Elasticsearch aliases not visible in Kibana Dashboard-xpack by normal user

Dear Team,

I have ELK version - 6.3.1 and installed xpack trial version to check rules and privileges for normal user and admin user.

So I have created an user (user1) with only one indices aliases(event_aliases01), when i tried to login with user1 , i can able to login successfully, but the problem is , when i go Discover section and i choose the index pattern(It is an aliases) and getting below error in the top of the kibana dashboard,

original index name : events_prabhu
Aliases name : event_aliases01
Kibana Index pattern name : event_aliases01

Discover: Failed to derive xcontent

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"Failed to derive xcontent"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"events_prabhu","node":"Auqfigf2SWWqVVWjWPcjGQ","reason":{"type":"x_content_parse_exception","reason":"Failed to derive xcontent"}}],"caused_by":{"type":"x_content_parse_exception","reason":"Failed to derive xcontent","caused_by":{"type":"x_content_parse_exception","reason":"Failed to derive xcontent"}}},"status":400}
at Function.Promise.try (
at Array.map ()
at Function.Promise.map (
at callResponseHandlers (
at processQueue (
at Scope.$digest (
at completeOutstandingRequest (

So when i checked from Elasticsearch error logs i have got below messages,

[2018-12-17T20:07:05,313][DEBUG][o.e.a.s.TransportSearchAction] [Auqfigf] [events_prabhu][1], node[Auqfigf2SWWqVVWjWPcjGQ], [P], s[STARTED], a[id=usM6SkFYSbCPeDLZpXh_qA]: Failed to execute [SearchRequest{searchType=QUERY_THEN_FETCH, indices=[event_aliases01], indicesOptions=IndicesOptions[ignore_unavailable=true, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=true, ignore_aliases=false], types=, routing='null', preference='1545057408841', requestCache=false, scroll=null, maxConcurrentShardRequests=5, batchedReduceSize=512, preFilterShardSize=64, allowPartialSearchResults=true, source={"size":500,"query":{"bool":{"must":[{"match_all":{"boost":1.0}},{"range":{"@timestamp":{"from":1545056525241,"to":1545057425241,"include_lower":true,"include_upper":true,"format":"epoch_millis","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}},"version":true,"_source":{"includes":,"excludes":},"stored_fields":"","docvalue_fields":[{"field":"@timestamp","format":"date_time"},{"field":"enteredDate","format":"date_time"}],"script_fields":{},"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"aggregations":{"2":{"date_histogram":{"field":"@timestamp","time_zone":"Asia/Kolkata","interval":"30s","offset":0,"order":{"_key":"asc"},"keyed":false,"min_doc_count":1}}},"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fragment_size":2147483647,"fields":{"":{}}}}}] lastShard [true]
org.elasticsearch.transport.RemoteTransportException: [Auqfigf][][indices:data/read/search[phase/query]]
Caused by: org.elasticsearch.common.xcontent.XContentParseException: Failed to derive xcontent
at org.elasticsearch.common.xcontent.XContentFactory.xContent(XContentFactory.java:191) ~[elasticsearch-x-content-6.4.2.jar:6.4.2]
at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.evaluateTemplate(SecurityIndexSearcherWrapper.java:262) ~[?:?]
at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.wrap(SecurityIndexSearcherWrapper.java:135) ~[?:?]
at org.elasticsearch.index.shard.IndexSearcherWrapper.wrap(IndexSearcherWrapper.java:76) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1199) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1190) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:616) ~[elasticsearch-6.4.2.jar:6.4.2

Below is my xpack user privileges details,

Could you please help me to fix this issue.

Please don't post images of text as they are hard to read, may not display
correctly for everyone, and not searchable. Also, please don't post unformatted logs as these are very hard to read.

Instead paste the text and format it with </> icon, and check the preview window to make sure it's properly formatted before posting it. Also try and describe your issue clearly with words or using example API calls, in your case the output of GET /_xpack/security/role/Test-Role2-aliases

This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Your "Granted Documents Query" needs to be an actual Elasticsearch Query in JSON format.

"events" is meaningless there.

Thanks Tim, After removed document type its worked.I have one query,

can we restrict index patterns to particular users, right now all users can see all the index pattern.

Hi @praboosingh,

How many different patterns are you thinking about? You can create a separate role that gives the necessary privileges for each of the index patterns and assign this role to the users that need to access that data. Does this look like something that satisfies your use case?

I have 4 index patterns(pattern1,pattern2,pattern3,pattern4) and 3 users(user1,user2,user3) are there.

user1 should have access to - pattern1,pattern2
user2 should have access to - pattern2,pattern3
user3 should have access to - pattern3,pattern4

But here, if user1 logins to kibana, user1 can see all the 4 index pattern like wise for other users as well.

I do not see any privileges from kibana role management console to restrict for index pattern.

Can you please guide me how to restrict index patterns from kibana user/role management.

One more query, I want to restrict index size for every 25GB, if the index size reached 25GB, it has to create new index.Could you please help.

Create one role per index pattern and then give each user access to the appropriate set off roles.

I de not believe this is possible out of the box. You may need to handle this at the application layer.

Thanks Christian, i have tried but no luck, below screenshot has the details,

test1 user has restricted to events_nested1 index pattern, but when loggd in with test1 user we can see three index pattern are visible.

If you are looking to restrict access to index patterns and visualisations/dashboards and not just the data in the indices, you should look at Kibana Spaces and how you can use this together with security. This will however require an upgrade to the latest version.

Thanks Christian, I will upgrade and check it.

Can you help me for how to limit shard data size for an index., do we need to put a parameter in logstash template or somewhere

I do not think you can do it through Logstash either. You may need to use a custom external process that periodically checks and takes action.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.