I want to create a user who has admin rights (search, read, write) access on testIndex index. For this, I created a role testIndex_admin (ref. kibana screenshot given below) and assigned the new user this role.
However after the user logs in he only see an empty screen with a "Help us improve the Elastic Stack by providing basic feature usage statistics?" popup. On the browser console I found the following request being made which failed with 403 error.
Request URL: http://localhost:5601/api/saved_objects/_find?type=index-pattern&per_page=10000
{
"message": "action [indices:data/read/search] is unauthorized for user [user01]: [security_exception] action [indices:data/read/search] is unauthorized for user [user01]",
"statusCode": 403,
"error": "Forbidden"
}
Also, I get the following "Advanced Setting Error" popup that appears (give below)
ElasticSearch v6.3.2
Kibana v6.3.2
What can be done so that the user can access only his testIndex with all priviliges to it?
The kibana_user role grants access to the resources that are required when using Kibana.
You need to grant that role, and whatever additional roles you require to get access to the data itself.
So, if you want the user to be able to use Kibana, then you need to give them the kibana_user role.
So for example my list of roles would appear something like this:
testIndex_admin kibana_user
Related
Based on my research, I observed that even if I have granted okta.roles.read scope, the token that gets generated fails to fetch the user roles for a non super admin user.
Details are as follows -
I have 2 users:
User A - Super Admin
User B - Organisation Admin
I have granted 2 scopes
okta.users.read
okta.roles.read
I am using following api to generate the access token
https://${yourOktaDomain}/oauth2/v1/authorize?client_id=0oan47pj9BsB30h7&response_type=token&response_mode=fragment&scope=okta.users.read%20okta.roles.read&redirect_uri=${yourConfiguredRedirectUri}&nonce=UBGW&state=1234
This is as per the documentation https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/#define-allowed-scopes.
My use case is that based on user email, I fetch user details and extract the user id from it. Using the user id, I intend to fetch the user role. Okta api used are as follows -
<url>/api/v1/users/<email>
<url>/api/v1/users/<userId>/roles
Observation -
For user B (can be generalized to any non super admin user), the access token that gets generated fetches the user details successfully but fails to fetch the user role details. It gives following error -
{
"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "oaeMVYcb9_9TOGjSN4hQG8Eww",
"errorCauses": []
}
But the same works just fine if I generate the access token using a user with super admin role.
Has anyone faced this issue? Can someone help me identify what might be going wrong here?
I am unable to access Microsoft Graph API's, I am getting the below error object-
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-03-11T07:17:41",
"request-id": "fa7c7d27-50f3-46ca-b7a9-25198e6cdd8e",
"client-request-id": "fa7c7d27-50f3-46ca-b7a9-25198e6cdd8e"
}
}
}
I have registered the application in the Azure registration portal, acquired client_id, tenant, and client_secret, and used that to generate an access token with the help of the below API-
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id={client_Id}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={client_secret}
&grant_type=client_credentials
The access token which I got in this response is used to further call Graph API's but it's giving me an error object attached above.
Please help me here.
This particular error is typically thrown when your application does not have the required permission to call a particular endpoint. Please go to the azure portal and grant the necessary Graph permissions for the endpoints you are calling. You can view the particular permissions you need by going to the Microsoft Graph documentation of the API you want to call and check under the permissions section. For signed in users, you will need the delegated permissions and for access as an application/daemon, you will need application permissions.
To grant these permissions, follow these steps:
Azure portal > Azure Active Directory > App Registration > All Applications > Search with your ClientID/AppID.
In that application navigate to:
Api Permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions.
Once the permissions are added, click on Grant Admin Consent for Your Tenant.
Purchases.products: get had been working well till 2 weeks ago. However, it starts returning Error suddenly. (I didn't change any options)
It can still refresh token through POST request to https://accounts.google.com/o/oauth2/token with (grant_type, client_id, client_secret, refresh_token) but with the access-token returned, 403 Error happen like the below.
{
"error": {
"errors": [
{
"domain": "androidpublisher",
"reason": "permissionDenied",
"message": "The current user has insufficient permissions to perform the requested operation."
}
],
"code": 401,
"message": "The current user has insufficient permissions to perform the requested operation."
}
}
This is google dashboard representing error rate for Purchases.products: get
I found the question but it is still not working.
---------- EDIT ----------
I want to describe more detail. I don't know if it is right way because I am actually just fixing Legacy system someone did.
The process above(refreshing token and requesting purchase info) is done in server-side. It is for server-side to verify if the purchase-information APP send is correct.
When APP send purchase-information, server-side just call HTTP request(POST and GET) with pre-defined attributes(client_id, client_secret, grant_type).
It means there is no login process anywhere.
In addition, the client_id and client_secret I use seemed created in google-developer-console by create-credentials in below image but not when registering APP.
---------- Edit ----------
I tried to recreate client_id with an owner account. the screenshot is from google developer console->IAM&Admin->IAM
However, it is still the same error.
"The current user has insufficient permissions to perform the requested operation."
The user you have currently authenticated with no longer has access to the data you are trying to access. Either give the user access again or login with a user that does have access.
ClientId
When you wish to work with a Google API you must register your application. When you do so google gives you a client id. This identities your application to google when ever it runs.
Accessing User data
To access private user data you must have permission of the person who owns the data to access it. Your application runs (Denoted by the Client id) the user is prompted to login to google and grant your application consent to access their data.
If the user looses access to the data that they have granted your application access to your application will loose its access.
Hi I am new to service now.I have an demo instance "demonowprod.service-now.com" when I try to retrieve data from rest API URL it throws authentication fail message like below.
https://demochannel.service-now.com/api/now/table/incident?sysparm_limit=1
{
"error": {
"detail": "Required to provide Auth information",
"message": "User Not Authenticated"
},
"status": "failure"
}
Any help will be appreciated.
So you have two or one instances?
At first you say your instance name is demonowprod.service-now.com in your query you call demochannel.service-now.com.
The credentials used for API calls are your user credentials. Of course you need to have read access on the incident table when querying it.
I think what you need to do is create a service account of sorts and assign the "rest_service" role to that account. Use this credential when connecting from the other instance of SN. User accounts are created by either admins or user_admins under User Administration > Users.
See http://wiki.servicenow.com/index.php?title=REST_API#gsc.tab=0
I am trying to fetch user events from facebook but I am having some problem witht he request. I can access their profile image and their UID but for some reason when I try to access the events I get the following error:
{
"error": {
"type": "QueryParseException",
"message": "An active access token must be used to query information about the current user."
}
}
I have an active access token, that's what I am using to access the UID and profile pic but for some reason the events do not show up.
This is my call:
events
my login button looks like this:
<fb:login-button perms="user_events"></fb:login-button>
It also throws an error after login in.
The error is this:
The application must ask for a valid extended permission.
The invalid permissions requested were: .
I think your call url should look like this:
http://graph.facebook.com/me/events?access_token=[Your oAuth token]