I'm trying to set up X-Pack (on ES v5.1.1 - can't upgrade yet) using the Puppet module (https://github.com/elastic/puppet-elasticsearch/tree/5.x#advanced-features), but I'm having problems with authentication...
I've created a realm (type=file, order=0), a user with a password and added the user to the "monitoring_user" built-in group. But I'm still getting
```
action [cluster:monitor/main] is unauthorized for user [my_user]
```
Preferably, I'd like to give anyone access (without logging in) to that root URL because it's used by my [AE]LBs in AWS..
EDIT:
Actually, it seems to be worse than that... I can't get ANY authentication working. I've set up an LDAP server as well, and no matter if I try to authenticate with my "file" user or my "ldap" user, I always get
```
failed to authenticate user [<user>]
```
However, just found the default password for the 'elastic' user, and THAT works..
My config files:
- elasticsearch.yml
```yaml
cloud.aws.region: eu-west-1
cluster.name: dbase-esc
cluster.routing.allocation.awareness.attributes: eu-west-1a
cluster.routing.allocation.awareness.force.my_rack_id.values: "eu-west-1a,eu-west-1b,eu-west-1c"
cluster.routing.allocation.node_concurrent_recoveries: 2
cluster.routing.allocation.node_initial_primaries_recoveries: 4
discovery.ec2.availability_zones: "eu-west-1a,eu-west-1b,eu-west-1c"
discovery.ec2.host_type: private_ip
discovery.zen.hosts_provider: ec2
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: "2s"
gateway.expected_nodes: 2
gateway.recover_after_nodes: 1
gateway.recover_after_time: "5m"
http.enabled: "true"
http.max_content_length: "500mb"
http.port: 9200
indices.recovery.max_bytes_per_sec: "200mb"
network.bind_host: "_ec2:privateIpv4_"
network.publish_host: "_ec2:privateIpv4_"
node.attr.my_node_type: "false"
node.attr.my_rack_id: eu-west-1a
node.data: false
node.ingest: false
node.master: false
node.max_local_storage_nodes: 1
node.name: dbase-esc-coordinating-slave-00008
path.data: /var/lib/elasticsearch/data
path.logs: /var/lib/elasticsearch/logs
path.repo: /var/lib/elasticsearch/backups
plugin.mandatory: repository-s3
transport.tcp.compress: "true"
transport.tcp.port: 9300
xpack.monitoring.exporters.my_local.type: local
xpack.monitoring.exporters.my_local.use_ingest: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs:
  - logfile
xpack.security.authc.anonymous.authz_exception: true
xpack.security.authc.anonymous.roles: lbs
xpack.security.authc.anonymous.username: lbs
xpack.security.authc.realms.ldap1.group_search.attribute: cn
xpack.security.authc.realms.ldap1.group_search.base_dn: "<MY_BASE_DN>"
xpack.security.authc.realms.ldap1.order: 1
xpack.security.authc.realms.ldap1.ssl.certificate_authorities:
  - x-pack/cacert.pem
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
xpack.security.authc.realms.ldap1.url: "ldaps://ldap.domain.tld"
xpack.security.authc.realms.ldap1.user_search.attribute: uid
xpack.security.authc.realms.ldap1.user_search.base_dn: "<MY_BASE_DN>"
xpack.security.authc.realms.local.order: 0
xpack.security.authc.realms.local.type: file
```
- x-pack/role_mapping.yml
```yaml
admins:
  - "cn=admins,ou=Groups,ou=<MY_BASE_OU>"
devs:
  - "cn=devs,ou=Groups,ou=<MY_BASE_OU>"
```
- x-pack/roles.yml
```yaml
admins:
  cluster: all
  indices:
    "*":
      privileges: all
anon:
  cluster: monitor
  indicies:
    - monitor
devs:
  cluster: manage
  indices:
    - names: "20*"
      privileges:
        - write
        - delete
        - create_index
lbs:
  cluster:
    - monitor
  indices:
    - monitor
    - transport_client
  internal:
    - discovery/zen/fd/ping
```
- x-pack/users
```
lbs:$2a$10$<RANDOM_STRING>
```
- x-pack/users_roles
```
lbs:lbs
```
I'm also getting
```
[2018-02-08T18:26:42,103] [transport] [access_denied] origin_type=[rest], origin_address=[10.111.0.188], principal=[lbs], action=[cluster:monitor/main], request=[MainRequest]
```
which is the other coordinating node. I also get the same from my AWS (application) load balancers.
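An added example, not code from the post or from the Puppet module: a small lint that checks role definitions against the shape X-Pack 5.x expects in roles.yml (a `cluster` list plus an `indices` list of `names`/`privileges` entries) and runs it over the roles posted above. The allowed key and privilege names are my own lists, and `POSTED_ROLES` is a constructed transcription of the posted file as YAML would parse it.

```python
ROLE_KEYS = {"cluster", "indices", "run_as"}                 # assumed 5.x top-level role keys
INDEX_ENTRY_KEYS = {"names", "privileges", "field_security", "query"}
CLUSTER_PRIVILEGES = {"all", "monitor", "manage", "manage_security",
                      "manage_index_templates", "manage_pipeline", "transport_client"}
INDEX_PRIVILEGES = {"all", "monitor", "manage", "view_index_metadata", "read", "index",
                    "create", "write", "delete", "delete_index", "create_index"}


def lint_role(role):
    """Return the problems found in one role definition (empty list if it looks valid)."""
    problems = []
    for key in role:
        if key not in ROLE_KEYS:
            problems.append(f"unknown role key {key!r}")
    cluster = role.get("cluster", [])
    if not isinstance(cluster, list):
        problems.append("'cluster' must be a list of cluster privileges")
    else:
        problems += [f"unknown cluster privilege {p!r}" for p in cluster if p not in CLUSTER_PRIVILEGES]
    indices = role.get("indices", [])
    if not isinstance(indices, list):
        problems.append("'indices' must be a list of {names, privileges} entries")
        return problems
    for entry in indices:
        # Each entry must be a mapping naming the index patterns and the privileges on them.
        if not isinstance(entry, dict) or not {"names", "privileges"} <= set(entry):
            problems.append(f"index entry {entry!r} needs 'names' and 'privileges'")
            continue
        problems += [f"unknown index entry key {k!r}" for k in set(entry) - INDEX_ENTRY_KEYS]
        problems += [f"unknown index privilege {p!r}" for p in entry["privileges"] if p not in INDEX_PRIVILEGES]
    return problems


def lint_roles(roles):
    """Map role name -> problems, listing only the roles that fail the checks."""
    return {name: found for name, role in roles.items() if (found := lint_role(role))}


# Constructed input: the posted roles.yml as a YAML parser would read it (typo included).
POSTED_ROLES = {
    "admins": {"cluster": "all", "indices": {"*": {"privileges": "all"}}},
    "anon": {"cluster": "monitor", "indicies": ["monitor"]},
    "devs": {"cluster": "manage",
             "indices": [{"names": "20*", "privileges": ["write", "delete", "create_index"]}]},
    "lbs": {"cluster": ["monitor"], "indices": ["monitor", "transport_client"],
            "internal": ["discovery/zen/fd/ping"]},
}
# The 'lbs' role rewritten in the list-of-entries form; this one passes the lint.
FIXED_LBS = {"cluster": ["monitor"],
             "indices": [{"names": ["*"], "privileges": ["monitor"]}]}
```

Running `lint_roles(POSTED_ROLES)` reports every posted role, while `lint_roles({"lbs": FIXED_LBS})` returns an empty dict.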