I'm sending events from logstash 2.0 to ES 2.0 with shield. ES is not accepting any events/logs/requests for the logstash user, though the roles seem correct.
[2015-11-18 06:47:20,876][INFO ][rest.suppressed ] /_bulk Params: {}
ElasticsearchSecurityException[action [indices:data/write/bulk] is unauthorized for user [logstash]]
at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:296)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:270)
at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:131)
at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
I did not make any changes to role_mapping.yml. Here it is:
[root@es1 shield]# cat role_mapping.yml
# Role mapping configuration file which has elasticsearch roles as keys
# that map to one or more user or group distinguished names
#roleA: this is an elasticsearch role
# - groupA-DN this is a group distinguished name
# - groupB-DN
# - user1-DN this is the full user distinguished name
#power_user:
# - "cn=admins,dc=example,dc=com"
#user:
# - "cn=users,dc=example,dc=com"
# - "cn=admins,dc=example,dc=com"
# - "cn=John Doe,cn=other users,dc=example,dc=com"
Maybe we can take a step back and explore something simpler. I just freshly installed Shield to attempt this by creating a Logstash user without anything else added or modified (beyond setting the network.host setting):
Install Elasticsearch 2.0.0
Install Shield and License plugins
Create Logstash user with the existing logstash role:
Create a JSON file to send as part of a manual _bulk payload, which I will call test.json (note: I picked an index name that does not exist so that it can be safely deleted afterward). The \n's (press Enter) are meant to be literally typed by you, and it's important to note that both lines must end with one!
On my side, this worked. Once you can verify that this works, then we can probably start to work backward to figure out what is different so that we can determine why it's not working.
Note: I did not add any keystore settings anywhere because I did not configure SSL/TLS.
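An added example, not part of the original thread: a small POSIX shell script that builds the two-line _bulk payload the answer describes, checks that both lines are newline-terminated before anything is sent, and shows the curl call for the logstash user. The index name logstash-shield-test, the user name, password and URL taken from ES_USER/ES_PASS/ES_URL, and the statement that the default Shield 2.0 logstash role grants write access on logstash-* indices are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the manual _bulk
# test described in the answer above.
#
# Assumptions (not from the page):
#   - the Logstash user was created with the built-in logstash role, e.g.
#       bin/shield/esusers useradd logstash -r logstash
#   - the default Shield 2.0 logstash role grants write/create_index on
#     indices matching logstash-*, so the test index name must match that
#   - ES_URL / ES_USER / ES_PASS default to http://localhost:9200, logstash,
#     changeme

# Write a two-line bulk body: one action line, one document line. printf
# appends "\n" to each line explicitly; ES rejects a bulk body whose last
# line is not newline-terminated. The index name is a constructed one that
# should not already exist.
make_bulk_payload() {
    out="$1"
    index="${2:-logstash-shield-test}"
    printf '{"index":{"_index":"%s","_type":"test","_id":"1"}}\n' "$index" > "$out"
    printf '{"message":"shield bulk test","@timestamp":"2015-11-18T06:47:20Z"}\n' >> "$out"
}

# Return 0 when the file is non-empty, every line (including the last) ends
# with a newline, each line looks like a JSON object, and the line count is
# even (each "index" action line is followed by exactly one source line).
check_bulk_payload() {
    f="$1"
    [ -s "$f" ] || return 1
    # tail -c1 is the final byte; wc -l counts newlines, so 1 means "\n"
    [ $(( $(tail -c1 "$f" | wc -l) )) -eq 1 ] || return 1
    # every line must start with "{" and end with "}"
    [ $(( $(grep -vc '^{.*}$' "$f") )) -eq 0 ] || return 1
    n=$(( $(wc -l < "$f") ))
    [ $(( n % 2 )) -eq 0 ] || return 1
    return 0
}

# Send the payload as the Logstash user. --data-binary is deliberate: curl's
# plain -d strips newlines, which would turn a valid body into a rejected one.
send_bulk() {
    f="$1"
    curl -s -u "${ES_USER:-logstash}:${ES_PASS:-changeme}" \
        -XPOST "${ES_URL:-http://localhost:9200}/_bulk" --data-binary "@$f"
}

# Usage (against a live cluster):
#   make_bulk_payload test.json && check_bulk_payload test.json && send_bulk test.json
# An "is unauthorized for user [logstash]" error after a successful check
# points at roles or the index name, not at the payload format.
```

If the check fails, fix the file before looking at Shield: a rejected body produces a parse error, not the authorization error shown in the question, so a clean payload separates the two problems.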