Not sufficient permissions to access license information on remote monitoring cluster

[radoondas]

Elasticsearch version (bin/elasticsearch --version): 6.5.4

Plugins installed: [none]

JVM version (java -version): OpenJDK 64-Bit Server VM 11.0.1

OS version (uname -a if on a Unix-like system): not relevant

Description of the problem including expected versus actual behavior:

When using least privileges for user defined to read monitoring data in remote monitoring cluster, this user is missing some of the permissions to show all information in Monitoring application.

Steps to reproduce:
Production cluster and Monitoring cluster.
Both have valid Gold/Platinum license.
Production cluster is sending data to Remote monitoring cluster.

To allow Production cluster Kibana with Monitoring UI to read monitoring data from remote Monitoring cluster, configuration for least privileges is suggested in the documentation (point 3.)
https://www.elastic.co/guide/en/kibana/current/monitoring-data.html

Correct user is defined in Monitoring cluster and This user is also configured in Production Kibana configuration file according to documentation above.

User definition

"monitor_viewer" : {
    "username" : "monitor_viewer",
    "roles" : [
      "monitoring_user"
    ],
    "full_name" : "Monitor viewer for Kibana",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }

In Production, we are missing Cluster status due to license issue.

Accessing _xpack endpoint which is required for license check provides following permission error.

curl -k -u monitor_viewer https://<monitoring_hostname>:9200/_xpack/?pretty 
Enter host password for user 'monitor_viewer': 
{ 
 "error" : { 
   "root_cause" : [ 
     { 
       "type" : "security_exception", 
       "reason" : "action [cluster:monitor/xpack/info] is unauthorized for user [monitor_viewer]" 
     } 
   ], 
   "type" : "security_exception", 
   "reason" : "action [cluster:monitor/xpack/info] is unauthorized for user [monitor_viewer]" 
 }, 
 "status" : 403 
}

This means that in Production Kibana Monitoring tab, some of the informations are missing due to limited privileges for the role monitoring_user

I would expect that role monitoring_user have all required permissions.

[elasticmachine]

Pinging @elastic/es-security

[elasticmachine]

Pinging @elastic/es-core-features

[chrisronline]

From a UI perspective, we're pulling live license information [1] from the monitoring cluster [2] using the logged in user[3]. The necessary call for this information is /_xpack[3] which requires more permissions than monitoring_user grants.

1. https://github.com/elastic/kibana/blob/master/x-pack/plugins/monitoring/server/init_monitoring_xpack_info.js#L21
2. https://github.com/elastic/kibana/blob/master/x-pack/plugins/monitoring/server/init_monitoring_xpack_info.js#L16
3. https://github.com/elastic/kibana/blob/master/x-pack/plugins/xpack_main/server/lib/xpack_info.js#L139

[ycombinator]

@chrisronline Are you sure it's the logged-in user? The function name in [3] seems to suggest that it's an internal user. If it's an internal user, could you verify which internal user this when this code is called by the Monitoring UI code - elasticsearch.username OR xpack.monitoring.elasticsearch.username falling back to elasticsearch.username?

[chrisronline]

Yes, you are correct.

It is the elasticsearch.username