Description of problem:

After upgrade from 4.4 to 4.5 kibana indexes are not created and logs about the user show this:

~~~
[2020-08-17T06:22:24,224][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch-cdm-g7ojzjry-2] No index-level perm match for User [name=Dirk.Egert, roles=[project_user], requestedTenant=__user__] Resolved [aliases=[.kibana_1687154965_dirkegert], indices=[], allIndices=[.kibana_1687154965_dirkegert_2], types=[doc], originalRequested=[.kibana_1687154965_dirkegert], remoteIndices=[]] [Action [indices:data/write/bulk[s]]] [RolesChecked [project_user]]
[2020-08-17T06:22:24,224][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch-cdm-g7ojzjry-2] No permissions for [indices:data/write/index, indices:data/write/bulk[s]]
~~~

I see that the index being created/accessed is this one: .kibana_1687154965_dirkegert_2

I verified the roles, extracting them with:

$ oc exec <logging-es-POD> -- es_acl get --doc=roles

~~~
"project_user": {
  "indices": {
    ...
    "?kibana_*_${user_name}": {
      "*": [
        "CRUD"
      ]
    }
  },
~~~

and found that this cannot match. I got a dump of the logging project and found that there is an alias created:

~~~
alias                        index                          filter routing.index routing.search
.kibana_1687154965_dirkegert .kibana_1687154965_dirkegert_2 -      -             -
~~~

I would like to verify if my analysis is correct. And if it is correct, then look for answers to some questions:

1. Why is this alias created? Is it created as part of the upgrade, or was it already there before?
2. How to resolve this situation? Is it safe to just delete the alias?

I'm attaching the logs privately.

Thanks in advance
(In reply to Mario Abajo from comment #0)
> Description of problem:
> After upgrade from 4.4 to 4.5 kibana indexes are not created and logs about
> the user shows this:
>
> [2020-08-17T06:22:24,224][INFO ][c.a.o.s.p.PrivilegesEvaluator]
> [elasticsearch-cdm-g7ojzjry-2] No index-level perm match for User
> [name=Dirk.Egert, roles=[project_user], requestedTenant=__user__]

Might the customer be able to test a username without a dot? I'm wondering if ${user_name} in the permission is not being evaluated correctly.
@jeff

I can confirm this is related to the dot in the username. I've created a test-user `mig.user` and the index created is without the dot:

~~~
green open .kibana_-1613711986_miguser 5toXw2KlSZu5bYA60r1i0Q 3 1 1 0 8.4kb 4.2kb
~~~
This seems to be a bug in OpenDistro: https://github.com/opendistro-for-elasticsearch/security/issues/74
We can solve this issue without the OpenDistro fix by:

* Add a modified user name as an alternate proxy var in ES proxy, stripping out the dot
* Update the permissions in OAL to use the new var
(In reply to Periklis Tsirakidis from comment #9)
> @jeff
>
> I can confirm this is related to the dot in the username. I've created a
> test-user `mig.user` and the index created is without the dot:
>
> green open .kibana_-1613711986_miguser 5toXw2KlSZu5bYA60r1i0Q 3 1 1 0
> 8.4kb 4.2kb

And you confirm that you are unable to access kibana?
Test results conclude that the dot in the username is not an issue for either Kibana or OpenDistro Security.

This is a duplicate of 1867461

*** This bug has been marked as a duplicate of bug 1867461 ***