Hello,
I'm experiencing user authentication issues for a custom user and roles with X-Pack security.
I'm using the Elasticsearch REST API for the user, roles, etc. setup (not using Kibana).
Responses with errors when checking cluster health and indices with REST API:
...security_exception, "reason":"action [cluster:monitor/health] is unauthorized for user [estester]" ... "status":403
...security_exception, "reason":"action [indices:monitor/settings/get] is unauthorized for user [estester]" ... "status":403
Question: where and how do these "action [cluster:monitor/health]" and "action [indices:monitor/settings/get]" need to be set up or configured?
The details are below.
I installed Elasticsearch 7.8.0, basic license (elasticsearch-7.8.0-linux-86_64.tar.gz) on RHEL 5.11.
Initial configuration: 2-node cluster for a PoC; one is master, one is data; X-Pack security disabled in the ES .yml file.
This initial ES cluster setup worked well. With no security set up I was able to monitor the cluster (health, etc.) and create/read/write/delete indices with the curl REST API.
My ES security configuration with X-Pack and RBAC user setup
I ran this command on the master node
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
and the file elastic-certificates.p12 was generated in the .../config folder.
I copied it to the .../config folder of the data node.
I enabled security in the ES .yml on the master and data nodes
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Generated passwords for the built-in users (elastic, etc.) by running the following command on the master node
bin/elasticsearch-setup-passwords auto
Restarted nodes.
I was able to use REST API to monitor the cluster health, etc. successfully as "elastic" superuser, like
curl -u elastic:el_pwd -XGET "host:port/_cluster/health"
Created a new custom role "tester_role" with certain privileges
curl -u elastic:el_pwd -XPOST "host:port/_security/role/tester_role" -H 'Content-Type: application/json' -d'
{"cluster": ["monitor","manage_index_templates"],
"indices": [{"names": ["*"], "priviliges": ["all"]}]}'
Created a new custom user "estester" (using the native realm) and then assigned the role "tester_role" to it
curl -u elastic:el_pwd -XPOST "host:port/_security/role_mapping/mapping1" -H 'Content-Type: application/json' -d'
{
"roles": ["tester_role"],
"enabled": true,
"rules": {"field": { "username": "estester"}}
}'
Checked the new user, role and privileges assigned to the role; everything was as expected.
Issue 1 when checking cluster health:
curl -u estester:estester_pwd -XGET "host:port/_cluster/health?pretty"
response: { error... root_cause.. security_exception, "reason":"action [cluster:monitor/health] is unauthorized for user [estester]" ... "status":403
Issue 2 when checking indices:
curl -u estester:estester_pwd -XGET "host:port/_cat/indices?h=index"
response: { error... root_cause.. security_exception, "reason":"action [indices:monitor/settings/get] is unauthorized for user [estester]" ... "status":403
I looked at the REST API security docs, did some research and did not find any specifics/bugs/issues in regards to my issue.
Any ideas, hints or prompts about what might be done to address the issue will be appreciated.
Thanks in advance
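One way to see which roles and privileges the cluster actually resolves for estester, as an added example that is not part of the original post: it interprets the responses of GET /_security/_authenticate and /_security/user/_has_privileges. The sample responses and the realm name are constructed, the helper names are hypothetical, and host:port and the passwords are the post's placeholders.

```python
import base64
import json
import urllib.request

# Privileges the post's tester_role is meant to grant (request body for _has_privileges).
REQUESTED = {"cluster": ["monitor", "manage_index_templates"],
             "index": [{"names": ["*"], "privileges": ["all"]}]}


def es_call(base_url, user, password, path, body=None):
    """Send a basic-auth request (GET without body, POST with) and return parsed JSON."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, headers={
        "Authorization": "Basic " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def missing_roles(authenticate, expected):
    """Expected roles that the cluster did not resolve for the authenticated user."""
    return sorted(set(expected) - set(authenticate.get("roles", [])))


def denied(has_privileges):
    """Flatten a _has_privileges response into the privileges answered false."""
    out = [f"cluster:{p}" for p, ok in has_privileges.get("cluster", {}).items() if not ok]
    for name, privs in has_privileges.get("index", {}).items():
        out += [f"index:{name}:{p}" for p, ok in privs.items() if not ok]
    return sorted(out)


def diagnose(authenticate, has_privileges, expected_roles):
    """Summarise what the user is missing relative to the intended setup."""
    return {"user": authenticate["username"],
            "missing_roles": missing_roles(authenticate, expected_roles),
            "denied": denied(has_privileges)}


# Constructed responses (not captured from the poster's cluster): a user with no roles.
SAMPLE_AUTH = {"username": "estester", "roles": [], "enabled": True,
               "authentication_realm": {"name": "native1", "type": "native"}}
SAMPLE_PRIVS = {"username": "estester", "has_all_requested": False,
                "cluster": {"monitor": False, "manage_index_templates": False},
                "index": {"*": {"all": False}}}

if __name__ == "__main__":
    # Live: es_call("http://host:port", "estester", "estester_pwd", "/_security/_authenticate")
    # and es_call(..., "/_security/user/_has_privileges", REQUESTED) replace the samples.
    print(json.dumps(diagnose(SAMPLE_AUTH, SAMPLE_PRIVS, ["tester_role"]), indent=2))
```

A non-empty "missing_roles" means the role never reached the user, while an empty one with entries under "denied" points at the role definition itself.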