How to display the documents present in .security index?

sampathkumar23 · September 1, 2016, 9:26pm

When I try to fetch all the documents in .security index, getting 403 even with admin user.

{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [es_admin]"}],"type":"security_exception","reason":"action [indices:data/read/search] is unauthorized for user [es_admin]"},"status":403}

My goal is see all the users present.

http://localhost:9200/_cat/indices?v - works and gives me the count of users/documents that I have added (i have added 3 users)
health status index pri rep docs.count docs.deleted store.size pri.store.size
green open .security 1 0 3 0 12.2kb 12.2kb

Can someone please help?

skearns · September 1, 2016, 9:58pm

Hey Sam,

You should be able to use the Shield Users API to list the current users

https://www.elastic.co/guide/en/shield/current/shield-rest.html#shield-users-rest

so you could hit http://localhost:9200/_shield/user and it will return all configured users.

Hope that helps!
Steve

sampathkumar23 · September 2, 2016, 6:38pm

Thanks a lot Steve. It works. It doesn't return the admin user name. Is there a way to fetch the admin user name too?

skearns · September 2, 2016, 9:25pm

Which admin username are you expecting to see returned that you're not?

As a quick guess: It can sometimes be confusing that we have two "built-in" realms - a file based realm, and the native API-based realm. The API will only return users that were created via the API, so if your "admin" user was defined in the File-based realm, it won't be returned.

If possible, I suggest using the API-based realm exclusively!

sampathkumar23 · September 2, 2016, 10:21pm

Hi Steve,

Thanks a lot for response.
You are right. I created the admin user using esusers tool and the remaining users I created using the API.
bin/shield/esusers useradd es_admin -r admin

/_shield/user returns every user I have created using the api. Just the admin user is not returned.

Follow up question.
I first installed elastic search and then added shield to it. The moment I added shield, I was not able to make any requests. I read through the documentation and interpreted (probably mis-interpreted) that the admin user has to be created first using the esusers utility only and then the other users can be created using API.
https://www.elastic.co/guide/en/shield/current/enable-basic-auth.html

But you sound like we can use api to create the admin user too in the very beginning too. Is that right? Can you please help me understand this?

skearns · September 6, 2016, 2:01am

Indeed, in ES 2.3 and 2.4, you will need to create a file-based administrative user, so you can use the API to create additional users. Depending on your use-case, a good practice might be to create the file-based user, and use it to create a native realm administrative account, then delete the file-based user. This way, you can manage the user, including password changes, etc., via API.

Note that starting in 5.0, Shield will have a built-in admin (elastic) and kibana server user (kibana), which will simplify this process!

sampathkumar23 · September 6, 2016, 3:05pm

Hi Steve,

Thanks a lot for your help.

Thanks,
Sam