kibanaserver user lacks frontend/config/get permissions by default
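During migration, when we try to run OpenSearch Dashboards (OSD), the `kibanaserver` user (roles checked: SGS_KIBANA_SERVER, SGS_OWN_INDEX) is denied the action `cluster:admin/securityplus/auth/frontend/config/get`, so OSD cannot retrieve the auth config and `GET /api/v1/auth/config` returns HTTP 500. We get the following logs: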
kibanaserver <basic/internal_users_db> UNKNOWN [Action [cluster:admin/securityplus/auth/frontend/config/get]] [RolesChecked [SGS_KIBANA_SERVER, SGS_OWN_INDEX]]:
2023-02-19 14:37:20 Evaluated Privileges:
2023-02-19 14:37:20 _/cluster:admin/securityplus/auth/frontend/config/get: MISSING
2023-02-19 15:06:22 {"type":"response","@timestamp":"2023-02-19T14:06:22Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/ui/legacy_light_theme.css","method":"get","headers":{"host":"localhost:5607","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","accept":"text/css,*/*;q=0.1","accept-language":"de,en-US;q=0.7,en;q=0.3","accept-encoding":"gzip, deflate, br","connection":"keep-alive","referer":"http://localhost:5607/login?nextUrl=/","sec-fetch-dest":"style","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin","x-forwarded-for":"172.19.0.1","x-forwarded-port":42270,"x-forwarded-proto":"http","x-forwarded-host":"localhost:5607"},"remoteAddress":"172.19.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","referer":"http://localhost:5607/login?nextUrl=/"},"res":{"statusCode":200,"responseTime":21,"contentLength":9},"message":"GET /ui/legacy_light_theme.css 200 21ms - 9.0B"}
2023-02-19 15:06:23 {"type":"log","@timestamp":"2023-02-19T14:06:23Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: Insufficient permissions"}
2023-02-19 15:06:23 Error while retrieving auth config ResponseError: security_exception: [security_exception] Reason: Insufficient permissions
2023-02-19 15:06:23 at onBody (/usr/share/opensearch-dashboards/node_modules/@opensearch-project/opensearch/lib/Transport.js:374:23)
2023-02-19 15:06:23 at IncomingMessage.onEnd (/usr/share/opensearch-dashboards/node_modules/@opensearch-project/opensearch/lib/Transport.js:293:11)
2023-02-19 15:06:23 at IncomingMessage.emit (events.js:412:35)
2023-02-19 15:06:23 at IncomingMessage.emit (domain.js:475:12)
2023-02-19 15:06:23 at endReadableNT (internal/streams/readable.js:1333:12)
2023-02-19 15:06:23 at processTicksAndRejections (internal/process/task_queues.js:82:21) {
2023-02-19 15:06:23 meta: {
2023-02-19 15:06:23 body: { error: [Object], status: 403 },
2023-02-19 15:06:23 statusCode: 403,
2023-02-19 15:06:23 headers: {
2023-02-19 15:06:23 'content-type': 'application/json; charset=UTF-8',
2023-02-19 15:06:23 'content-length': '321'
2023-02-19 15:06:23 },
2023-02-19 15:06:23 meta: {
2023-02-19 15:06:23 context: null,
2023-02-19 15:06:23 request: [Object],
2023-02-19 15:06:23 name: 'opensearch-js',
2023-02-19 15:06:23 connection: [Object],
2023-02-19 15:06:23 attempts: 0,
2023-02-19 15:06:23 aborted: false
2023-02-19 15:06:23 }
2023-02-19 15:06:23 }
2023-02-19 15:06:23 }
2023-02-19 15:06:23 {"type":"response","@timestamp":"2023-02-19T14:06:23Z","tags":[],"pid":1,"method":"post","statusCode":200,"req":{"url":"/api/core/capabilities","method":"post","headers":{"host":"localhost:5607","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","accept":"*/*","accept-language":"de,en-US;q=0.7,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"http://localhost:5607/login?nextUrl=/","content-type":"application/json","osd-version":"2.4.1","content-length":"602","origin":"http://localhost:5607","connection":"keep-alive","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","x-forwarded-for":"172.19.0.1","x-forwarded-port":42284,"x-forwarded-proto":"http","x-forwarded-host":"localhost:5607"},"remoteAddress":"172.19.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","referer":"http://localhost:5607/login?nextUrl=/"},"res":{"statusCode":200,"responseTime":22,"contentLength":9},"message":"POST /api/core/capabilities 200 22ms - 9.0B"}
2023-02-19 15:06:23 {"type":"response","@timestamp":"2023-02-19T14:06:23Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/api/v1/systeminfo","method":"get","headers":{"host":"localhost:5607","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","accept":"*/*","accept-language":"de,en-US;q=0.7,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"http://localhost:5607/login?nextUrl=/","content-type":"application/json","osd-version":"2.4.1","connection":"keep-alive","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","x-forwarded-for":"172.19.0.1","x-forwarded-port":42284,"x-forwarded-proto":"http","x-forwarded-host":"localhost:5607"},"remoteAddress":"172.19.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","referer":"http://localhost:5607/login?nextUrl=/"},"res":{"statusCode":200,"responseTime":7,"contentLength":9},"message":"GET /api/v1/systeminfo 200 7ms - 9.0B"}
2023-02-19 15:06:23 {"type":"response","@timestamp":"2023-02-19T14:06:23Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/api/v1/systeminfo","method":"get","headers":{"host":"localhost:5607","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","accept":"*/*","accept-language":"de,en-US;q=0.7,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"http://localhost:5607/login?nextUrl=/","content-type":"application/json","osd-version":"2.4.1","connection":"keep-alive","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","x-forwarded-for":"172.19.0.1","x-forwarded-port":42284,"x-forwarded-proto":"http","x-forwarded-host":"localhost:5607"},"remoteAddress":"172.19.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","referer":"http://localhost:5607/login?nextUrl=/"},"res":{"statusCode":200,"responseTime":8,"contentLength":9},"message":"GET /api/v1/systeminfo 200 8ms - 9.0B"}
2023-02-19 15:06:23 {"type":"log","@timestamp":"2023-02-19T14:06:23Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: Insufficient permissions"}
2023-02-19 15:06:23 {"type":"log","@timestamp":"2023-02-19T14:06:23Z","tags":["error","http"],"pid":1,"message":"ResponseError: security_exception: [security_exception] Reason: Insufficient permissions\n at onBody (/usr/share/opensearch-dashboards/node_modules/@opensearch-project/opensearch/lib/Transport.js:374:23)\n at IncomingMessage.onEnd (/usr/share/opensearch-dashboards/node_modules/@opensearch-project/opensearch/lib/Transport.js:293:11)\n at IncomingMessage.emit (events.js:412:35)\n at IncomingMessage.emit (domain.js:475:12)\n at endReadableNT (internal/streams/readable.js:1333:12)\n at processTicksAndRejections (internal/process/task_queues.js:82:21) {\n meta: {\n body: { error: [Object], status: 403 },\n statusCode: 403,\n headers: {\n 'content-type': 'application/json; charset=UTF-8',\n 'content-length': '321'\n },\n meta: {\n context: null,\n request: [Object],\n name: 'opensearch-js',\n connection: [Object],\n attempts: 0,\n aborted: false\n }\n }\n}"}
2023-02-19 15:06:23 {"type":"error","@timestamp":"2023-02-19T14:06:23Z","tags":[],"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:80:19)\n at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:177:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"http://localhost:5607/api/v1/auth/config","message":"Internal Server Error"}
2023-02-19 15:06:23 {"type":"response","@timestamp":"2023-02-19T14:06:23Z","tags":[],"pid":1,"method":"get","statusCode":500,"req":{"url":"/api/v1/auth/config","method":"get","headers":{"host":"localhost:5607","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","accept":"*/*","accept-language":"de,en-US;q=0.7,en;q=0.3","accept-encoding":"gzip, deflate, br","referer":"http://localhost:5607/login?nextUrl=/","content-type":"application/json","osd-version":"2.4.1","connection":"keep-alive","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","x-forwarded-for":"172.19.0.1","x-forwarded-port":42284,"x-forwarded-proto":"http","x-forwarded-host":"localhost:5607"},"remoteAddress":"172.19.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0","referer":"http://localhost:5607/login?nextUrl=/"},"res":{"statusCode":500,"responseTime":5,"contentLength":9},"message":"GET /api/v1/auth/config 500 5ms - 9.0B"}
Edited by Hendrik Saly