Authentication problem after setting up native realm

So I have the following setup where I run Elasticsearch, Logstash and Kibana all on their own server in a Docker container. It all works fine and I used the latest version 6.1.1 (X-Pack pre-installed).

Then I fixed the passwords for the built-in users (elastic, kibana and logstash_system). Fixed all my YML files and started everything up again. Still going strong.

Now, I changed the security to the native realm, restarted ES and added myself as a user. Worked like a charm. But no more connections to the other servers ??? ES is showing this in the logs:

[2017-12-20T13:57:35,410][INFO ][o.e.x.s.a.AuthenticationService] [es01] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2017-12-20T13:57:35,418][INFO ][o.e.x.s.a.AuthenticationService] [es01] Authentication of [logstash_system] was terminated by realm [reserved] - failed to authenticate user [logstash_system]

And..... Kibana shows a login screen with the text:

Login is currently disabled. Administrators should consult the Kibana logs for more details.

But the logs give a similar problem:

{"type":"log","@timestamp":"2017-12-20T13:59:42Z","tags":["license","warning","xpack"],"pid":1,"message":"License information from the X-Pack plugin could not be obtained from Elasticsearch for the [monitoring] cluster. [security_exception] failed to authenticate user [elastic], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } :: {\"path\":\"/_xpack\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"failed to authenticate user [elastic]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"failed to authenticate user [elastic]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}

Are those built-in users gone now ????

If so, I guess I have to add them to the native realm, but what roles do they have ??


No, switching to the native realm does not have any impact on the builtin users.

My guess is that in the process of changing your configuration to use the native realm (*), you somehow managed to drop your .security-6 index, possibly by removing all the data/ directory, or something like that.
It's just a guess, but given the ephemeral nature of Docker containers, it's easy enough to do such things by accident.

(*) Out of interest, what were you using before the native realm? The default out-of-the-box configuration for X-Pack security provides the native realm and the file realm, so unless you had explicitly configured your own set of realms, the native realm would have been enabled already.

Yes, the .security-6 index was not there.

What I did as well was after I configured a native realm and restarted ES, I went back to run the bin/x-pack/setup-passwords in the ES docker container and used the same passwords again that I had in my config files. Now everything is working again.

Another thing I noticed is that even if you have all the correct roles and settings for a user, if the index has a read only setting like below, it will be impossible to make changes:

"settings": {
  "index": {
    "blocks": {
      "read_only_allow_delete": "true"
    }
  }
}
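
An added example (not code from any poster in this thread): a small Python triage script that parses AuthenticationService lines in the format quoted above and lists the built-in users rejected by the reserved realm, the pattern that in this thread traced back to a missing .security-6 index. The function names are hypothetical, and the last two sample log lines are constructed for illustration.

```python
import re

# Built-in (reserved) users named in the thread.
BUILT_IN_USERS = {"elastic", "kibana", "logstash_system"}

# Matches the AuthenticationService line format quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[o\.e\.x\.s\.a\.AuthenticationService\]\s+"
    r"\[(?P<node>[^\]]+)\]\s+Authentication of \[(?P<user>[^\]]+)\] "
    r"was terminated by realm \[(?P<realm>[^\]]+)\]"
)

# First two lines are from the thread; the last two are constructed sample data.
SAMPLE_LOG = """\
[2017-12-20T13:57:35,410][INFO ][o.e.x.s.a.AuthenticationService] [es01] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2017-12-20T13:57:35,418][INFO ][o.e.x.s.a.AuthenticationService] [es01] Authentication of [logstash_system] was terminated by realm [reserved] - failed to authenticate user [logstash_system]
[2017-12-20T13:57:40,002][INFO ][o.e.x.s.a.AuthenticationService] [es01] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2017-12-20T13:57:41,120][INFO ][o.e.n.Node               ] [es01] started
"""

def summarize_auth_failures(lines):
    """Return {(user, realm): {"count": n, "first": ts, "last": ts}}."""
    summary = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an AuthenticationService termination line
        key = (m["user"], m["realm"])
        entry = summary.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return summary

def reserved_realm_failures(summary):
    """Built-in users rejected by the reserved realm, sorted by name."""
    return sorted(u for (u, realm) in summary if realm == "reserved" and u in BUILT_IN_USERS)

if __name__ == "__main__":
    summary = summarize_auth_failures(SAMPLE_LOG.splitlines())
    for user in reserved_realm_failures(summary):
        print(user, summary[(user, "reserved")])
```

When several built-in users fail in the reserved realm at the same moment, as in the sample, the stored reserved-user credentials are the first thing to check rather than the individual client configurations.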

