I've used shield and protected my elasticsearch indexes.
It also asks for credentials when I start kibana.
But when I login using credentials I've configured,
following error is displayed.
Courier Fetch Error: unhandled error Error: [security_exception] action [indices:data/read/mget] is unauthorized for user [chirag]
Please suggest a solution.
Have you configured Kibana to work with Shield per the instructions here?:
https://www.elastic.co/guide/en/kibana/current/production.html#configuring-kibana-shield
@Bargs I have 2 roles for which I want to set role based access.
1) Manager 2) Developer
I've created these two roles along with kibana4-server role,
Following is my roles.yml file,
# All cluster rights
# All operations on all indices
admin:
cluster: all
indices:
'*':
privileges: all
# monitoring cluster privileges
# All operations on all indices
power_user:
cluster: monitor
indices:
'*':
privileges: all
# Read-only operations on indices
manager:
indices:
'*':
privileges: all
developer:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'wosiindex2':
privileges: indices:data/read/mget, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get
# Defines the required permissions for transport clients
transport_client:
cluster:
- cluster:monitor/nodes/liveness
#uncomment the following for sniffing
#- cluster:monitor/state
# The required permissions for kibana 4 users.
kibana4:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'*':
privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create
# The required permissions for the kibana 4 server
kibana4_server:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'.kibana':
privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create
# The required role for logstash users
logstash:
cluster: indices:admin/template/get, indices:admin/template/put
indices:
'logstash-*':
privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index
'*':
privileges: all
# Marvel user role. Assign to marvel users.
marvel_user:
indices:
'.marvel-es-*':
privileges: read
'.kibana':
privileges: indices:admin/exists, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search
# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
cluster: indices:admin/template/put, indices:admin/template/get
indices:
'.marvel-es-*':
privileges: all
kibana.yml file is as follows,
elasticsearch.username: kibana4-server
elasticsearch.password: abc123
kibana_elasticsearch_username: kibana4-server
kibana_elasticsearch_password: abc123
esusers list command shows,
D:\Users\elasticsearch-2.1.0\bin> shield\esusers list
aviral : developer
logstash : logstash
chirag : manager
kibana4-server : kibana4_server
I have created two indices namely wosiindex and wosiindex2
If I log in as chirag, I can see, read both the indices
But If I log in as aviral, the above, Courier Fetch Error: unhandled error Error: [security_exception] action [indices:data/read/mget] error is displayed.
The developer role needs permissions on the .kibana index. The easiest thing to do would be to copy the default kibana4 role, and change '*' to 'wosiindex2' if you want to restrict developer access to only that index. Users with the developer role will still be able to see the list of index patterns configured in Kibana, but they won't be able to access any data in your indices outside of wosiindex2.
Yeah @Bargs
Worked!!!
Thanks for the help.
Need to close this. But unfortunately, there is no option to close.
Awesome! Glad I could help
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.