Access Granted in access log but AuthorizationException in response

Hi All,

Have a strange issue. Using AD with shield to authenticate users and have an account that is tied to a role that is not being allowed to carry out it's actions.

With the account, I can execute a curl command against the basic url (localhost:9200) and get back the status response fine (with status, cluster name, version etc), but when I do anything else, for instance localhost:9200/_cat/indices I get an access granted message in the log for it:

[2016-10-03 11:09:48,086] [node-d01] [transport] [access_granted] origin_type=[rest], origin_address=[/], principal=[curator], action=[cluster:monitor/state], indices=[]

But in the response to the curl command I get an AuthorizationException:

{"error":"RemoteTransportException[[es-m01-node-m01][inet[/]][cluster:monitor/state]]; nested: AuthorizationException[action [cluster:monitor/state] is unauthorized for user [curator]]; ","status":403}

How is it possible that it's getting access granted and yet refused the action too!?

For reference, i've also now been trying this with the admin settings for that role (in roles.yml):

cluster: monitor
'*': all

It looks like the role may not exist or has different permissions on a remote node in the cluster ( Can your check the other node to see if the role exists there?

1 Like

Yep that's fixed it! Thanks very much, as the curl was just talking to one node didn't think permissions on the others would be needed (and failed to see the different IP addresses in the curl response)