Kibana doesn't start properly at upgrade from 7.17.1 to 8.3.2

gerib · July 13, 2022, 11:13pm

Log message(s):

...
... [ERROR][savedobjects-service] [.kibana] Action failed with
  'security_exception: [security_exception] Reason: action [indices:admin/create]
  is unauthorized for user [kibanaserver] with roles [admin] on restricted indices
  [.kibana_8.3.2_001], this action is granted by the index privileges
  [create_index,manage,all]'. ...
...
... [ERROR][savedobjects-service] [.kibana_task_manager] Action failed with
   'security_exception: [security_exception] Reason: action [indices:admin/create]
   is unauthorized for user [kibanaserver] with roles [admin] on restricted indices
   [.kibana_task_manager_8.3.2_001], this action is granted by the index privileges
   [create_index,manage,all]'. ...
...

[Line breaks/spaces added here for readability.]
users_roles contains:

...
admin:kibanaserver
...

roles.yml contains:

admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all
...

I also tried in roles.yml:

...
    - names: [ '*', '.*' ]
...

to no avail.

gerib · July 15, 2022, 9:34am

Solved it. There were different users_roles and roles.yml in the configs of our 9 nodes across 3 servers.

But now the elastic user's password has been reset to ???. And Setting passwords for native and built-in users doesn't work.

I'm feeling like Indiana Jones with this upgrade: one trap door after the other.

LeeDr · July 15, 2022, 2:25pm

Glad you solved it! Yes, your configs need to match across nodes of the same cluster.

gerib · July 19, 2022, 11:12am

The errors occurred again during one of the next (re-)starts and it persisted until we changed users_roles on all 9 nodes from:

admin:...,kibanaserver,...

to:

admin:...
kibana_system:kibanaserver

It remains a mystery to us why it worked when restarting Kibana a few times and suddenly it didn't persistently – with the admin role (and its settings in roles.yml) assigned to kibanaserver. Just a guess: Perhaps an issue of the order of restarting ES nodes and which master node was the previous current master?

system · August 16, 2022, 11:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana upgrade to 8.9 from 7.17.12 security_exception reindex Kibana	4	458	October 2, 2023
Kibana start fail with the error [ERROR][savedobjects-service] [.kibana_task_manager] Action failed with 'security_exception Kibana	1	550	April 19, 2022
Kibana upgrade from 7 to 8.12 errors with security_exception on saved objects migration Kibana migration	2	213	February 21, 2024
Upgrade Elastic and Kibana from 7.17 to 8.7 - S Kibana elastic-stack-security	7	333	June 9, 2023
Security_exception: action [indices:admin/create] is unauthorized for user [elasticsearch] with effective roles [superuser] on restricted indices [.kibana_analytics_8.13.4_001], this action is granted by the index privileges [create_index,manage,all]' Kibana	2	282	August 1, 2024

Kibana doesn't start properly at upgrade from 7.17.1 to 8.3.2

Related topics