Create index pattern throws internal server error with non elastic user #72219

Closed
liza-mae opened this issue Jul 17, 2020 · 11 comments
Labels
blocker bug Fixes for quality problems that affect the customer experience regression v7.9.0

Comments

@liza-mae
Contributor

Kibana version: 7.9.0 BC1

Elasticsearch version: 7.9.0 BC1

Server OS version: Linux

Browser version: Chrome

Original install method (e.g. download page, yum, from source, etc.):
Staging

Description of the problem including expected versus actual behavior:

Steps to reproduce:

  1. Create a user with roles kibana_admin and read only to an index pattern
  2. Navigate to create index pattern, notice internal error occurs.

Errors in browser console (if relevant):

core.entry.js:34 GET https://localhost:5601/internal/index-pattern-management/resolve_index/* 500 (Internal Server Error)
core.entry.js:34 GET https://localhost:5601/internal/index-pattern-management/resolve_index/*:* 500 (Internal Server Error)

Screenshot from 2020-07-16 20-14-27

@liza-mae liza-mae added bug Fixes for quality problems that affect the customer experience blocker regression Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jul 17, 2020
@liza-mae
Contributor Author

pinging: @elastic/kibana-security

@legrego
Member

legrego commented Jul 17, 2020

The error is thrown from the /internal/index-pattern-management/resolve_index/{query} endpoint. @mattkime / @danhermann are you able to help resolve this one? Looks like this was introduced in #70271 to support data streams.

Was the corresponding Elasticsearch endpoint (elastic/elasticsearch#57626) introduced specifically to enable Kibana and index pattern management? If so, then that endpoint should not require the indices:admin/resolve/index privilege in order to function. We've been able to create index patterns with just the read and view_index_metadata index privileges historically, and changing that requirement isn't something we can do in a minor release.

server    log   [05:44:13.087] [error][http] { Error: [security_exception] action [indices:admin/resolve/index] is unauthorized for user [test]
    at respond (/Users/larry/repos/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/Users/larry/repos/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/Users/larry/repos/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/Users/larry/repos/kibana/node_modules/lodash/lodash.js:4929:19)
    at IncomingMessage.emit (events.js:203:15)
    at endReadableNT (_stream_readable.js:1145:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
  status: 403,
  displayName: 'AuthorizationException',
  message:
   '[security_exception] action [indices:admin/resolve/index] is unauthorized for user [test]',
  path: '/_resolve/index/*%3A*',
  query: undefined,
  body:
   { error:
      { root_cause: [Array],
        type: 'security_exception',
        reason:
         'action [indices:admin/resolve/index] is unauthorized for user [test]' },
     status: 403 },
  statusCode: 403,
  response:
   '{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/resolve/index] is unauthorized for user [test]"}],"type":"security_exception","reason":"action [indices:admin/resolve/index] is unauthorized for user [test]"},"status":403}',
  toString: [Function],
  toJSON: [Function] }
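
An added example, not part of the thread or of Kibana's code: the 403 body from the log above parsed into the denied action and user, then grouped by action, so that a missing privilege like this one shows up as a single action denied across several users. Every body except the first is constructed, and the function names are hypothetical.

```javascript
// Matches the reason prefix seen in the log; trailing detail after the user is tolerated.
const DENIED = /^action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]/;

// Parse one raw Elasticsearch error body; null if it is not an authorization denial.
function parseDenial(raw) {
  let body;
  try {
    body = JSON.parse(raw);
  } catch {
    return null; // not JSON, e.g. a proxy error page
  }
  const err = body && body.error;
  if (!err || err.type !== 'security_exception' || typeof err.reason !== 'string') return null;
  const m = DENIED.exec(err.reason);
  return m ? { status: body.status, action: m[1], user: m[2] } : null;
}

// Group denials by action, most widely denied action first.
function summarizeDenials(rawBodies) {
  const byAction = new Map();
  for (const raw of rawBodies) {
    const d = parseDenial(raw);
    if (!d) continue;
    if (!byAction.has(d.action)) byAction.set(d.action, new Set());
    byAction.get(d.action).add(d.user);
  }
  return [...byAction]
    .map(([action, users]) => ({ action, users: [...users].sort() }))
    .sort((a, b) => b.users.length - a.users.length);
}

const SAMPLE_BODIES = [
  // Body taken from the server log in this thread.
  '{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/resolve/index] is unauthorized for user [test]"}],"type":"security_exception","reason":"action [indices:admin/resolve/index] is unauthorized for user [test]"},"status":403}',
  // Constructed: the same action denied for a second user.
  '{"error":{"type":"security_exception","reason":"action [indices:admin/resolve/index] is unauthorized for user [analyst]"},"status":403}',
  // Constructed: a different denied action.
  '{"error":{"type":"security_exception","reason":"action [indices:admin/get] is unauthorized for user [analyst]"},"status":403}',
  // Constructed: not an authorization failure, must be skipped.
  '{"error":{"type":"index_not_found_exception","reason":"no such index [missing]"},"status":404}',
  // Constructed: non-JSON upstream response, must be skipped.
  '<html>502 Bad Gateway</html>',
];

console.log(JSON.stringify(summarizeDenials(SAMPLE_BODIES), null, 2));
```
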

@elasticmachine
Contributor

Pinging @elastic/kibana-app-arch (Team:AppArch)

@danhermann

> Was the corresponding Elasticsearch endpoint (elastic/elasticsearch#57626) introduced specifically to enable Kibana and index pattern management? If so, then that endpoint should not require the indices:admin/resolve/index privilege in order to function. We've been able to create index patterns with just the read and view_index_metadata index privileges historically, and changing that requirement isn't something we can do in a minor release.

@legrego, by necessity, that endpoint is going to require authorization for the indices:admin/resolve/index action, but there is a case to be made that that action should be covered by the existing view_index_metadata privilege. If that would resolve this situation, I can raise the question on the ES and make that change if approved.

@legrego
Copy link
Member

legrego commented Jul 17, 2020

> by necessity, that endpoint is going to require authorization for the indices:admin/resolve/index action, but there is a case to be made that that action should be covered by the existing view_index_metadata privilege. If that would resolve this situation, I can raise the question on the ES and make that change if approved.

I think that would resolve the situation from Kibana's perspective, so long as adding indices:admin/resolve/index to view_index_metadata is palatable from the ES security standpoint

@danhermann
Copy link

> I think that would resolve the situation from Kibana's perspective, so long as adding indices:admin/resolve/index to view_index_metadata is palatable from the ES security standpoint

I'll look into that, then.

@droberts195
Contributor

The Elasticsearch PR is merged and backported - see links above.

@kobelb
Contributor

kobelb commented Aug 4, 2020

I believe this issue has been fixed. Were any tests skipped that should be re-enabled or can we close this?

@liza-mae
Contributor Author

liza-mae commented Aug 5, 2020

It was fixed, closing.

@liza-mae liza-mae closed this as completed Aug 5, 2020
