Action [indices:admin/delete] is unauthorized for user


(Vijay Ramachandran) #1

Hi Team,

I don't quite get this, what's causing this issue,

roles.yml

> hello:
>   cluster:
>     - all
>   indices:
>     - names: 'twitter'
>       privileges:
>         - all

x-pack]$./users list
test : monitoring_user
hello : ingest_admin
sample : -

 x-pack]$curl --user hello:hello123 -XDELETE  '10.245.30.45:9200/twitter?pretty'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/delete] is unauthorized for user [hello]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/delete] is unauthorized for user [hello]"
  },
  "status" : 403
}

Could you explain cluster privileges to me: what needs to be given to a normal user in order to make it work? If you're going to say admin, then there wouldn't be any security here, right? Anyone can fire anything, right?

What's the optimal combination of these below?

cluster privilege : ?
x-pack user privilege : superuser or whichever appropriate for a normal user?
index privilege : ?


(Tim Vernum) #2

This shows that you have a role named hello.

But this:

shows that no user has the "hello" role. There is a user with the id "hello", but it only has the ingest_admin role.

You are authenticating as the user "hello", but that means you have the "ingest_admin" role, not the "hello" role.

What you need to do is:

First, add the "hello" role to the "hello" user:

bin/x-pack/users roles hello -a hello

https://www.elastic.co/guide/en/x-pack/current/file-realm.html#file-realm-manage-roles

Then, verify that everything is correct:

curl --user hello:hello123 '10.245.30.45:9200/_xpack/security/_authenticate?pretty'

https://www.elastic.co/guide/en/x-pack/current/security-api-authenticate.html

That should list that the hello user has the hello role.


(Vijay Ramachandran) #3

I think I am missing something, can you have a look and advise on this?

> x-pack]$curl --user hello:hello123 -XGET '10.245.30.45:9200/_xpack/security/_authenticate?pretty'
> {
>   "username" : "hello",
>   "roles" : [
>     "testing"
>   ],
>   "full_name" : null,
>   "email" : null,
>   "metadata" : { },
>   "enabled" : true
> }

> testing:
>   run_as: 'hello'
>   cluster:
>     - all
>   indices:
>     - names: 'twitter'
>       privileges:
>         - delete (all - works here, but not delete, or delete_index, wondering why?)

I get this error, is it because of the white space issue?

[2017-05-15T15:45:37,306][ERROR][o.e.x.s.a.s.FileRolesStore] [node-1] failed to parse role [testing]. skipping role...
[2017-05-15T15:45:37,306][INFO ][o.e.x.s.a.s.FileRolesStore] [node-1] updated roles (roles file [/opt/elastic/applications/elasticsearch-5.2.2_bkp/config/x-pack/roles.yml] changed)

Even after the role was added to that user account, it still barfs with user not authorized:

> x-pack]$curl --user hello:hello123 -XDELETE  '10.245.30.45:9200/twitter?pretty'
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "security_exception",
>         "reason" : "action [indices:admin/delete] is unauthorized for user [hello]"
>       }
>     ],
>     "type" : "security_exception",
>     "reason" : "action [indices:admin/delete] is unauthorized for user [hello]"
>   },
>   "status" : 403
> }

P.S.: Even when I set the privileges as below, it didn't work.

>       privileges:
>         - all

And my bad in the previous thread, I had given hello as a role, but actually testing is a role and hello is the user.


(Vijay Ramachandran) #4

Update:

I have corrected this roles.yml now,

>  x-pack]$cat roles.yml
> # The default roles file is empty as the preferred method of defining roles is
> # through the API/UI. File based roles are useful in error scenarios when the
> # API based roles may not be available.
>   testing:
>   run_as: 'hello'
>   cluster:
>     - all
>   indices:
>     - names: 'twitter'
>       privileges:
>        -delete_index

Somehow, I get the same error,

> x-pack]$curl --user hello:hello123 -XDELETE  '10.245.30.45:9200/twitter?pretty'
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "security_exception",
>         "reason" : "action [indices:admin/delete] is unauthorized for user [hello]"
>       }
>     ],
>     "type" : "security_exception",
>     "reason" : "action [indices:admin/delete] is unauthorized for user [hello]"
>   },
>   "status" : 403
> }
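
Added example, not written by any participant in this thread: a small layout check run over the roles.yml from reply #4, showing the two YAML slips in it (a role name with nothing nested under it, and a `-` with no space after it, which YAML reads as a plain string rather than a list item). `lint_roles` and the `FIXED` layout are constructed for illustration; the checks are heuristics, not Elasticsearch's own parser.

```python
import re

# roles.yml as posted in reply #4 (prompt line and comment header omitted).
POSTED = """\
  testing:
  run_as: 'hello'
  cluster:
    - all
  indices:
    - names: 'twitter'
      privileges:
       -delete_index
"""

# Constructed corrected layout (assumption: run_as is not needed for this test).
FIXED = """\
testing:
  cluster:
    - all
  indices:
    - names: 'twitter'
      privileges:
        - delete_index
"""

def lint_roles(text):
    """Return (line_number, message) pairs for YAML layout slips in a roles file."""
    # Keep (line number, indent width, stripped text) for non-blank, non-comment lines.
    rows = [(n, len(l) - len(l.lstrip(" ")), l.strip())
            for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.strip().startswith("#")]
    findings = []
    for i, (n, indent, body) in enumerate(rows):
        # "-x" is a scalar; a sequence entry needs "- x". ("---" is left alone.)
        if re.match(r"-[^\s-]", body):
            findings.append((n, f"'{body}' is a plain string, not a list item"))
        # A bare "key:" must be followed by a deeper line (or a same-level "- " list).
        if body.endswith(":") and not body.startswith("-"):
            nxt = rows[i + 1] if i + 1 < len(rows) else None
            nested = nxt is not None and (
                nxt[1] > indent or (nxt[1] == indent and nxt[2].startswith("- ")))
            if not nested:
                findings.append((n, f"'{body}' has nothing nested under it"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_roles(POSTED):
        print(f"line {line_no}: {message}")
```
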
