Kibana doesn’t work authentication with Shield

munees · March 9, 2016, 6:53am

I have installed and configured ELK (Elasticsearch2.2.0, Logstash2.2.2, and kibana-4.4.1-windows) and updated Elasticsearch with shield plugin to enable authentication. I have craeted new role and user in order to restrict access to specific user to access specific indices. But I got an error that says:

Error: [index_not_found_exception] no such index, with: {"index":"[logstash-*]"}
ErrorAbstract@http://localhost:5601/bundles/kibana.bundle.js?v=9693:74977:20
StatusCodeError@http://localhost:5601/bundles/kibana.bundle.js?v=9693:75139:6
respond@http://localhost:5601/bundles/kibana.bundle.js?v=9693:76344:16
checkRespForFailure@http://localhost:5601/bundles/kibana.bundle.js?v=9693:76307:8
[24]</AngularConnector.prototype.request/<@http://localhost:5601/bundles/kibana.bundle.js?v=9693:74925:8
processQueue@http://localhost:5601/bundles/commons.bundle.js?v=9693:42357:29
scheduleProcessQueue/<@http://localhost:5601/bundles/commons.bundle.js?v=9693:42373:28
$RootScopeProvider/this.$get</Scope.prototype.$eval@http://localhost:5601/bundles/commons.bundle.js?v=9693:43601:17
$RootScopeProvider/this.$get</Scope.prototype.$digest@http://localhost:5601/bundles/commons.bundle.js?v=9693:43412:16
$RootScopeProvider/this.$get</Scope.prototype.$apply@http://localhost:5601/bundles/commons.bundle.js?v=9693:43709:14
done@http://localhost:5601/bundles/commons.bundle.js?v=9693:38158:37
completeRequest@http://localhost:5601/bundles/commons.bundle.js?v=9693:38356:8
requestLoaded@http://localhost:5601/bundles/commons.bundle.js?v=9693:38297:1

There is no problem when accessing with admin account. This is the roles.yml file

stature:
  cluster: 
      - cluster:monitor/nodes/info
      - cluster:monitor/health 
  indices:
    'logstashstature':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

krushnat_khawale · March 9, 2016, 9:56am

Your stack trace says, INDEX NOT FOUND. Its not security error.

munees · March 9, 2016, 10:06am

Actually i have index with index names using * as a wildcard (e.g. logstash-2015.12.21) and also a index with name 'logstashstature' . I created role for accessing that index only (roles.yml).
There is no problem when logging kibana with a user has admin role.

krushnat_khawale · March 9, 2016, 11:17am

@munees But the index clearly says,

To figure it out, create a index starts with logstash- and then try login.

jstar · March 9, 2016, 11:34am

The error you are having is because your configured role is not having access to the default index which is logstash-. I have been playing around with kibana and I noticed that in addition to the .kibana index all users must have access to the index logstash-.
Try sometime like this:

logstashstature:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'logstashstature':
privileges: all
'.kibana':
privileges: all
'logstash-*':
privileges: all

Then create a user on shield with the role logstashstature
That is esusers useradd munees -r logstashstature -p passwordofmunees
Sorry I have updated my answer. The roles has to be logstashstature in the roles.yml file of kibana.

munees · March 9, 2016, 11:44am

I have made this change. now i got new error message on the top of kibana discover window
that says:

Discover: [security_exception] action [indices:data/read/msearch] is unauthorized for user [statureuser]

munees · March 9, 2016, 11:46am

my role name is just stature, is there any need to change that to logstashstature

jstar · March 9, 2016, 12:01pm

I have updated my answer please take a look on the changes.

munees · March 9, 2016, 12:25pm

The same error is still exist

Discover: [security_exception] action [indices:data/read/msearch] is unauthorized for user [munees]

jstar · March 9, 2016, 12:27pm

What are your configuration?

munees · March 9, 2016, 12:29pm

means?

jstar · March 9, 2016, 12:31pm

I means please provide all the configurations that you did.

munees · March 9, 2016, 12:33pm

I just added the role in roles.yml and added user with the role using esusers

jstar · March 9, 2016, 12:39pm

Does the user munees has priviledges for data/read/msearch on all the indices which are in his roles.
that is for the index logstashstucture, .kibana and logstash-*?

munees · March 9, 2016, 12:40pm

already updated privileges: all on all the indices. with the same settings

logstashstature: cluster: - cluster:monitor/nodes/info - cluster:monitor/health indices: 'logstashstature': privileges: all '.kibana': privileges: all 'logstash-*': privileges: all

jstar · March 9, 2016, 12:46pm

Try changing the name of your index maybe the issue is because the name of the index is the same as that of the role. That is change logstashstature to logstashindex.
Then make sure the index logstashindex exist in elasticsearch.
Login and query that index.

munees · March 10, 2016, 4:43am

changed indexname and role name to different.The same error is still exist.

krushnat_khawale · March 21, 2016, 7:01am

Use following permissions,

user_testuser1: 
  indices: 
    'user_testuser1*': 
      privileges: all  
    '.kibana': 
      privileges:  indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update