I'm trying to set up X-Pack (on ES v5.1.1 - can't upgrade yet) using the Puppet module (https://github.com/elastic/puppet-elasticsearch/tree/5.x#advanced-features), but I'm having problems with authentication...
I've created a realm (type=file, order=0), a user with a password and added the user to the "monitoring_user" built-in group. But I'm still getting
action [cluster:monitor/main] is unauthorized for user [my_user]
Preferably, I'd like to give anyone access (without logging in) to that root URL because it's used by my [AE]LBs in AWS..
Actually, it seems to be worse than that... I can't get ANY authentication working. I've set up an LDAP server as well, and no matter if I try to authenticate with my "file" user or my "ldap" user, I always get
failed to authenticate user [<user>]
However, I just found the default password for the 'elastic' user, and THAT works..
My config files:
cloud.aws.region: eu-west-1
cluster.name: dbase-esc
cluster.routing.allocation.awareness.attributes: eu-west-1a
cluster.routing.allocation.awareness.force.my_rack_id.values: "eu-west-1a,eu-west-1b,eu-west-1c"
cluster.routing.allocation.node_concurrent_recoveries: 2
cluster.routing.allocation.node_initial_primaries_recoveries: 4
discovery.ec2.availability_zones: "eu-west-1a,eu-west-1b,eu-west-1c"
discovery.ec2.host_type: private_ip
discovery.zen.hosts_provider: ec2
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: "2s"
gateway.expected_nodes: 2
gateway.recover_after_nodes: 1
gateway.recover_after_time: "5m"
http.enabled: "true"
http.max_content_length: "500mb"
http.port: 9200
indices.recovery.max_bytes_per_sec: "200mb"
network.bind_host: "_ec2:privateIpv4_"
network.publish_host: "_ec2:privateIpv4_"
node.attr.my_node_type: "false"
node.attr.my_rack_id: eu-west-1a
node.data: false
node.ingest: false
node.master: false
node.max_local_storage_nodes: 1
node.name: dbase-esc-coordinating-slave-00008
path.data: /var/lib/elasticsearch/data
path.logs: /var/lib/elasticsearch/logs
path.repo: /var/lib/elasticsearch/backups
plugin.mandatory: repository-s3
transport.tcp.compress: "true"
transport.tcp.port: 9300
xpack.monitoring.exporters.my_local.type: local
xpack.monitoring.exporters.my_local.use_ingest: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs:
  - logfile
xpack.security.authc.anonymous.authz_exception: true
xpack.security.authc.anonymous.roles: lbs
xpack.security.authc.anonymous.username: lbs
xpack.security.authc.realms.ldap1.group_search.attribute: cn
xpack.security.authc.realms.ldap1.group_search.base_dn: "<MY_BASE_DN>"
xpack.security.authc.realms.ldap1.order: 1
xpack.security.authc.realms.ldap1.ssl.certificate_authorities:
  - x-pack/cacert.pem
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
xpack.security.authc.realms.ldap1.url: "ldaps://ldap.domain.tld"
xpack.security.authc.realms.ldap1.user_search.attribute: uid
xpack.security.authc.realms.ldap1.user_search.base_dn: "<MY_BASE_DN>"
xpack.security.authc.realms.local.order: 0
xpack.security.authc.realms.local.type: file
admins:
  - "cn=admins,ou=Groups,ou=<MY_BASE_OU>"
devs:
  - "cn=devs,ou=Groups,ou=<MY_BASE_OU>"
admins:
  cluster: all
  indices:
    "*":
      privileges: all
anon:
  cluster: monitor
  indicies:
    - monitor
devs:
  cluster: manage
  indices:
    - names: "20*"
      privileges:
        - write
        - delete
        - create_index
lbs:
  cluster:
    - monitor
  indices:
    - monitor
    - transport_client
  internal:
    - discovery/zen/fd/ping
I'm also getting
[2018-02-08T18:26:42,103] [transport] [access_denied] origin_type=[rest], origin_address=[10.111.0.188], principal=[lbs], action=[cluster:monitor/main], request=[MainRequest]
which is the other coordinating node. I also get the same from my AWS (application) load balancers.
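The audit line above is the most useful evidence in the post: with `xpack.security.audit.enabled: true` and the `logfile` output, every denied request is recorded with the principal it was attributed to and the exact action name. The following is an added example (not part of the original post, nor Elastic's code) that parses lines in that format, counts `access_denied` events per principal and action, and, for denials attributed to the anonymous principal, checks whether the `cluster` entry of the anonymous role as written should have covered the action. The sample lines are constructed (the first one is the line quoted in the post, the others are made up in the same shape), and the mapping from privilege names to action prefixes is a deliberately simplified assumption covering only `all` and `monitor`. A denial for an action the role's cluster privilege covers points at the role definition not having loaded at all rather than at a missing privilege, which is worth ruling out before touching the realm configuration.

```python
import re
from collections import Counter

# Constructed sample input: the first line is the access_denied line quoted in
# the post; the others are made-up lines in the same X-Pack 5.x logfile format.
SAMPLE_AUDIT_LINES = """\
[2018-02-08T18:26:42,103] [transport] [access_denied] origin_type=[rest], origin_address=[10.111.0.188], principal=[lbs], action=[cluster:monitor/main], request=[MainRequest]
[2018-02-08T18:26:43,001] [transport] [access_denied] origin_type=[rest], origin_address=[10.111.0.52], principal=[lbs], action=[cluster:monitor/main], request=[MainRequest]
[2018-02-08T18:26:44,210] [transport] [access_granted] origin_type=[rest], origin_address=[10.111.0.10], principal=[elastic], action=[cluster:monitor/main], request=[MainRequest]
[2018-02-08T18:26:45,500] [rest] [authentication_failed] origin_address=[10.111.0.10], principal=[my_user], uri=[/_cluster/health]
"""

# Line shape: "[timestamp] [layer] [event] key=[value], key=[value], ..."
HEADER_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<tags>(?:\[[^\]]+\]\s*)+)(?P<rest>.*)$')
TAG_RE = re.compile(r'\[([^\]]+)\]')
KV_RE = re.compile(r'(\w+)=\[([^\]]*)\]')


def parse_audit_line(line):
    """Return a dict of fields for one audit line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    tags = TAG_RE.findall(m.group('tags'))
    event = {'timestamp': m.group('ts'), 'layer': tags[0], 'event': tags[-1]}
    event.update(KV_RE.findall(m.group('rest')))  # key=[value] pairs
    return event


def parse_audit_log(text):
    """Parse every recognisable line; silently skip anything else."""
    return [ev for ev in (parse_audit_line(l) for l in text.splitlines()) if ev]


def denied_actions(events):
    """Count access_denied events by (principal, action)."""
    return Counter((ev.get('principal'), ev.get('action'))
                   for ev in events if ev['event'] == 'access_denied')


# Simplified mapping of roles.yml cluster privilege names to the action name
# prefixes they cover. Assumption: only the two names needed here are modelled.
CLUSTER_PRIVILEGE_PREFIXES = {
    'all': ('cluster:',),
    'monitor': ('cluster:monitor/',),
}


def role_covers_cluster_action(role, action):
    """True if the role's 'cluster' entry (string or list) covers the action."""
    privs = role.get('cluster', [])
    if isinstance(privs, str):
        privs = [privs]
    return any(action.startswith(prefix)
               for name in privs
               for prefix in CLUSTER_PRIVILEGE_PREFIXES.get(name, ()))


def explain_anonymous_denials(events, anonymous_username, anonymous_role):
    """For denials attributed to the anonymous principal, report whether the
    role as written should have granted the action. A denial for a covered
    action suggests the role definition never loaded (for example because the
    roles file failed validation) rather than a missing privilege."""
    findings = []
    for ev in events:
        if ev['event'] != 'access_denied' or ev.get('principal') != anonymous_username:
            continue
        covered = role_covers_cluster_action(anonymous_role, ev.get('action', ''))
        verdict = ('role covers action; check that the role actually loaded'
                   if covered else 'role lacks the privilege')
        findings.append((ev.get('origin_address'), ev.get('action'), verdict))
    return findings


if __name__ == '__main__':
    events = parse_audit_log(SAMPLE_AUDIT_LINES)
    for (principal, action), n in denied_actions(events).items():
        print(f'{n}x denied: principal={principal} action={action}')
    # The 'lbs' role's cluster entry as written in the post's roles file.
    lbs_role = {'cluster': ['monitor']}
    for origin, action, verdict in explain_anonymous_denials(events, 'lbs', lbs_role):
        print(f'{origin} {action}: {verdict}')
```

Run it against the real audit log (`path.logs`/`<cluster.name>_access.log` is where the `logfile` output lands by default in 5.x) instead of the constructed sample to see which principals and actions are actually being refused; anything attributed to the anonymous username on `cluster:monitor/main` is the load balancer health check being blocked.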