2019-09-23/_doc/1
{"some document": "and its data"}
PUT index1-78965-app2-2019-09-23/_doc/1
{"some document": "and its data"}
Log in to Kibana as the new user.
Dev tools
GET index1-45673-*/_search
Success.
GET index1-78965-*/_search
Expected failure.
GET index1-*/_search
Failure. Expected behavior is that the search would still find documents in index1-45673-app1-2019-09-23, which the user has permissions to.
Yup... that's exactly what I am trying to achieve :)
I have followed the steps that I used for xpack + Elasticsearch. I am not sure if there are any different steps for Open Distro, as the security plugin is different in this case.
Thanks in advance.
Roger that. I'm worried that there's some fundamental architectural decision that explains why this feature doesn't work the way we expect, but I'll leave it to the development team to confirm/deny and classify as a bug or as-designed.
Adding @hardik-k-shah and @elfisher for their thoughts.
Thanks. This feature makes it possible to have one Kibana/Elasticsearch index pattern for all the users but still have control over what they see based on the roles.
Otherwise we will have many different patterns in the Kibana -> Discover index pattern dropdown, and when users switch they will see the error.
And, not to mention, maintaining them is a tedious process.
Hi, any update? Just wanted to know if this is as per design or actually an issue.
The same issue with No permissions for ... No index-level perm match for User [name= ... in elasticsearch.log. Opendistro 1.2.0.
Yes, it's an issue. Simply go to the role server and add the index pattern which you want to show, just like this here ...
It is expected behavior that when a Kibana index pattern or a query pattern includes one or more indices for which a user does not have the necessary permission(s), the query fails with a security exception. Note that the security plugin does not do any query rewrite and submits the original query pattern to ES for execution. Should that pattern include any index that the user does not have permission(s) for, it would be a security violation. Supporting query rewrite would be an enhancement request, and I am not even sure that it is possible in all cases, as the intersection of a query pattern and the indices with granted permissions may be a disjoint set not easily expressed by a single index or by another index match pattern.
Hi @vrozov, that's an issue when we create one index pattern in Kibana for shared users on the same tenancy. We ended up creating a lot of index patterns as a workaround for this security limitation and had to educate the users to switch to their specific pattern upon login.
Thanks for looking in to it.
@mkiran18 roger that. This is a current design limitation and, afaik, there are no workarounds other than to define different index patterns for different roles. Possibly a Kibana plugin can help by limiting user access to their specific index pattern(s).
Instead of query rewrite we may try to filter out all documents for indices that a user does not have permission for during query execution, but that may impact performance, so we will have to see which option is the best. In any case, we will likely have to provide a configuration setting that enables the new behavior and keeps the old behavior for users that are not affected by that limitation or prefer the old behavior for any reason.
There seems to be an option to enable the desired behavior. Please see do_not_fail_on_forbidden in kibana multi-tenancy
I'm not sure if I'm experiencing the same or a different issue. I have a role like so:
my_role:
  reserved: true
  hidden: false
  cluster_permissions:
  - "cluster_composite_ops_ro"
  index_permissions:
  - index_patterns:
    - "logstash-*"
    allowed_actions:
    - "read"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_read"
  static: false
and plenty of indices like:
logstash-myapp-2021-01.25
logstash-myapp-2021-01.26
logstash-myapp-2021-01.27
In the Global tenant, I create an index pattern like so:
I expect that the user sees all of them. However, in the Discovery tab, the user sees nothing:
In the logs I get:
[2021-01-25T15:46:03,840][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:03,845][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:03,846][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No index-level perm match for User [name=MyUser, backend_roles=[****], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/get]] [RolesChecked [my_role]]
[2021-01-25T15:46:03,846][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No permissions for [indices:data/read/get]
[2021-01-25T15:46:05,668][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:05,674][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] java.lang.UnsupportedOperationException
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at java.base/java.util.Collections$UnmodifiableMap.put(Collections.java:1473)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:110)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:95)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:115)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter$1.handleRequest(OpenDistroSecurityRestFilter.java:116)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:236)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:318)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
[2021-01-25T15:46:05,674][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.ssl.http.netty.ValidatingDispatcher.dispatchRequest(ValidatingDispatcher.java:63)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:318)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:372)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:308)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:42)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:28)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:58)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1518)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:615)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:578)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[2021-01-25T15:46:05,675][WARN ][stderr ] [odfe.example.com] at java.base/java.lang.Thread.run(Thread.java:832)
[2021-01-25T15:46:05,693][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:05,696][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,246][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,250][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,327][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,333][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,335][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No index-level perm match for User [name=MyUser, backend_roles=[****], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana, .kibana_2], remoteIndices=[]] [Action [indices:data/read/mget[shard]]] [RolesChecked [my_role]]
[2021-01-25T15:46:06,335][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No permissions for [indices:data/read/mget[shard]]
[2021-01-25T15:46:06,440][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,444][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,445][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No index-level perm match for User [name=MyUser, backend_roles=[****], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [my_role]]
[2021-01-25T15:46:06,445][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No permissions for [indices:data/read/search]
When I change the permissions to:
index_permissions:
- index_patterns:
  - "*"
it works:
and in the logs I get:
[2021-01-25T15:48:39,499][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:39,518][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,433][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,435][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] java.lang.UnsupportedOperationException
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at java.base/java.util.Collections$UnmodifiableMap.put(Collections.java:1473)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:110)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:95)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:115)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter$1.handleRequest(OpenDistroSecurityRestFilter.java:116)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:236)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:318)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at com.amazon.opendistroforelasticsearch.security.ssl.http.netty.ValidatingDispatcher.dispatchRequest(ValidatingDispatcher.java:63)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:318)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:372)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:308)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:42)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:28)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:58)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1518)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:615)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:578)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[2021-01-25T15:48:41,436][WARN ][stderr ] [odfe.example.com] at java.base/java.lang.Thread.run(Thread.java:832)
[2021-01-25T15:48:41,459][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,464][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,987][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,994][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:42,060][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:42,063][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:42,159][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
@vrozov is right.
In order to ignore indices the user has no permission to, you can set do_not_fail_on_forbidden: true in your plugins/opendistro_security/securityconfig/config.yml
Closing as do_not_fail_on_forbidden addresses this issue's use case.
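A simplified model of the two behaviours discussed in this thread, added here as an illustration and not taken from the security plugin's code: the default all-or-nothing check on a wildcard request, and the reduced result once do_not_fail_on_forbidden is enabled. The function names are hypothetical, the index names are the ones used in the reproduction steps, and Python's `fnmatch` globbing stands in for the plugin's own pattern matcher.

```python
from fnmatch import fnmatchcase

# Constructed sample data: the two indices and the role pattern from the
# reproduction steps in this thread.
CLUSTER_INDICES = [
    "index1-45673-app1-2019-09-23",
    "index1-78965-app2-2019-09-23",
]
ROLE_PATTERNS = ["index1-45673-*"]


class SecurityException(Exception):
    """Stands in for the 403 security_exception returned by the API."""


def resolve(requested, cluster_indices):
    """Expand a requested index expression to the concrete indices it matches."""
    return sorted(i for i in cluster_indices if fnmatchcase(i, requested))


def is_permitted(index, role_patterns):
    """True if any index pattern granted by the role covers this concrete index."""
    return any(fnmatchcase(index, p) for p in role_patterns)


def evaluate(requested, role_patterns, cluster_indices,
             do_not_fail_on_forbidden=False):
    """Return the concrete indices the request may run against.

    Default (hypothetical model of the strict behaviour): the request is
    submitted unchanged, so a single resolved index outside the role's
    patterns rejects the whole request.

    With do_not_fail_on_forbidden=True: forbidden indices are dropped and the
    request proceeds on the remainder. The remainder is an explicit list of
    concrete index names, not a new wildcard, because the permitted subset
    may not be expressible as one pattern.
    """
    resolved = resolve(requested, cluster_indices)
    allowed = [i for i in resolved if is_permitted(i, role_patterns)]
    denied = [i for i in resolved if i not in allowed]

    if not denied:
        return resolved
    if do_not_fail_on_forbidden and allowed:
        return allowed
    raise SecurityException(
        "no permissions for [indices:data/read/search] on %s" % denied
    )


def outcome(requested, **kwargs):
    """Helper for display: the index list on success, or the string '403'."""
    try:
        return evaluate(requested, ROLE_PATTERNS, CLUSTER_INDICES, **kwargs)
    except SecurityException:
        return "403"


if __name__ == "__main__":
    for pattern in ("index1-45673-*", "index1-78965-*", "index1-*"):
        print(pattern, "strict:", outcome(pattern),
              "| do_not_fail_on_forbidden:",
              outcome(pattern, do_not_fail_on_forbidden=True))
```

In this model a request that resolves only to forbidden indices is still rejected with the setting enabled, so the setting narrows results without widening what the role grants.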
Hi @aetter ,
Kibana is not displaying any data for a pattern match, but works fine when the full index name is selected under Management -> Index Patterns
role:
role mapping:
user:
Kibana Index Patterns:
Below are the two Kibana index patterns
The wildcard pattern is not able to match the index that the role has permission to, but works fine with the exact index name.
Thanks