How to display the documents present in .security index?

Elastic Stack Elasticsearch
1

When I try to fetch all the documents in .security index, getting 403 even with admin user.

http://localhost:9200/.security/_search

{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [es_admin]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [es_admin]"},"status":403}

My goal is see all the users present.

http://localhost:9200/_cat/indices?v - works and gives me the count of users/documents that I have added (i have added 3 users)
health status index pri rep docs.count docs.deleted store.size pri.store.size
green open .security 1 0 3 0 12.2kb 12.2kb

Can someone please help?

2

Hey Sam,

You should be able to use the Shield Users API to list the current users

https://www.elastic.co/guide/en/shield/current/shield-rest.html#shield-users-rest

so you could hit http://localhost:9200/_shield/user and it will return all configured users.

Hope that helps!
Steve

3

Thanks a lot Steve. It works. It doesn't return the admin user name. Is there a way to fetch the admin user name too?

4

Which admin username are you expecting to see returned that you're not?

As a quick guess: It can sometimes be confusing that we have two "built-in" realms - a file based realm, and the native API-based realm. The API will only return users that were created via the API, so if your "admin" user was defined in the File-based realm, it won't be returned.

If possible, I suggest using the API-based realm exclusively!

5

Hi Steve,

Thanks a lot for response.
You are right. I created the admin user using esusers tool and the remaining users I created using the API.
bin/shield/esusers useradd es_admin -r admin

/_shield/user returns every user I have created using the api. Just the admin user is not returned.

Follow up question.
I first installed elastic search and then added shield to it. The moment I added shield, I was not able to make any requests. I read through the documentation and interpreted (probably mis-interpreted) that the admin user has to be created first using the esusers utility only and then the other users can be created using API.
https://www.elastic.co/guide/en/shield/current/enable-basic-auth.html

But you sound like we can use api to create the admin user too in the very beginning too. Is that right? Can you please help me understand this?

6

Indeed, in ES 2.3 and 2.4, you will need to create a file-based administrative user, so you can use the API to create additional users. Depending on your use-case, a good practice might be to create the file-based user, and use it to create a native realm administrative account, then delete the file-based user. This way, you can manage the user, including password changes, etc., via API.

Note that starting in 5.0, Shield will have a built-in admin (elastic) and kibana server user (kibana), which will simplify this process!

7

Hi Steve,

Thanks a lot for your help.

Thanks,
Sam