Getting access denied in Kibana with x-pack monitoring only enabled


#1

Hi,

I am running ES 5.5.1 on Windows 2008 R2, with the Readonlyrest free version and X-Pack monitoring only enabled (all other features disabled). I am able to get into the Kibana Dev console using the id/pwd that I have set up in Readonlyrest. I have also updated kibana.yml with the proper id/pwd and set the monitoring user id/pwd.

elasticsearch.username: "kibana"
elasticsearch.password: "kibana22"
xpack.monitoring.elasticsearch.username: "kibana"
xpack.monitoring.elasticsearch.password: "kibana22"

But I am getting the error below when I click on the Monitoring tab. Since I have X-Pack security disabled, why am I getting this error? Can anyone please help me understand what is wrong with this setup?

Access Denied
You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the `kibana_user` and `monitoring_user` roles.
If you are attempting to access a dedicated monitoring cluster, this might be because you are logged in as a user that is not configured on the monitoring cluster.

Thanks!


(Tim Vernum) #2

You are getting this error because Readonlyrest places restrictions on which users can perform which actions.
X-Pack monitoring is designed to work with clusters that have

  • no security enabled, or
  • X-Pack Security

So, when X-Pack monitoring receives access denied errors from Elasticsearch, it detects those, assumes that they are being triggered by X-Pack security, and provides instructions about how you can configure X-Pack security to enable access to monitoring.

We do not test or support running any X-Pack components with 3rd party security plugins.
If you want to make it work with Readonlyrest then you'll need to talk to them about how you can enable access to the REST endpoints that monitoring relies on.

Be warned though, that you are likely to run into more issues like this, particularly as you install Elasticsearch upgrades. X-Pack monitoring is designed to work out-of-the-box with X-Pack security, and we make sure that the components evolve together so that you keep getting the best possible experience as you upgrade and enable new features. We cannot offer any such guarantees with 3rd party plugins.


#3

Tim, thanks for the details. But the user id that I am using does not have any block rules. So I don't think there are any restrictions being imposed by Readonlyrest for this id. So when using such a user id, shouldn't it be the same as running the 1st option that you have specified, i.e. no security?


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.