Admin role is unauthorized

security

(piyush) #1

Hi Team,
I configured Shield and integrated it with Active Directory, and now my problem is:

I have an admin role (mapped to the gp-ops-es-admin AD group), but it can't access some of the indices and gets an unauthorized error. I believe it should have all access.

    GET _cat/indices
    {
      "error": {
        "root_cause": [
          {
            "type": "security_exception",
            "reason": "action [indices:monitor/stats] is unauthorized for user [es-admin]"
          }
        ],
        "type": "security_exception",
        "reason": "action [indices:monitor/stats] is unauthorized for user [es-admin]"
      },
      "status": 403
    }

role_mapping.yml:

    admin:
      - "CN=gp-ops-es-admin,----

roles.yml:

    # All operations on all indices
    admin:
      cluster:
        - all
      indices:
        - names: '*'
          privileges:
            - all

Thanks & Regards,
Piyush Tekade


(Jay Modi) #2

Hi Piyush,

Can you check the output of GET /_shield/authenticate as that user? Do you see the role listed for that user?

Jay


(piyush) #3

Yes, PFB:
    {
      "username": "es-admin",
      "roles": [
        "admin"
      ],
      "full_name": null,
      "email": null,
      "metadata": {}
    }


(Jay Modi) #4

Is it just the cat indices API?


(piyush) #5

Yes, I am getting results for the below:

GET _cat/indices/filebeat-*
allocation
count
health
master
nodeattrs
nodes


(Jay Modi) #6

What version are you using?


(piyush) #7

ES: 2.3.1

Kibana: 4.5.0


(Jay Modi) #8

This was a bug in Shield 2.3.0 and 2.3.1. It was fixed in 2.3.2 https://www.elastic.co/guide/en/shield/current/release-notes.html#_2_3_2
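
The checks made across this thread (the denied action, the roles resolved for the user, the role definition, the version) can be run as one triage pass. This is an added example, not part of the thread and not Elastic's code; the function names are hypothetical. It assumes roles.yml has already been parsed into a dict, that the Shield version matches the reported ES version, and it only recognises the `all` privilege on `*`.

```python
import json
import re

AFFECTED_SHIELD = {"2.3.0", "2.3.1"}  # versions named in the thread; fixed in 2.3.2
REASON = re.compile(r"action \[(.+?)\] is unauthorized for user \[(.+?)\]")

def denied_action(error_body):
    """Return (action, user) from a security_exception body, else None."""
    err = json.loads(error_body).get("error", {})
    m = REASON.search(err.get("reason", ""))
    if err.get("type") != "security_exception" or m is None:
        return None
    return m.group(1), m.group(2)

def grants_all(role):
    """True if a parsed roles.yml entry gives privilege 'all' on names '*'."""
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        names = [names] if isinstance(names, str) else names
        if "*" in names and "all" in entry.get("privileges", []):
            return True
    return False

def triage(error_body, authenticate_body, roles, shield_version):
    """Walk the thread's checks in order and return a one-line verdict."""
    denied = denied_action(error_body)
    if denied is None:
        return "not a Shield authorization failure"
    action, user = denied
    auth = json.loads(authenticate_body)
    if auth.get("username") != user:
        return "authenticate output belongs to a different user"
    ok = [r for r in auth.get("roles", []) if grants_all(roles.get(r, {}))]
    if not ok:
        return "no resolved role grants all on '*': fix role_mapping.yml or roles.yml"
    if shield_version in AFFECTED_SHIELD:
        return "role '%s' covers %s: known Shield %s bug, upgrade to 2.3.2" % (
            ok[0], action, shield_version)
    return "role '%s' covers %s: denial is not explained by the known bug" % (ok[0], action)

# Sample inputs rebuilt from the values posted in the thread.
ERROR = json.dumps({"error": {"type": "security_exception", "reason":
    "action [indices:monitor/stats] is unauthorized for user [es-admin]"}, "status": 403})
AUTH = json.dumps({"username": "es-admin", "roles": ["admin"]})
ROLES = {"admin": {"cluster": ["all"],
                   "indices": [{"names": "*", "privileges": ["all"]}]}}

if __name__ == "__main__":
    print(triage(ERROR, AUTH, ROLES, "2.3.1"))
```

If the verdict is the "no resolved role" branch, the 403 is a mapping or role-definition problem and an upgrade will not change it.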


(piyush) #9

Thanks Jay...

