Action [cluster:monitor/main] is unauthorized for user


(Turbo Fredriksson) #1

I'm trying to setup X-Pack (on ES v5.1.1 - can't upgrade yet) using the Puppet module (https://github.com/elastic/puppet-elasticsearch/tree/5.x#advanced-features), but I'm having problem with authentication...

I've created a realm (type=file, order=0), a user with a password and added the user to the "monitoring_user" built-in group. But I'm still getting

action [cluster:monitor/main] is unauthorized for user [my_user]

Preferably, I'd like to give anyone access (without login in) to that root URL because it's used by my [AE]LBs in AWS..

EDIT:
Actually, it seems to be worse than that... I can't get ANY authentication working. I've setup an LDAP server as well, and no matter if I try to authenticate with my "file" user or my "ldap" user, I always get

failed to authenticate user [<user>]

However, just found the default password for the 'elastic' user, and THAT works..

My config files:

  • elasticsearch.yml
cloud.aws.region: eu-west-1
cluster.name: dbase-esc
cluster.routing.allocation.awareness.attributes: eu-west-1a
cluster.routing.allocation.awareness.force.my_rack_id.values: "eu-west-1a,eu-west-1b,eu-west-1c"
cluster.routing.allocation.node_concurrent_recoveries: 2
cluster.routing.allocation.node_initial_primaries_recoveries: 4
discovery.ec2.availability_zones: "eu-west-1a,eu-west-1b,eu-west-1c"
discovery.ec2.host_type: private_ip
discovery.zen.hosts_provider: ec2
discovery.zen.minimum_master_nodes: 2
discovery.zen.ping_timeout: "2s"
gateway.expected_nodes: 2
gateway.recover_after_nodes: 1
gateway.recover_after_time: "5m"
http.enabled: "true"
http.max_content_length: "500mb"
http.port: 9200
indices.recovery.max_bytes_per_sec: "200mb"
network.bind_host: "_ec2:privateIpv4_"
network.publish_host: "_ec2:privateIpv4_"
node.attr.my_node_type: "false"
node.attr.my_rack_id: eu-west-1a
node.data: false
node.ingest: false
node.master: false
node.max_local_storage_nodes: 1
node.name: dbase-esc-coordinating-slave-00008
path.data: /var/lib/elasticsearch/data
path.logs: /var/lib/elasticsearch/logs
path.repo: /var/lib/elasticsearch/backups
plugin.mandatory: repository-s3
transport.tcp.compress: "true"
transport.tcp.port: 9300
xpack.monitoring.exporters.my_local.type: local
xpack.monitoring.exporters.my_local.use_ingest: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs:
  - logfile
xpack.security.authc.anonymous.authz_exception: true
xpack.security.authc.anonymous.roles: lbs
xpack.security.authc.anonymous.username: lbs
xpack.security.authc.realms.ldap1.group_search.attribute: cn
xpack.security.authc.realms.ldap1.group_search.base_dn: "<MY_BASE_DN>"
xpack.security.authc.realms.ldap1.order: 1
xpack.security.authc.realms.ldap1.ssl.certificate_authorities:
  - x-pack/cacert.pem
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
xpack.security.authc.realms.ldap1.url: "ldaps://ldap.domain.tld"
xpack.security.authc.realms.ldap1.user_search.attribute: uid
xpack.security.authc.realms.ldap1.user_search.base_dn: "<MY_BASE_DN>"
xpack.security.authc.realms.local.order: 0
xpack.security.authc.realms.local.type: file
  • x-pack/role_mapping.yml
admins:
  - "cn=admins,ou=Groups,ou=<MY_BASE_OU>"
devs:
  - "cn=devs,ou=Groups,ou=<MY_BASE_OU>"
  • x-pack/roles.yml
admins:
  cluster: all
  indices:
    "*":
      privileges: all
anon:
  cluster: monitor
  indicies:
    - monitor
devs:
  cluster: manage
  indices:
    - names: "20*"
      privileges:
        - write
        - delete
        - create_index
lbs:
  cluster:
    - monitor
  indices:
    - monitor
    - transport_client
  internal:
    - discovery/zen/fd/ping
  • x-pack/users
lbs:$2a$10$<RANDOM_STRING>
  • x-pack/users_roles
lbs:lbs

I'm also getting

[2018-02-08T18:26:42,103] [transport] [access_denied]   origin_type=[rest], origin_address=[10.111.0.188], principal=[lbs], action=[cluster:monitor/main], request=[MainRequest]

which is the other coordinating node. I also get the same from my AWS (application) load balancers.


(Turbo Fredriksson) #2

Well, several hours later, it seems that my roles.yml was WAY wrong!

This seems to work better:

admins:
  cluster:
    - all
  indices:
    - names:
        - "*"
      privileges:
        - all
devs:
  cluster:
    - manage
  indices:
    - names:
        - "20*"
      privileges:
        - write
        - delete
        - create_index
lbchk:
  cluster:
    - monitor
    - transport_client
  indices:
    - names:
        - ".marvel-es-*"
        - ".monitoring-*"
      privileges:
        - all

I took the opportunity to rename my 'LB check user' (kept getting Username [something] is reserved and may not be used.. But seems that no matter what username I use, I still get that..


How to disable X-Pack http basic auth keeping SSL?
(Tim Vernum) #3

My guess is that you're talking about a user that you're trying use for the "anonymous" user function.

If so, you're probably trying to do something wrong there.
To enabled anonymous access you need to:

  1. Create a role that the anonymous user should have (Note: technically every user gets that role whether they're authenticated or not).
  2. Add that role name into your elasticsearch.yml under the xpack.security.authc.anonymous.roles setting.
  3. Optional change the name of the anonymous user by setting xpack.security.authc.anonymous.username.

And that's it. Don't try and create the anonymous user, or modify them in any way. It's a builtin, reserved user, and the only 2 options you have are what the username is and what roles is has, both of which are configured in elasticsearch.yml and not via the API.


(Turbo Fredriksson) #4

Don't try and create the anonymous user

That was not obvious from any documentation or HOWTO I've ever seen... Thanx, I'll try that.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.