I have configured a 7.3.2 single-node cluster with RBAC; the user testuser only has permissions to read indices. If testuser tries to perform an action via an API call to check the cluster health it returns a 403, but I cannot find this event happening in any of the logs (example of what I am doing below). Is there anything else I need to configure for Elasticsearch to log this kind of event?
I have the two lines below in the elasticsearch.yml file:
xpack.security.enabled: true
xpack.security.audit.enabled: true
I also applied these settings via dev tools
PUT /_cluster/settings
{
  "persistent": {
    "xpack.security.audit.logfile.events.include": [
      "run_as_granted",
      "anonymous_access_denied",
      "access_denied",
      "authentication_failed",
      "connection_denied",
      "tampered_request",
      "run_as_denied",
      "run_as_granted"
    ]
  }
}
API call that is returning a 403:
curl -s -XGET -u testuser:Password "http://192.168.0.63:9200/_cluster/health" | jq .
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [cluster:monitor/health] is unauthorized for user [testuser]"
      }
    ],
    "type": "security_exception",
    "reason": "action [cluster:monitor/health] is unauthorized for user [testuser]"
  },
  "status": 403
}
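An added example, not part of the original post and not Elasticsearch's own code, showing what a practitioner would look for once the audit trail is working. In 7.x the audit trail is written by its own log4j appender to a separate JSON-lines file, `<cluster_name>_audit.json`, in the logs directory rather than into the main server log, and each line carries an `event.action` field (for example `access_denied`) together with `user.name` and the transport `action` (here `cluster:monitor/health`). The script below parses such lines, keeps only the denied event types from the `events.include` list above, and counts them per user and action, skipping anything that is not valid JSON. The sample lines are constructed to match that layout and were not captured from a real node; the function names are my own.

```python
import json
from collections import Counter

# Event types from the events.include list in the post that represent a refusal.
DENIED_EVENT_ACTIONS = {
    "access_denied",
    "anonymous_access_denied",
    "authentication_failed",
    "connection_denied",
    "tampered_request",
    "run_as_denied",
}

# Constructed sample lines modelled on the 7.x <cluster_name>_audit.json format.
# They are illustrative only, not output captured from a running cluster.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","timestamp":"2019-09-10T12:00:00,101+0000","node.name":"node-1",'
    '"event.type":"transport","event.action":"access_denied","user.name":"testuser",'
    '"user.realm":"native","user.roles":["read_only"],"origin.type":"rest",'
    '"origin.address":"192.168.0.10:53244","action":"cluster:monitor/health",'
    '"request.name":"ClusterHealthRequest","request.id":"a1"}',
    '{"type":"audit","timestamp":"2019-09-10T12:00:05,210+0000","node.name":"node-1",'
    '"event.type":"transport","event.action":"access_denied","user.name":"testuser",'
    '"user.realm":"native","user.roles":["read_only"],"origin.type":"rest",'
    '"origin.address":"192.168.0.10:53245","action":"cluster:monitor/health",'
    '"request.name":"ClusterHealthRequest","request.id":"a2"}',
    '{"type":"audit","timestamp":"2019-09-10T12:00:09,004+0000","node.name":"node-1",'
    '"event.type":"transport","event.action":"access_granted","user.name":"testuser",'
    '"user.realm":"native","user.roles":["read_only"],"origin.type":"rest",'
    '"origin.address":"192.168.0.10:53246","action":"indices:data/read/search",'
    '"indices":["logs-2019.09"],"request.name":"SearchRequest","request.id":"a3"}',
    '{"type":"audit","timestamp":"2019-09-10T12:00:12,330+0000","node.name":"node-1",'
    '"event.type":"rest","event.action":"authentication_failed","user.name":"testuser",'
    '"origin.type":"rest","origin.address":"192.168.0.10:53247",'
    '"url.path":"/_cluster/health","request.method":"GET","request.id":"a4"}',
    "garbage line that is not JSON and must be skipped",
]


def parse_audit_lines(lines):
    """Parse JSON-lines audit output into dicts, dropping malformed or non-audit lines."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or foreign line should not abort the whole scan
        if isinstance(obj, dict) and obj.get("type") == "audit":
            events.append(obj)
    return events


def denied_events(events, user=None):
    """Return only refusal events, optionally restricted to one user.name."""
    return [
        e
        for e in events
        if e.get("event.action") in DENIED_EVENT_ACTIONS
        and (user is None or e.get("user.name") == user)
    ]


def summarize_denied(events):
    """Count refusals keyed by (user, event.action, transport action).

    REST-layer events such as authentication_failed carry no transport 'action',
    so the URL path is used there instead, falling back to '-'.
    """
    counts = Counter()
    for e in denied_events(events):
        target = e.get("action") or e.get("url.path") or "-"
        key = (e.get("user.name", "<anonymous>"), e.get("event.action"), target)
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for key, n in sorted(summarize_denied(parsed).items()):
        print(f"{n:4d}  user={key[0]}  event={key[1]}  target={key[2]}")
```

Point the parser at the actual `<cluster_name>_audit.json` file (read it line by line) to check whether a 403 like the one above is being recorded at all; if the summary stays empty while the API keeps refusing, the audit appender itself is not writing, which is a node-level configuration problem rather than an `events.include` one.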