How can we use RBAC in Elasticsearch 7.1

Hello Team,

Currently we are using ELK version 6.4.4. Everything is working fine as expected. We are not using any X-Pack features because we are using the basic license.

But a few days back Elasticsearch 7.1 came out with free TLS and RBAC on Kibana, so we want to test and use it.

Since yesterday I have been trying to understand how we can implement RBAC, but I am unable to understand how to configure it.

Can we follow the below article:

https://www.elastic.co/guide/en/kibana/7.x/development-security-rbac.html

Please help me with how to do it, so we can start our testing and later enjoy the new features of ELK.

Thanks.

Use https://www.elastic.co/guide/en/kibana/current/development-security-rbac.html and https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html, not the 7.X URL.

Other than that you should be ok

@warkolm, Thank you for your response.

As per the article below, we need to use the Dev Tools of Kibana to implement it.

https://www.elastic.co/guide/en/kibana/current/development-security-rbac.html

Can we use only a single feature of X-Pack, like RBAC alone? Or do we need to use security as well if we want to use RBAC?

Please guide me.

Thanks.

You don't need to use that, you can use the same commands with curl or postman or whatever.

Security is the collection of features, that includes RBAC.

@warkolm,

I have added the lines below to my elasticsearch.yml file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

And I set the passwords for all built-in users. Now when I run any query against my Elasticsearch I need to pass the credentials of the built-in user elastic, like below:

curl -XGET -u elastic:admin@123 http://192.168.56.4:9200/

But after enabling security in Elasticsearch I am not able to log in to the Kibana dashboard. I have added the lines below to my kibana.yml file, which are the Kibana built-in user and the password for that user:

elasticsearch.username: "kibana"
elasticsearch.password: "admin@123"

Now I have the questions below:

  1. Can we add the elastic built-in user and password in the elasticsearch.yml file? If yes, then how?
  2. Why am I unable to log in to the Kibana dashboard using the old credentials? Do I need to install X-Pack on Kibana also?
  3. What will be the changes in Logstash and Beats after using X-Pack?

Please guide me.

Thanks.

Hi,

Did you make the changes in the elasticsearch.yml file? If not, then add the lines below only in this file and remove them from kibana.yml. I wasn't able to test basic RBAC on v7.1.

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

Thanks.

@Balaji,
I have added the lines below to my elasticsearch.yml

I didn't add these lines to the kibana.yml file. Only the built-in user, i.e. kibana, and its password are added in the kibana.yml file:

Please suggest what changes are required.

Thanks.

Did you run the command below after making changes to elasticsearch.yml to create the kibana and other user credentials?

./bin/elasticsearch-setup-passwords interactive

If so, what is the error that you are getting in the log files?

@Balaji,

Yes, I have run the above command; it ran successfully and I have set the passwords for all built-in users using it.

After the above configuration I am getting the error below when I try to access the Kibana dashboard:

message":"Authentication attempt failed: [security_exception] unable to authenticate user [tek] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } }"}

@warkolm, @Balaji,

I am able to access the Kibana dashboard. But I am confused: why am I able to log in to the Kibana dashboard using the elastic built-in user and credentials instead of the user created earlier, which was used before X-Pack was enabled?

But now I am not getting logs on the Kibana dashboard. Can you please help me with what changes are required on the Logstash end?

It seems that Logstash is not sending logs to Elasticsearch after enabling X-Pack on Elasticsearch.

Because I am able to see the old logs in Kibana, it means Kibana is able to communicate with Elasticsearch.

Thanks.

Log in with the elastic user works, because you have set the password for the elastic user with the elasticsearch-setup-passwords command and you're using the correct password. Expected behavior. Now, what is this "user created earlier which is used before xpack enble" and how was it created ?

We can only suggest changes if you share your current configuration with us. If we don't know what you use now, we can't know what you need to change. Assuming that you are using the elasticsearch output plugin in Logstash, please read through our documentation where we explain what needs to be configured. If after reading that and performing the necessary configuration changes, you still have issues, we'll be glad to help further, but do take the time to read through the docs, I'm sure you'll find it enlightening and really helpful for your understanding.

@ikakavas, Thank you for your response.

Below are the changes and configuration we have done:

We have added the 2 lines below to the elasticsearch.yml file:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

And we set the passwords for all built-in users. Now when we query our Elasticsearch we need to pass a built-in user and password, and then it works, as shown below:

curl -XGET -u elastic:admin@123 http://192.168.56.4:9200/

We have added the 2 lines below to our kibana.yml file:

elasticsearch.username: "kibana"
elasticsearch.password: "admin@123"

And now we are able to access the Kibana dashboard using the username elastic and its password. We are able to see the security feature on the dashboard, and we are able to create a new user under Users and log in using that user.

We are able to see the old logs on the Kibana dashboard as well.

But now we are facing the issue that new logs are not reaching the Kibana dashboard. It seems that Logstash is not sending logs to Elasticsearch. We have made the changes below on Logstash:

Added the 2 lines below to logstash.yml

xpack.monitoring.elasticsearch.username: "logstash_internal"
xpack.monitoring.elasticsearch.password: "admin@123"

Below is my Logstash configuration file:

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}


output {
  elasticsearch {
    hosts => ["192.168.56.4:9200"]
    user => "logstash_internal"
    password => "admin@123"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

When I restart the Logstash service I get the error log below:

[2019-06-11T17:52:37,338][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://logstash_internal:xxxxxx@192.168.56.4:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://192.168.56.4:9200/'"}
[2019-06-11T17:52:38,307][WARN ][logstash.outputs.elasticsearch] Error while performing sniffing {:error_message=>"Got response code '401' contacting Elasticsearch at URL 'http://192.168.56.4:9200/_nodes/http'", :class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:80:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:291:in `perform_request_to_url'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:278:in `block in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:373:in `with_connection'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:277:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:164:in `check_sniff'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:157:in `sniff!'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:146:in `block in start_sniffer'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:128:in `until_stopped'", 
"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:144:in `block in start_sniffer'"]}

Can you please help me with what mistake I am making here?

Thanks.

Please read the documentation that I've shared with you already, everything you ask for is written there in detail in section "Configuring Logstash to use Basic Authentication".

@ikakavas, Thank you for your guidance. After following the documentation my problem is fixed.

My mistake was that the logstash_write role and the logstash_internal user were not available in Kibana. After following the documentation I created them and everything became fine.

Thanks.
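
The fix described in the last post, creating the missing role and the `logstash_internal` user, done through the security API with curl as an earlier reply suggests. This is an added example, not code from the thread or from Elastic's documentation; the environment variable names, the `filebeat-*` index pattern and the privilege list are assumptions to adjust.

```shell
#!/usr/bin/env bash
# Added example: create the role and user that Logstash authenticates with.
# Assumed names: ES_URL, ELASTIC_PASSWORD, LOGSTASH_PASSWORD, INDEX_PATTERN.
ES_URL="${ES_URL:-http://192.168.56.4:9200}"  # host taken from the thread
ROLE="logstash_write"                         # role name from the last post
LS_USER="logstash_internal"                   # user name from the thread

# Escape backslashes and double quotes (valid for JSON and curl config files).
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Role body. The privilege list is an assumed starting set; trim after testing.
role_payload() {  # $1 = index pattern, e.g. filebeat-*
  printf '{"cluster":["monitor","manage_index_templates","manage_ilm"],'
  printf '"indices":[{"names":["%s"],' "$1"
  printf '"privileges":["write","create_index","manage","manage_ilm"]}]}'
}

user_payload() {  # $1 = password for logstash_internal
  printf '{"password":"%s","roles":["%s"]}' "$(json_escape "$1")" "$ROLE"
}

# Prints the HTTP status. Credentials reach curl on stdin (-K -), not in argv.
es_call() {  # $1 user, $2 password, $3 method, $4 path, $5 optional JSON body
  printf 'user = "%s:%s"\n' "$1" "$(json_escape "$2")" |
    curl -sS -K - -o /dev/null -w '%{http_code}' -X "$3" \
      -H 'Content-Type: application/json' ${5:+-d "$5"} "$ES_URL$4"
}

apply() {
  : "${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD}"
  : "${LOGSTASH_PASSWORD:?set LOGSTASH_PASSWORD}"
  es_call elastic "$ELASTIC_PASSWORD" PUT "/_security/role/$ROLE" \
    "$(role_payload "${INDEX_PATTERN:-filebeat-*}")"; echo " create role"
  es_call elastic "$ELASTIC_PASSWORD" PUT "/_security/user/$LS_USER" \
    "$(user_payload "$LOGSTASH_PASSWORD")"; echo " create user"
  # 200 here means the 401 from the Logstash log is gone for this account.
  es_call "$LS_USER" "$LOGSTASH_PASSWORD" GET /_security/_authenticate
  echo " authenticate as $LS_USER"
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it with `--apply` after exporting the two passwords. The `monitor` cluster privilege is what permits the `_nodes/http` sniffing request that appears in the log above.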