I have create a new user but couldn't set a privilege or role to it

vijayramachandran · April 28, 2017, 10:47am

Hi there,

I have installed X-Pack and created a user called vijay, but somehow I couldn't authenticate with that user, I get the below error message. I know that some privilege or role has to be assigned to the user, but I am hitting the bush, couldn't able to find a tidy document which says how to do that.

can you help me with this?

Error : {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [vijay]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [vijay]"},"status":403}

Xavy · April 28, 2017, 12:19pm

HI Vijay:

X-pack includes (for 5.3) two default users kibana and elastic (password changeme by default if you did not change it)

You should be able to log in into Kibana using elastic user, and assign any role you need to that user.

Case you can't log in into kibana because you changed kibana config to use that user to log in into ES, then just change the kibana config back so it uses the kibana user.

vijayramachandran · April 28, 2017, 1:07pm

Thanks for the update.

Alright, but in advance settings in Kibana UI I don't see anything in terms of user, I am using trail license.

TimV · April 28, 2017, 1:14pm

If you have installed X-Pack for Kibana, then you should find a UI to manage Elasticsearch users and roles by navigating to:

Management (the gear icon) on the left hand navigation
At the top of the management page there should be a panel labeled "Elasticsearch" with two options "Users" and "Roles".

vijayramachandran · April 28, 2017, 1:36pm

Sorry this is what I see in my UI,

Xavy · April 28, 2017, 1:45pm

Hi there. May it be that you installed x-pack on elasticsearch, but not on kibana?. You must do it for both products separately (installing on ES does not means having it installed on Kibana).

Please refer to the x-pack doc regarding how to do this.

Case you did intall the kibana x-pack plugin, I would try uninstalling it and installing it over again

vijayramachandran · April 28, 2017, 3:18pm

Thanks it worked!

I have managed to install for Kibana however, I see the user list is fairly new here in Kibana.

Wouldn't the user I created with the command x-pack$./users useradd test -r superuser doesn't appear here?

So, Kibana's X-Pack and Elastic search (plugin x-pack) is totally different is it?

And, will I be able to configure LDAP with Kibana or again I should configure it in elasticsearch.yml, which will reflect in Kibana as well?

Thanks.

TimV · May 1, 2017, 2:08am

The Kibana UI works with files in the native realm, not the file realm. The native realm is the recommended way to store users in Elasticsearch. The file realm is primarily supported to serve as a fallback/recovery realm, and should ideally not be used as a general purpose authentication realm.

No, not totally different. They are a single product, with complimentary features and shared licensing/support, but, as per the installation instructions, you need to install the plugin into each relevant component of the Elastic stack.

No, Kibana does not provide a UI for configuring LDAP realms.

Yes, you should configure it according to the instructions in X-Pack for Elasticsearch, and then Kibana will recognise LDAP users automatically. However, Kibana will not provide any UI for managing the users & roles. You will need to set up role mappings in a file on the Elasticsearch server.

lherrera · May 18, 2017, 12:46pm

Hi Tim,

I have configured LDAP on my elasticsearch cluster. I have created a role for all users to be able to read all indices:

{
"cluster": [ "" ],
"indices": [
{
"names": [ "" ],
"privileges": [ "read" ]
}
]
}

I created this role via the API. Now I need to match this role with all users in LDAP, i thought this is done via
role_mapping.yml so i added:

kibana_user:

"ou=People,dc=moj,dc=com"
user:
"ou=People,dc=moj,dc=com"

But that has no effect. I can login to Kibana with my LDAP user/passwd, but i cannot see anything, and when trying to access EL directly on command line i get this error:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [myUser]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [myUser]"},"status":403}

Please would you be able to help?
How can I make this mapping using the API?

Ta
Laura

lherrera · May 18, 2017, 1:13pm

Hi,

Actually, after adding DEBUG to the auth logs, I saw a problem with the binding of LDAP.
Once i fixed that, i get now this error:

[2017-05-18T13:07:02,590][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [ElasticSearch01] the roles [[]], are mapped from the user [uid=myUser,ou=People,dc=example,dc=com] for realm [ldap/ldap]

[2017-05-18T13:09:42,889][DEBUG][o.e.x.s.a.l.LdapRealm ] [ElasticSearch01] authenticated user [myUser], with roles [[]]

And requesting auth from API:

{"username":"myUser","roles":[],"full_name":null,"email":null,"metadata":{},"enabled":true}

Not finding any roles for the user...

TimV · May 19, 2017, 5:53am

@lherrera, In the future please start a new thread rather than adding your issue to an existing thread.

What is ou=People,dc=moj,dc=com?

In the log you posted, it says that your user DN is uid=myUser,ou=People,dc=example,dc=com

Is there a reason why you are expecting that user to match what you have put in the role mapping file?

system · June 16, 2017, 5:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.