I have created a new user but couldn't set a privilege or role to it


(Vijay Ramachandran) #1

Hi there,

I have installed X-Pack and created a user called vijay, but somehow I couldn't authenticate with that user; I get the error message below. I know that some privilege or role has to be assigned to the user, but I am hitting the bush and wasn't able to find a tidy document that says how to do that.

Can you help me with this?

Error : {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [vijay]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [vijay]"},"status":403}


(Javier) #2

Hi Vijay:

X-Pack includes (for 5.3) two default users, kibana and elastic (password changeme by default if you did not change it).

You should be able to log in to Kibana using the elastic user, and assign any role you need to that user.

In case you can't log in to Kibana because you changed the Kibana config to use that user to log in to ES, just change the Kibana config back so it uses the kibana user.


(Vijay Ramachandran) #3

Thanks for the update.

Alright, but in the advanced settings in the Kibana UI I don't see anything in terms of users. I am using a trial license.


(Tim Vernum) #4

If you have installed X-Pack for Kibana, then you should find a UI to manage Elasticsearch users and roles by navigating to:

  • Management (the gear icon) on the left hand navigation
  • At the top of the management page there should be a panel labeled "Elasticsearch" with two options "Users" and "Roles".

(Vijay Ramachandran) #5

Sorry this is what I see in my UI,


(Javier) #6

Hi there. Could it be that you installed X-Pack on Elasticsearch, but not on Kibana? You must do it for both products separately (installing it on ES does not mean having it installed on Kibana).

Please refer to the X-Pack docs regarding how to do this.

In case you did install the Kibana X-Pack plugin, I would try uninstalling it and installing it again.


(Vijay Ramachandran) #7

Thanks it worked!

I have managed to install it for Kibana; however, I see the user list is fairly new here in Kibana.

Wouldn't the user I created with the command x-pack$ ./users useradd test -r superuser appear here?

So, Kibana's X-Pack and Elasticsearch (plugin x-pack) are totally different, are they?

And will I be able to configure LDAP with Kibana, or should I again configure it in elasticsearch.yml, which will be reflected in Kibana as well?

Thanks.


(Tim Vernum) #8

The Kibana UI works with files in the native realm, not the file realm. The native realm is the recommended way to store users in Elasticsearch. The file realm is primarily supported to serve as a fallback/recovery realm, and should ideally not be used as a general purpose authentication realm.

No, not totally different. They are a single product, with complementary features and shared licensing/support, but, as per the installation instructions, you need to install the plugin into each relevant component of the Elastic stack.

No, Kibana does not provide a UI for configuring LDAP realms.

Yes, you should configure it according to the instructions in X-Pack for Elasticsearch, and then Kibana will recognise LDAP users automatically. However, Kibana will not provide any UI for managing the users & roles. You will need to set up role mappings in a file on the Elasticsearch server.


(Laura Herrera) #9

Hi Tim,

I have configured LDAP on my elasticsearch cluster. I have created a role for all users to be able to read all indices:

{
"cluster": [ "" ],
"indices": [
{
"names": [ "
" ],
"privileges": [ "read" ]
}
]
}

I created this role via the API. Now I need to match this role with all users in LDAP. I thought this is done via role_mapping.yml, so I added:

kibana_user:
  - "ou=People,dc=moj,dc=com"
user:
  - "ou=People,dc=moj,dc=com"

But that has no effect. I can log in to Kibana with my LDAP user/passwd, but I cannot see anything, and when trying to access EL directly on the command line I get this error:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [myUser]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [myUser]"},"status":403}

Please would you be able to help?
How can I make this mapping using the API?

Ta
Laura


(Laura Herrera) #10

Hi,

Actually, after adding DEBUG to the auth logs, I saw a problem with the binding of LDAP.
Once I fixed that, I now get this error:

[2017-05-18T13:07:02,590][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [ElasticSearch01] the roles [[]], are mapped from the user [uid=myUser,ou=People,dc=example,dc=com] for realm [ldap/ldap]

[2017-05-18T13:09:42,889][DEBUG][o.e.x.s.a.l.LdapRealm ] [ElasticSearch01] authenticated user [myUser], with roles [[]]

And requesting auth from API:

{"username":"myUser","roles":[],"full_name":null,"email":null,"metadata":{},"enabled":true}

Not finding any roles for the user...


(Tim Vernum) #11

@lherrera, In the future please start a new thread rather than adding your issue to an existing thread.

What is ou=People,dc=moj,dc=com?

In the log you posted, it says that your user DN is uid=myUser,ou=People,dc=example,dc=com

Is there a reason why you are expecting that user to match what you have put in the role mapping file?
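The mismatch raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not X-Pack code: a small Python check that compares role_mapping.yml entries with the DN from the DEBUG log. It assumes the file-based mapper matches a user's or group's full DN exactly after normalisation; the function names are hypothetical.

```python
# Added diagnostic sketch; not X-Pack code. Assumes the file-based role mapper
# matches a user's or group's full DN exactly (after normalisation).

def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around each RDN and its '='.

    Simplified: does not handle escaped commas or multi-valued RDNs.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def resolve_roles(role_mapping, user_dn, group_dns=()):
    """Return sorted roles whose mapped DNs equal the user DN or a group DN."""
    principals = {normalize_dn(user_dn)} | {normalize_dn(g) for g in group_dns}
    return sorted(
        role
        for role, dns in role_mapping.items()
        if any(normalize_dn(d) in principals for d in dns)
    )


def explain(role_mapping, user_dn):
    """Describe, per mapped DN, why it does or does not match the user DN."""
    user = normalize_dn(user_dn)
    notes = {}
    for dns in role_mapping.values():
        for d in dns:
            n = normalize_dn(d)
            if n == user:
                notes[d] = "exact match"
            elif user.endswith("," + n):
                notes[d] = "ancestor of the user DN, not an exact match"
            else:
                notes[d] = "different subtree"
    return notes


# The mapping and the user DN as posted in the thread.
POSTED_MAPPING = {
    "kibana_user": ["ou=People,dc=moj,dc=com"],
    "user": ["ou=People,dc=moj,dc=com"],
}
USER_DN = "uid=myUser,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    print(resolve_roles(POSTED_MAPPING, USER_DN))
    print(explain(POSTED_MAPPING, USER_DN))
```

Under the stated assumption, correcting only the domain components would still leave the entry as an ancestor of the user DN rather than an exact match; the entry would have to be the user's own DN or the DN of a group the user belongs to.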

