Not sufficient permissions to access license information on remote monitoring cluster #37970

@radoondas

Elasticsearch version (bin/elasticsearch --version): 6.5.4

Plugins installed: [none]

JVM version (java -version): OpenJDK 64-Bit Server VM 11.0.1

OS version (uname -a if on a Unix-like system): not relevant

Description of the problem including expected versus actual behavior:

When using least privileges for a user defined to read monitoring data in the remote monitoring cluster, this user is missing some of the permissions needed to show all information in the Monitoring application.

Steps to reproduce:
Production cluster and Monitoring cluster.
Both have valid Gold/Platinum license.
Production cluster is sending data to Remote monitoring cluster.

To allow Production cluster Kibana with Monitoring UI to read monitoring data from remote Monitoring cluster, configuration for least privileges is suggested in the documentation (point 3.)
https://www.elastic.co/guide/en/kibana/current/monitoring-data.html

The correct user is defined in the Monitoring cluster, and this user is also configured in the Production Kibana configuration file according to the documentation above.

User definition

```json
{
  "monitor_viewer" : {
    "username" : "monitor_viewer",
    "roles" : [
      "monitoring_user"
    ],
    "full_name" : "Monitor viewer for Kibana",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}
```

In Production, we are missing Cluster status due to license issue.

Accessing the _xpack endpoint, which is required for the license check, provides the following permission error.

```
curl -k -u monitor_viewer https://<monitoring_hostname>:9200/_xpack/?pretty
Enter host password for user 'monitor_viewer':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/xpack/info] is unauthorized for user [monitor_viewer]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [cluster:monitor/xpack/info] is unauthorized for user [monitor_viewer]"
  },
  "status" : 403
}
```

This means that in the Production Kibana Monitoring tab, some of the information is missing due to limited privileges for the role monitoring_user.

I would expect that the role monitoring_user has all required permissions.
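Added example, not part of the original report or of Elasticsearch's own code: a small Python triage helper that pulls the denied action and user out of a 403 `security_exception` body like the one above and checks which candidate cluster-privilege lists would cover it. The candidate lists are constructed for illustration and are not the built-in `monitoring_user` definition; the only named privilege modelled is `monitor`, which covers `cluster:monitor/*`.

```python
import fnmatch
import json
import re

# Named cluster privilege -> action patterns. Only "monitor" is modelled here;
# any other entry in a privilege list is treated as a raw action pattern.
NAMED_CLUSTER_PRIVILEGES = {"monitor": ["cluster:monitor/*"]}

DENIED = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
)

# Response body from the report above, trimmed to the fields read here.
ERROR_BODY = """{"error": {"type": "security_exception", "reason":
"action [cluster:monitor/xpack/info] is unauthorized for user [monitor_viewer]"},
"status": 403}"""


def parse_denial(body):
    """Return (action, user) from a 403 security_exception body, else None."""
    doc = json.loads(body)
    if doc.get("status") != 403:
        return None
    error = doc.get("error", {})
    if error.get("type") != "security_exception":
        return None
    match = DENIED.search(error.get("reason", ""))
    return (match["action"], match["user"]) if match else None


def grants(cluster_privileges, action):
    """True if any listed privilege (named or raw pattern) covers the action."""
    for privilege in cluster_privileges:
        for pattern in NAMED_CLUSTER_PRIVILEGES.get(privilege, [privilege]):
            if fnmatch.fnmatchcase(action, pattern):
                return True
    return False


if __name__ == "__main__":
    action, user = parse_denial(ERROR_BODY)
    # Constructed candidate privilege lists (assumptions for illustration).
    for privileges in ([], ["cluster:monitor/xpack/info"], ["monitor"]):
        print(user, action, privileges, grants(privileges, action))
```

Granting the single action is the narrower choice; `monitor` also covers every other `cluster:monitor/*` action.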
