Skip to content
This repository was archived by the owner on Aug 2, 2022. It is now read-only.
This repository was archived by the owner on Aug 2, 2022. It is now read-only.

[Incomplete docs] Define monitor using visual graph only works for admins #106

Open
Open
[Incomplete docs] Define monitor using visual graph only works for admins#106
Labels
enhancementNew feature or requesthelp wantedExtra attention is needed
@MShekow

Description

@MShekow
MShekow
opened on Oct 29, 2019

Hi,

I've assigned non-admin users the permissions to use Kibana, view indices, etc. (so that they can create visualizations and dashboards), and I've also assigned them to the already-existing, reserved role "alerting_full_access" which has the "crud" action group assigned to the indices ".opendistro-alerting-config" and ".opendistro-alerting-alert*", just like described on
https://opendistro.github.io/for-elasticsearch-docs/docs/alerting/security-roles/

As admin user, I can then select the index and time field as expected. However, non-admin users cannot. When checking the logs, I see these entries in ES:
[2019-10-29T09:03:42,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-node1] No index-level perm match for User [name=admin2, roles=[], requestedTenant=] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:monitor/stats]] [RolesChecked [own_index, alerting_full_access, maksim_kibana_user]] [2019-10-29T09:03:42,422][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-node1] No permissions for [indices:monitor/stats] [2019-10-29T09:03:42,556][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-node1] No index-level perm match for User [name=admin2, roles=[], requestedTenant=] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], originalRequested=[], remoteIndices=[]] [Action [indices:admin/aliases/get]] [RolesChecked [own_index, alerting_full_access, maksim_kibana_user]] [2019-10-29T09:03:42,556][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-node1] No permissions for [indices:admin/aliases/get]

As the logs indicate, I must grant these permissions to all indices [*] but this is not mentioned in the docs. The docs are outdated anyway, given that they mention phrases such as "Add new index and document type" (the "document type" does not exist in Kibana, maybe it used to?).

I was able to "fix" the problem by duplicating the "alerting_full_access" role, to "my_alerting_full_acess" and adding the missing permissions (indices:monitor/stats, indices:admin/aliases/get) to Index * and adding permission "indices:admin/mappings/get" to my own data indices, to be able to select the time field.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions