Permission error on user management - kibana

We just set up Elasticsearch, Logstash and Kibana on our Swisscom Application Cloud instance. Now when I log in to Kibana with the full_access_username and full_access_password I can do almost everything except add new users and manage existing ones under Settings - User Management.
There I always get a message saying:
You do not have permission to manage users. Please contact your administrator.
Does anyone have an idea how to fix that?
We'd like to have different users and give them permissions on some indices and attributes only.
Thanks in advance for your help.

As Swisscom provides their Elasticsearch Service as managed, you have some limitations in terms of administrative functions. At the time of writing this includes cluster and user management as well as watches.
You can provide new users by creating service keys: cf create-service-key <service-instance-name> <service-key-name>


No permissions to run the selected query in App Insights

When I go to App Insights -> Activity Log I get:
No permissions to run the selected query.
Is that because there are no queries to run? Or is it really a permissions problem?
I have defined two queries but they don't show up in the dropdown. Should they?
Where can I read more about this? The docs page didn't help me very much.
Please ensure that the user has access to the following Azure provider in addition to the obvious ones.
"microsoft.insights/eventtypes/*"
You could also try "microsoft.insights/*/read", in case you want the role to view all monitoring data from Azure Monitor.
More on custom roles & RBAC is documented here:
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
To configure custom roles in Azure - https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell
Activity Log interaction is here:
https://learn.microsoft.com/en-us/rest/api/monitor/activitylogs/activitylogs_list
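A way to check a custom role against the permission named above, as an added example that is not part of the original answer: it evaluates a role's Actions and NotActions with case-insensitive `*` wildcards and reports which required operations the role does not cover. The role definitions are constructed samples, and the operation name used for reading Activity Log events is an assumption that does not appear on the page.

```python
import re

def _matches(pattern, operation):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def role_allows(role, operation):
    """True if an Actions entry covers the operation and no NotActions entry removes it."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

def missing_operations(role, required):
    """Operations from `required` that the role does not permit."""
    return [op for op in required if not role_allows(role, op)]

# Assumed operation behind the Activity Log view (not stated on the page).
ACTIVITY_LOG_READ = "Microsoft.Insights/eventtypes/values/read"
REQUIRED = ["Microsoft.Insights/components/read", ACTIVITY_LOG_READ]

# Constructed role with only the "obvious" Application Insights permissions.
ROLE_BEFORE = {
    "Name": "AppInsights Viewer (sample)",
    "Actions": ["Microsoft.Insights/components/read",
                "Microsoft.Insights/components/*/read"],
    "NotActions": [],
}
# Same role with the provider permission from the answer added.
ROLE_AFTER = dict(ROLE_BEFORE,
                  Actions=ROLE_BEFORE["Actions"] + ["microsoft.insights/eventtypes/*"])
# The broader alternative from the answer: read access to all monitoring data.
ROLE_BROAD = {"Name": "Monitoring Viewer (sample)",
              "Actions": ["microsoft.insights/*/read"], "NotActions": []}

if __name__ == "__main__":
    for role in (ROLE_BEFORE, ROLE_AFTER, ROLE_BROAD):
        print(role["Name"], role["Actions"], "missing:",
              missing_operations(role, REQUIRED))
```

The narrower `microsoft.insights/eventtypes/*` entry keeps the role closer to least privilege than `microsoft.insights/*/read`, which opens every read operation under the provider.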

Unable to retrieve the list of workspaces. Error: Insufficient privileges

Why do I get this error message when I try to launch the conversation service tool:
Unable to retrieve the list of workspaces. Error: Insufficient privileges
You need to delete your browser's cookies. I faced the same problem, but after deleting the cookies I could see my workspaces.
I'm one of the developers of the Watson Conversation service and you seem to have uncovered a small bug in the way that the tooling currently operates. We've been able to successfully reproduce this.
In short, when you open up the tooling to train an instance of the Watson Conversation service a call is made to Bluemix for all instances of the Watson Conversation service that you can see. However, due to the way that Bluemix space permissions work, you may be able to see instances that you don't have permission to edit. You should be able to find your service in the dropdown in the upper right corner of the screen.
In order to have permission to edit and make changes to an instance of the Watson Conversation service, you'll need to have dev permissions in the space that contains the instance of the Watson Conversation service. If you'd like to work on that service instance, you'll need to ask the person who owns the service instance to grant you dev permissions in the space. You can find out more about how to do this in the managing team members and roles section of the IBM Bluemix documentation.
I met the same issue
"Unable to retrieve the list of workspaces. Error: Insufficient privileges".
I double checked my permissions and validated that I have the admin access to all services in my space.
Then, I switched to a different browser and was able to navigate to the Watson tool login page. So for my case, it looks more like a cookie issue. Thanks to #Richard L.'s comment.

How to achieve that user is also the author of a task in Phabricator's Maniphest via Conduit API?

The Conduit API in Phabricator does not support setting the authorPHID parameter when calling maniphest.createtask. I can imagine this is because of security or some logical reason.
But I am developing my own frontend for Maniphest where the users (logged in through Phabricator, so they are phab users and have a phid) will add and edit tasks. What I need is that if a user creates a task, he is also the author of the task.
But the problem is that I can't connect to Conduit as any user other than "apibot", because I don't have the other users' certificates in my front-end to do it. But if I log in as "apibot", then "apibot" is set as the author of the task.
Three possible solutions came to my mind:
1. retrieve certificate directly from phab's database
2. keep a list of certificates in some file in my front-end and update it manually every time somebody registers
I guess none of them are really smart...
The third solution would be nice, but I didn't find a way to do it:
3. log in as "apibot", get certificate of userXY and then log in as the userXY
What would you suggest?

How to authenticate in order to access Kibana 2.0?

Q: Kibana is great, but I want to make it so users have to authenticate in order to access it. How do I do that? A: This can be handled a number of ways. The best way is to run Kibana with Passenger and Apache or Nginx. There's sample configurations in the sample directory. You can then handle your preferred authentication mechanism with Apache or Nginx.
How do I do this? I do not use any of these programs. Could someone give me a basic overview of what I have to do? Any help would be nice. I am a student and learning, but I need help to keep going; I don't know everything.
I am running Ubuntu.
Well, actually, even if you set up some kind of authentication for Kibana, it won't be enough. As you probably know, Kibana runs on top of Elasticsearch, so even if you "limit" permissions to Kibana, everyone can still access Elasticsearch and see existing indices or even create new ones. So the main question is whether you can manage AuthN && AuthZ against Elasticsearch.
For authentication you can integrate Kibana/Elasticsearch with any framework (for example Play, Spring MVC etc.), whichever you are using. Create a login page (authentication) using the framework, point Kibana to the web server/app server embedded in the framework, and pass the Kibana request to Elasticsearch and the response from Elasticsearch to Kibana through this framework. Basically this framework will be a mediator between Kibana and Elasticsearch. You also need to block the Elasticsearch server port, so that nobody can access ES directly.
Kibana<-->Intermediate Framework<-->Elastic Search
Hope this helps!
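The mediator described in the two answers above, as an added example that is not part of the original posts: a small authenticating relay that sits between Kibana and Elasticsearch and only forwards requests carrying valid HTTP Basic credentials. The ports, the user name and password, and the fixed salt are constructed assumptions; it presumes Elasticsearch listens on loopback only and that TLS is terminated in front of the relay.

```python
import base64, hashlib, hmac, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "http://127.0.0.1:9200"  # assumption: Elasticsearch bound to loopback only

def _hash(password):  # constructed fixed salt; use a random per-user salt in practice
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

USERS = {"analyst": _hash("constructed-password")}  # constructed sample account

def authenticate(header):
    """Return the user name for a valid 'Authorization: Basic ...' header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or UTF-8
        return None
    # Hash unknown users' passwords too, so timing does not reveal valid names.
    ok = hmac.compare_digest(_hash(password), USERS.get(user, bytes(32)))
    return user if ok and user in USERS else None

class Mediator(BaseHTTPRequestHandler):
    def _relay(self):
        if authenticate(self.headers.get("Authorization")) is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="kibana"')
            self.end_headers()
            return
        if not self.path.startswith("/"):  # refuse absolute-URI request targets
            return self.send_error(400)
        length = int(self.headers.get("Content-Length") or 0)
        request = urllib.request.Request(
            UPSTREAM + self.path, data=self.rfile.read(length) if length else None,
            method=self.command, headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(request, timeout=10) as reply:
                status, payload = reply.status, reply.read()
        except urllib.error.HTTPError as err:  # relay Elasticsearch's own error
            status, payload = err.code, err.read()
        except urllib.error.URLError:
            status, payload = 502, b"upstream unavailable"
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
    do_GET = do_POST = _relay  # other methods (DELETE, PUT) get http.server's 501

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Mediator).serve_forever()
```

Relaying only GET and POST is a coarse authorization step on top of authentication: index deletion and creation by PUT never reach Elasticsearch through this path.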

How to allow multiple users to manage application running on server?

I'm not sure if the title makes sense. Hard question to ask.
I have an application running on a server under my network account, and it's scheduled to run daily.
I can remote in with my user credentials and check on the application.
What if I want more than one person to be able to remote in and check it? I can create a new account on the server, but it wouldn't have network rights and the application needs access to network folders.
What would be the best approach?
Thanks! :-)
P.S. Feel free to edit the tags. I can't figure out what to pick.
I would recommend your application writes out log files or status messages to a place the necessary users can see. They can see the status via logs or output and don't need access to the scheduled task itself.
Well, in Unix you'd create a group and add users to said group. I'm fairly certain you can do this on a Windows server (make sure, of course, that the group has permission to execute and read the app or the app's log files).
