Kibana upgrade to 8.9 from 7.17.12 security_exception reindex

Hywelj · August 7, 2023, 2:46pm

So I have upgraded my elasticsearch cluster from 7.17.12 to 8.9 and my cluster is now up and running and in a green health state. When I start 8.9 Kibana I get the following error for multiple .kibana* indices

[INFO ][savedobjects-service][.kibana] CREATE_REINDEX_TEML -> CREATE_REINDEX_TEMP
[ERROR ][savedobjects-service][.kibana] Action failed with 'security_exception Root causes: security_exception: action[indices:admin/block/add] is unauthorized for user [XXX] with effective roles [superuser] on restricted indices [.kibana_7.17.12_001], this action is granted by the index privileges [manage,all]'.

I have tried reducing the hard disk usage to below thresholds as implied here: Locked Out of Kibana Superuser Can't Modify Index Settings but that hasn't done anything.

I've also looked into giving the specific index permissions in the roles.yml file (the allow_restricted_indices permission?) as the error complains about but I cannot figure out how to apply it to a user in the role_mapping.yml (as I'm not using AD, just a simple username/password) and I'm not allowed to modify the superuser role on it's own. I'm not sure how to fix this as I've always used kibana to interact with the cluster and kibana will not start.

I'm also open to completely resetting/deleting the kibana part if needed, I haven't extensively used it yet.

azasypkin · August 14, 2023, 10:21am

Do you use kibana_system as the elasticsearch.username in kibana.yml? Or do you have some special custom user for the Kibana internal system user?

--
Oleg

chinmoy_padhi · August 14, 2023, 3:24pm

Does your Kibana and elasticsearch are on same version? I mean after upgrade are they both in v8.9
I always follow this link as thumbrule whenever I go for any Elasticstack related upgrade

Hywelj · September 4, 2023, 10:08am

I used some of the steps in this post: Resolve migration failures | Kibana Guide [master] | Elastic

to create a role with the allow_restricted_indices permissions true on all kibana* indices, then applied the role to my superuser. Having a superuser without all permissions, yet using the superuser account to give itself full permissions, is honestly one of the most counterintuitive things I have ever encountered.

system · October 2, 2023, 10:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Upgrade Elastic and Kibana from 7.17 to 8.7 - S Kibana elastic-stack-security	7	333	June 9, 2023
Kibana doesn't start properly at upgrade from 7.17.1 to 8.3.2 Kibana	4	812	August 16, 2022
Security_exception: action [indices:admin/create] is unauthorized for user [elasticsearch] with effective roles [superuser] on restricted indices [.kibana_analytics_8.13.4_001], this action is granted by the index privileges [create_index,manage,all]' Kibana	2	282	August 1, 2024
Kibana upgrade from 7 to 8.12 errors with security_exception on saved objects migration Kibana migration	2	213	February 21, 2024
Es-stack 8.1.0 - [security_exception] action [indices:data/read/search] Kibana elastic-stack-monitoring , docker	2	2748	April 23, 2022

Kibana upgrade to 8.9 from 7.17.12 security_exception reindex

Related topics