File-based role management roles.yml

roles.yml is not being loaded and I can't see the entry in GET _security/role. The roles.yml is copied over to all instances. Is there something I'm missing? Any more logs for me to look at of it getting applied?

LOGS:
[2019-06-27T22:43:56,003][INFO ][o.e.x.s.a.s.FileRolesStore] [corehelk-elasticsearch-master-9698f9995-2ckjm] parsed [1] roles from file [/usr/share/elasticsearch/config/roles.yml]

ROLES.YML
logstash_agent:
  indices:
    - names: ['.logstash*']
      privileges:
        - write

The log message you supplied indicates that it is being loaded.

parsed [1] roles from file [/usr/share/elasticsearch/config/roles.yml]

That API only shows roles that were created using the API. There is no API for accessing file-based roles.

Thanks for the information TimV.

If I'm using Kubernetes, where would be the best place to bootstrap roles using the API during deployment?

Currently I have it in the postStart deployment. If I run the deployment multiple times and change the role name for each future deployment, it will create the roles and add the new ones, but then the data node will start to fail and I get the following errors below. The error below is not caused by bootstrapping a superuser. It is caused by doing multiple deployments and changing the role name. When it does start to fail, I would lose the previous roles which I had created and only have what role is currently being created in the postStart deployment.


ERRORS

[2019-07-03T19:00:53,120][WARN ][o.e.g.DanglingIndicesState] [corehelk-elasticsearch-data-0] [[.security-6/2BRrlagYTEe8JvqcWIlRKQ]] can not be imported as a dangling index, as index with same name already exists in cluster metadata
[2019-07-03T19:00:53,196][INFO ][o.e.l.LicenseService ] [corehelk-elasticsearch-data-0] license [44b747d7-2fd5-4e46-b567-6d30723afc81] mode [basic] - valid
[2019-07-03T19:00:53,229][INFO ][o.e.h.n.Netty4HttpServerTransport] [corehelk-elasticsearch-data-0] publish_address {10.244.4.6:9200}, bound_addresses {0.0.0.0:9200}
[2019-07-03T19:00:53,230][INFO ][o.e.n.Node ] [corehelk-elasticsearch-data-0] started
[2019-07-03T19:00:54,004][WARN ][o.e.g.DanglingIndicesState] [corehelk-elasticsearch-data-0] [[.security-6/2BRrlagYTEe8JvqcWIlRKQ]] can not be imported as a dangling index, as index with same name already exists in cluster metadata
[2019-07-03T19:00:55,031][WARN ][o.e.g.DanglingIndicesState] [corehelk-elasticsearch-data-0] [[.security-6/2BRrlagYTEe8JvqcWIlRKQ]] can not be imported as a dangling index, as index with same name already exists in cluster metadata
[2019-07-03T19:00:55,702][WARN ][o.e.g.DanglingIndicesState] [corehelk-elasticsearch-data-0] [[.security-6/2BRrlagYTEe8JvqcWIlRKQ]] can not be imported as a dangling index, as index with same name already exists in cluster metadata


Deployment.yml

lifecycle:
  postStart:
    exec:
      command: ["/bin/sh", "-c", "/usr/share/elasticsearch/bin/elasticsearch-users useradd kibanaadmin -p kibanaadmin -r superuser && sh /usr/share/elasticsearch/scripts/security.sh"]


security.sh

# Create the role and capture only the HTTP status code (-o discards the body, -X sets the method)
STATUSCODE=$(curl -o /dev/null -s -w "%{http_code}\n" -X POST -H "Content-Type: application/json" --user kibanaadmin:kibanaadmin localhost:9200/_xpack/security/role/logstash_agent9 -d '{"indices" : [{"names" : [".logstash*"],"privileges" : ["all"]}]}')
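
The role bootstrap discussed in this thread, written so it can run on every deployment without changing anything once the role exists (an added example, not code from any poster or from Elastic). It assumes credentials arrive in the hypothetical environment variables ES_USER and ES_PASS, for instance from a Kubernetes Secret, instead of being written into the script; ES_URL, ROLE_API and the function names are also assumptions, and the role body is the least-privilege definition from roles.yml above.

```shell
#!/bin/sh
# Added example, not from the thread. ES_URL, ES_USER, ES_PASS, ROLE_API and
# the function names are assumptions; endpoint path and role name come from
# the posts above.
ES_URL="${ES_URL:-http://localhost:9200}"
ROLE_API="${ROLE_API:-_xpack/security/role}"

# http_code METHOD PATH [JSON_BODY]: print only the HTTP status code.
http_code() {
  _method=$1; _path=$2; _body=${3:-}
  if [ -n "$_body" ]; then
    curl -s -o /dev/null -w '%{http_code}' -X "$_method" \
      -H 'Content-Type: application/json' -d "$_body" \
      --user "$ES_USER:$ES_PASS" "$ES_URL/$_path"
  else
    curl -s -o /dev/null -w '%{http_code}' -X "$_method" \
      --user "$ES_USER:$ES_PASS" "$ES_URL/$_path"
  fi
}

# ensure_role NAME JSON_BODY: print "exists", "created" or "failed:<code>".
# Returns non-zero on failure so a caller can stop instead of continuing.
ensure_role() {
  _name=$1; _def=$2
  _code=$(http_code GET "$ROLE_API/$_name")
  case "$_code" in
    200) echo exists; return 0 ;;   # already stored via the API: leave it
    404) ;;                         # not present yet: create it below
    *)   echo "failed:$_code"; return 1 ;;
  esac
  _code=$(http_code PUT "$ROLE_API/$_name" "$_def")
  case "$_code" in
    200|201) echo created ;;
    *)       echo "failed:$_code"; return 1 ;;
  esac
}

# Runs only when called as: sh bootstrap-roles.sh run
if [ "${1:-}" = "run" ]; then
  ensure_role logstash_agent \
    '{"indices":[{"names":[".logstash*"],"privileges":["write"]}]}'
fi
```

The role API creates or updates on PUT, so to enforce the definition on every deployment the GET check can be dropped and the PUT sent unconditionally.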
