Kibana upgrade to 8.9 from 7.17.12 security_exception reindex

So I have upgraded my Elasticsearch cluster from 7.17.12 to 8.9, and my cluster is now up and running and in a green health state. When I start 8.9 Kibana I get the following error for multiple .kibana* indices:

[INFO ][savedobjects-service][.kibana] CREATE_REINDEX_TEML -> CREATE_REINDEX_TEMP
[ERROR ][savedobjects-service][.kibana] Action failed with 'security_exception Root causes: security_exception: action[indices:admin/block/add] is unauthorized for user [XXX] with effective roles [superuser] on restricted indices [.kibana_7.17.12_001], this action is granted by the index privileges [manage,all]'.

I have tried reducing the hard disk usage to below thresholds as implied here: Locked Out of Kibana Superuser Can't Modify Index Settings but that hasn't done anything.

I've also looked into giving the specific index permissions in the roles.yml file (the allow_restricted_indices permission?) as the error complains about, but I cannot figure out how to apply it to a user in the role_mapping.yml (as I'm not using AD, just a simple username/password), and I'm not allowed to modify the superuser role on its own. I'm not sure how to fix this, as I've always used Kibana to interact with the cluster and Kibana will not start.

I'm also open to completely resetting/deleting the Kibana part if needed; I haven't extensively used it yet.

Do you use kibana_system as the elasticsearch.username in kibana.yml? Or do you have some special custom user for the Kibana internal system user?


Are your Kibana and Elasticsearch on the same version? I mean, after the upgrade, are they both on v8.9?
I always follow this link as a rule of thumb whenever I do any Elastic Stack related upgrade.

I used some of the steps in this post, Resolve migration failures | Kibana Guide [master] | Elastic, to create a role with the allow_restricted_indices permission set to true on all kibana* indices, then applied the role to my superuser. Having a superuser without all permissions, yet using the superuser account to give itself full permissions, is honestly one of the most counterintuitive things I have ever encountered.
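
As an added example (not from the thread or from Elastic's documentation): Python that builds the role body the last post describes and checks a role listing for grants that can modify restricted indices, so the workaround role can be located after the migration. The role names, the `all` privilege choice, the `.kibana` prefix rule and the sample listing are assumptions constructed for illustration.

```python
import json

# Privileges treated as read-only; anything else on a grant counts as modifying,
# so an unrecognised privilege is flagged rather than ignored.
READ_ONLY = {"read", "monitor", "view_index_metadata", "read_cross_cluster"}
PREFIX = ".kibana"  # assumption: scope taken from the thread's .kibana* indices


def temp_migration_role(pattern=".kibana*", privileges=("all",)):
    """Body for PUT /_security/role/<name>. 'all' is an assumption; the error
    in the thread says the action is granted by manage or all."""
    return {"indices": [{"names": [pattern],
                         "privileges": list(privileges),
                         "allow_restricted_indices": True}]}


def audit_roles(roles):
    """roles: dict shaped like a GET /_security/role response.
    Returns (role, names, privileges, scope) for each grant that can modify
    restricted indices; scope is 'scoped' only if every name starts with PREFIX."""
    findings = []
    for role in sorted(roles):
        for grant in roles[role].get("indices", []):
            privs = sorted(set(grant.get("privileges", [])) - READ_ONLY)
            if not grant.get("allow_restricted_indices") or not privs:
                continue
            names = grant.get("names", [])
            scoped = bool(names) and all(n.startswith(PREFIX) for n in names)
            findings.append((role, names, privs, "scoped" if scoped else "broad"))
    return findings


# Constructed sample; role names are hypothetical.
SAMPLE_ROLES = {
    "kibana_migration_tmp": temp_migration_role(),
    "restricted_reader": {"indices": [{"names": ["*"], "privileges": ["read", "monitor"],
                                       "allow_restricted_indices": True}]},
    "ops_everything": {"indices": [{"names": ["*"], "privileges": ["all"],
                                    "allow_restricted_indices": True}]},
    "app_logs": {"indices": [{"names": ["logs-*"], "privileges": ["write"]}]},
}

if __name__ == "__main__":
    print(json.dumps(temp_migration_role(), indent=2))
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
```

A `scoped` finding is the workaround role itself, which can be deleted once the migration has completed; a `broad` finding grants the same write access to every restricted index.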
