Kibana version: BC6
Elasticsearch version: BC6
Server OS version: CentOS7
Browser version: Chrome latest
Browser OS version:
Original install method (e.g. download page, yum, from source, etc.): BC6
Describe the bug: A user with limited privileges (only the kibana_user role) is allowed to create an index pattern matching .kibana. This should NOT be allowed.
Steps to reproduce:
1) Log in as a user that has only the kibana_user privilege.
2) In the index pattern creation screen, enable "include system indices" and start typing .kibana. The browser console shows the following:
vendors.bundle.js:133 POST https://localhost:5601/elasticsearch/_search 404 (Not Found)
(anonymous) @ vendors.bundle.js:133
sendReq @ vendors.bundle.js:133
serverRequest @ vendors.bundle.js:133
processQueue @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
$digest @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
completeOutstandingRequest @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
setTimeout (async)
Browser.self.defer @ vendors.bundle.js:133
$evalAsync @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
scheduleProcessQueue @ vendors.bundle.js:133
then @ vendors.bundle.js:133
chainInterceptors @ vendors.bundle.js:133
$http @ vendors.bundle.js:133
AngularConnector.request @ vendors.bundle.js:159
(anonymous) @ commons.bundle.js:3
wrapper @ vendors.bundle.js:3
sendReqWithConnection @ vendors.bundle.js:159
_.applyArgs @ vendors.bundle.js:159
bound @ vendors.bundle.js:165
Item.run @ vendors.bundle.js:159
drainQueue @ vendors.bundle.js:159
setTimeout (async)
runTimeout @ vendors.bundle.js:159
process.nextTick @ vendors.bundle.js:159
_.nextTick @ vendors.bundle.js:159
ConnectionPool.select @ vendors.bundle.js:159
Transport.request @ vendors.bundle.js:159
exec @ vendors.bundle.js:159
action @ vendors.bundle.js:159
(anonymous) @ kibana.bundle.js:3
tryCatch @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
prototype.(anonymous function) @ vendors.bundle.js:133
step @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:7
tryCatch @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
prototype.(anonymous function) @ vendors.bundle.js:133
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
StepIndexPattern._this.onQueryChanged @ kibana.bundle.js:7
Ja @ vendors.bundle.js:141
invokeGuardedCallback @ vendors.bundle.js:149
invokeGuardedCallbackAndCatchFirstError @ vendors.bundle.js:149
Za @ vendors.bundle.js:141
cb @ vendors.bundle.js:141
gb @ vendors.bundle.js:141
ab @ vendors.bundle.js:141
lb @ vendors.bundle.js:141
sd @ vendors.bundle.js:149
rd @ vendors.bundle.js:141
batchedUpdates @ vendors.bundle.js:141
tc @ vendors.bundle.js:141
vd @ vendors.bundle.js:141
vendors.bundle.js:133 POST https://localhost:5601/elasticsearch/.k/_search 403 (Forbidden)
(anonymous) @ vendors.bundle.js:133
sendReq @ vendors.bundle.js:133
serverRequest @ vendors.bundle.js:133
processQueue @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
$digest @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
completeOutstandingRequest @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
setTimeout (async)
Browser.self.defer @ vendors.bundle.js:133
$evalAsync @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
scheduleProcessQueue @ vendors.bundle.js:133
then @ vendors.bundle.js:133
chainInterceptors @ vendors.bundle.js:133
$http @ vendors.bundle.js:133
AngularConnector.request @ vendors.bundle.js:159
(anonymous) @ commons.bundle.js:3
wrapper @ vendors.bundle.js:3
sendReqWithConnection @ vendors.bundle.js:159
_.applyArgs @ vendors.bundle.js:159
bound @ vendors.bundle.js:165
Item.run @ vendors.bundle.js:159
drainQueue @ vendors.bundle.js:159
setTimeout (async)
runTimeout @ vendors.bundle.js:159
process.nextTick @ vendors.bundle.js:159
_.nextTick @ vendors.bundle.js:159
ConnectionPool.select @ vendors.bundle.js:159
Transport.request @ vendors.bundle.js:159
exec @ vendors.bundle.js:159
action @ vendors.bundle.js:159
(anonymous) @ kibana.bundle.js:3
tryCatch @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
prototype.(anonymous function) @ vendors.bundle.js:133
step @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:7
tryCatch @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
prototype.(anonymous function) @ vendors.bundle.js:133
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
StepIndexPattern._this.onQueryChanged @ kibana.bundle.js:7
Ja @ vendors.bundle.js:141
invokeGuardedCallback @ vendors.bundle.js:149
invokeGuardedCallbackAndCatchFirstError @ vendors.bundle.js:149
sd @ vendors.bundle.js:149
rd @ vendors.bundle.js:141
batchedUpdates @ vendors.bundle.js:141
tc @ vendors.bundle.js:141
vd @ vendors.bundle.js:141
vendors.bundle.js:3 Promise: Detected an unhandled Promise rejection.
[security_exception] action [indices:data/read/search] is unauthorized for user [rashmiwatcher] :: {"path":"/.k/_search","query":{},"body":"{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":200}}}}","statusCode":403,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [indices:data/read/search] is unauthorized for user [rashmiwatcher]\"}],\"type\":\"security_exception\",\"reason\":\"action [indices:data/read/search] is unauthorized for user [rashmiwatcher]\"},\"status\":403}"}
vendors.bundle.js:159 Uncaught (in promise) StatusCodeError {status: 403, displayName: "AuthorizationException", message: "[security_exception] action [indices:data/read/search] is unauthorized for user [rashmiwatcher]", path: "/.k/_search", query: {…}, …
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
Promise.then (async)
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
StepIndexPattern._this.onQueryChanged @ kibana.bundle.js:7
Ja @ vendors.bundle.js:141
invokeGuardedCallback @ vendors.bundle.js:149
invokeGuardedCallbackAndCatchFirstError @ vendors.bundle.js:149
lb @ vendors.bundle.js:141
sd @ vendors.bundle.js:149
rd @ vendors.bundle.js:141
batchedUpdates @ vendors.bundle.js:141
tc @ vendors.bundle.js:141
vd @ vendors.bundle.js:141
vendors.bundle.js:133 POST https://localhost:5601/elasticsearch/.ki/_search 403 (Forbidden)
(anonymous) @ vendors.bundle.js:133
sendReq @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
completeOutstandingRequest @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
setTimeout (async)
Browser.self.defer @ vendors.bundle.js:133
$evalAsync @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
scheduleProcessQueue @ vendors.bundle.js:133
then @ vendors.bundle.js:133
chainInterceptors @ vendors.bundle.js:133
$http @ vendors.bundle.js:133
AngularConnector.request @ vendors.bundle.js:159
(anonymous) @ commons.bundle.js:3
wrapper @ vendors.bundle.js:3
sendReqWithConnection @ vendors.bundle.js:159
_.applyArgs @ vendors.bundle.js:159
bound @ vendors.bundle.js:165
Item.run @ vendors.bundle.js:159
drainQueue @ vendors.bundle.js:159
setTimeout (async)
runTimeout @ vendors.bundle.js:159
process.nextTick @ vendors.bundle.js:159
_.nextTick @ vendors.bundle.js:159
ConnectionPool.select @ vendors.bundle.js:159
Transport.request @ vendors.bundle.js:159
exec @ vendors.bundle.js:159
action @ vendors.bundle.js:159
(anonymous) @ kibana.bundle.js:3
tryCatch @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
prototype.(anonymous function) @ vendors.bundle.js:133
step @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:3
(anonymous) @ kibana.bundle.js:7
tryCatch @ vendors.bundle.js:133
(anonymous) @ vendors.bundle.js:133
prototype.(anonymous function) @ vendors.bundle.js:133
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
StepIndexPattern._this.onQueryChanged @ kibana.bundle.js:7
Ja @ vendors.bundle.js:141
invokeGuardedCallback @ vendors.bundle.js:149
invokeGuardedCallbackAndCatchFirstError @ vendors.bundle.js:149
rd @ vendors.bundle.js:141
batchedUpdates @ vendors.bundle.js:141
tc @ vendors.bundle.js:141
vd @ vendors.bundle.js:141
vendors.bundle.js:3 Promise: Detected an unhandled Promise rejection.
[security_exception] action [indices:data/read/search] is unauthorized for user [rashmiwatcher] :: {"path":"/.ki/_search","query":{},"body":"{\"size\":0,\"aggs\":{\"indices\":{\"terms\":{\"field\":\"_index\",\"size\":200}}}}","statusCode":403,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [indices:data/read/search] is unauthorized for user [rashmiwatcher]\"}],\"type\":\"security_exception\",\"reason\":\"action [indices:data/read/search] is unauthorized for user [rashmiwatcher]\"},\"status\":403}"}
vendors.bundle.js:159 Uncaught (in promise) StatusCodeError {status: 403, displayName: "AuthorizationException", message: "[security_exception] action [indices:data/read/search] is unauthorized for user [rashmiwatcher]", path: "/.ki/_search", query: {…}, …
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
Promise.then (async)
step @ kibana.bundle.js:7
(anonymous) @ kibana.bundle.js:7
StepIndexPattern._this.onQueryChanged @ kibana.bundle.js:7
Ja @ vendors.bundle.js:141
invokeGuardedCallback @ vendors.bundle.js:149
invokeGuardedCallbackAndCatchFirstError @ vendors.bundle.js:149
rd @ vendors.bundle.js:141
batchedUpdates @ vendors.bundle.js:141
tc @ vendors.bundle.js:141
vd @ vendors.bundle.js:141
3) Continue with the .kibana index pattern, click Next and complete the index pattern creation.
4) Observe that the index pattern is created successfully, although it should not have been created at all. This means that the privilege check is not properly enforced when the index pattern is saved.
Expected behavior: Do not allow user with limited privileges to create index patterns.
Screenshots (if relevant):
cc @bmcconaghy
cc @LeeDr @epixa - thoughts??
This seems like the intended behavior to me. All you need to create index patterns in Kibana is write access to the .kibana index, which is what the kibana_user role provides by default. It does not require any elevated privileges.
Agreed. kibana_user has to have read/write access to .kibana, and so this is the ONLY index pattern a user with only the kibana_user role could create.
It's also worth noting that the check for the existence of an index matching the pattern is, I think, just a convenience baked into the UI (or an inconvenience, depending on who you ask). I don't think the API itself validates that, so any user with write access to .kibana can create an index pattern that matches any indices, regardless of whether they exist or whether the user has permission to access them.
On the other side of that coin, the existence of an index pattern does not grant the user access to the underlying indices: every search issued through the pattern is still authorized by Elasticsearch against the user's own privileges (exactly as the 403 security_exception responses in the console output above show), so this isn't a security issue.
You need to remove the read-only block (Elasticsearch applies it when the node is low on free disk space) by running this command after freeing up disk space: curl -XPUT -H "Content-Type: application/json" http://localhost:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'. Note that _all clears the block on every index; scope the request to the affected index if that is not what you want. (This addresses a different problem — a read-only index block — not the privilege question in this issue.)
You need to remove the read-only block (Elasticsearch applies it when the node is low on free disk space) by running this command after freeing up disk space:
curl -XPUT -H "Content-Type: application/json" http://localhost:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'
Note that _all clears the block on every index; scope the request to the affected index if that is not what you want.