Kibana: Courier Fetch Error: unhandled error Error: [security_exception] action [indices:data/read/mget] is unauthorized for user [chirag]


(Krushnat Khawale) #1

I've used Shield and protected my Elasticsearch indexes.
It also asks for credentials when I start Kibana.
But when I log in using the credentials I've configured,
the following error is displayed.

Courier Fetch Error: unhandled error Error: [security_exception] action [indices:data/read/mget] is unauthorized for user [chirag]

Please suggest a solution.


(Matt Bargar) #2

Have you configured Kibana to work with Shield per the instructions here?:

https://www.elastic.co/guide/en/kibana/current/production.html#configuring-kibana-shield


(Krushnat Khawale) #3

@Bargs I have 2 roles for which I want to set role-based access:
1) Manager 2) Developer

I've created these two roles along with the kibana4-server role.

The following is my roles.yml file:

# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*':
      privileges: all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*':
      privileges: all

# Read-only operations on indices
manager:
  indices:
    '*':
      privileges: all

developer:
  cluster: 
      - cluster:monitor/nodes/info
      - cluster:monitor/health 
  indices:
    'wosiindex2':
      privileges:  indices:data/read/mget, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get


# Defines the required permissions for transport clients
transport_client:
  cluster:
      - cluster:monitor/nodes/liveness
      #uncomment the following for sniffing
      #- cluster:monitor/state

# The required permissions for kibana 4 users.
kibana4:
  cluster: 
      - cluster:monitor/nodes/info
      - cluster:monitor/health 
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '.kibana':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create

# The required role for logstash users
logstash:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
    'logstash-*':
      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index
    '*':
      privileges: all

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    '.marvel-es-*':
      privileges: read
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: indices:admin/template/put, indices:admin/template/get
  indices:
    '.marvel-es-*':
      privileges: all

The kibana.yml file is as follows:

elasticsearch.username: kibana4-server
elasticsearch.password: abc123
kibana_elasticsearch_username: kibana4-server
kibana_elasticsearch_password: abc123

The esusers list command shows:

D:\Users\elasticsearch-2.1.0\bin> shield\esusers list
aviral         : developer
logstash       : logstash
chirag         : manager
kibana4-server : kibana4_server

I have created two indices, namely wosiindex and wosiindex2.

If I log in as chirag, I can see and read both indices.

But if I log in as aviral, the above error, Courier Fetch Error: unhandled error Error: [security_exception] action [indices:data/read/mget], is displayed.


(Matt Bargar) #4

The developer role needs permissions on the .kibana index. The easiest thing to do would be to copy the default kibana4 role, and change '*' to 'wosiindex2' if you want to restrict developer access to only that index. Users with the developer role will still be able to see the list of index patterns configured in Kibana, but they won't be able to access any data in your indices outside of wosiindex2.
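
Added example, not part of the original thread and not Shield's own code: a simplified Python model of the index-privilege check, showing why the posted developer role is refused on .kibana and that the role suggested above passes. The name `developer_fixed`, the helper functions and the use of `fnmatch` for wildcards are assumptions; only the `all` named privilege is modelled.

```python
from fnmatch import fnmatchcase

# Actions the thread's default kibana4 role grants on '.kibana'.
KIBANA_INDEX_ACTIONS = [
    "indices:admin/exists", "indices:admin/mapping/put",
    "indices:admin/mappings/fields/get", "indices:admin/refresh",
    "indices:admin/validate/query", "indices:data/read/get",
    "indices:data/read/mget", "indices:data/read/search",
    "indices:data/write/delete", "indices:data/write/index",
    "indices:data/write/update", "indices:admin/create",
]
# Actions kibana4 grants on data indices ('*' in the default role).
DATA_ACTIONS = [
    "indices:admin/mappings/fields/get", "indices:admin/validate/query",
    "indices:data/read/search", "indices:data/read/msearch",
    "indices:admin/get",
]

# 'indices' sections of the roles, re-typed as {index pattern: privileges}.
ROLES = {
    "manager": {"*": ["all"]},
    # As posted in #3: privileges on wosiindex2 only, nothing on .kibana.
    "developer": {"wosiindex2": DATA_ACTIONS + ["indices:data/read/mget"]},
    # Hypothetical name for the role after #4: kibana4 with '*' -> 'wosiindex2'.
    "developer_fixed": {"wosiindex2": DATA_ACTIONS,
                        ".kibana": KIBANA_INDEX_ACTIONS},
}

def allowed(role, index, action):
    """True if a pattern in the role matches the index and grants the action."""
    for pattern, privileges in ROLES[role].items():
        if fnmatchcase(index, pattern) and any(
                p == "all" or fnmatchcase(action, p) for p in privileges):
            return True
    return False

def missing_kibana_actions(role):
    """Actions on '.kibana' from the kibana4 role that this role lacks."""
    return [a for a in KIBANA_INDEX_ACTIONS
            if not allowed(role, ".kibana", a)]

if __name__ == "__main__":
    for name in ROLES:
        gaps = missing_kibana_actions(name)
        print(name, "ok" if not gaps else "lacks %d actions on .kibana" % len(gaps))
```
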


(Krushnat Khawale) #5

Yeah @Bargs
Worked!!!
Thanks for the help.

Need to close this. But unfortunately, there is no option to close.


(Matt Bargar) #6

Awesome! Glad I could help.

