LDAP authorization in Kibana via X-Pack


(İhsan Koçak) #1

I configured Elasticsearch and Kibana to log in with an LDAP username. I can log in successfully, but after I log in Kibana gives authorization errors like:

```
Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [ihsan]
```

I gave the superuser role to user ihsan, who gets the authorization error. My elasticsearch.yml is:

```yaml
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "ldap://x.x.x.x:389"
          bind_dn: "uid=xxx,ou=xxx,o=xxx"
          bind_password: "xxx"
          user_search:
            base_dn: "o=xxx"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false
cluster.name: jira
node.name: node1
```

rolemapping.yml (in Elasticsearch):

```yaml
superuser:
  - "cn=xxx,ou=xxx,o=xxx"
```

roles.yml in Elasticsearch is empty because I use the superuser role, which is a built-in role.

I installed X-Pack in both Elasticsearch and Kibana. The Kibana X-Pack login page exists, and I can even log in with LDAP user ihsan, but the role configuration in rolemapping.yml in Elasticsearch is not working. Do you have any idea?


(kulkarni) #2

Hi,

Do you see any errors in your Elasticsearch logs about invalid roles? Can you turn up the log level to DEBUG and post the full stack trace? Also check this to see if you can gather more info:

https://www.elastic.co/guide/en/x-pack/current/security-troubleshooting.html#_ldap

Thanks
Rashmi


(İhsan Koçak) #3

Note: because of the character limit I replied in several replies.
I set the log level to DEBUG. While Elasticsearch is starting, it gives this error (my system is Windows):
```
[2017-05-26T08:42:56,966][DEBUG][o.e.x.s.t.n.SecurityNetty4Transport] [node1] binding server bootstrap to: [127.0.0.1, ::1]
[2017-05-26T08:42:56,997][DEBUG][i.n.c.DefaultChannelId ] -Dio.netty.processId: 12144 (auto-detected)
[2017-05-26T08:42:56,997][DEBUG][i.n.u.NetUtil ] -Djava.net.preferIPv4Stack: false
[2017-05-26T08:42:56,997][DEBUG][i.n.u.NetUtil ] -Djava.net.preferIPv6Addresses: false
[2017-05-26T08:42:57,060][DEBUG][i.n.u.NetUtil ] Loopback interface: lo (Software Loopback Interface 1, 127.0.0.1)
[2017-05-26T08:42:57,060][DEBUG][i.n.u.NetUtil ] Failed to get SOMAXCONN from: \proc\sys\net\core\somaxconn
java.security.AccessControlException: access denied ("java.io.FilePermission" "\proc\sys\net\core\somaxconn" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source) ~[?:1.8.0_131]
at java.security.AccessController.checkPermission(Unknown Source) ~[?:1.8.0_131]
at java.lang.SecurityManager.checkPermission(Unknown Source) ~[?:1.8.0_131]
at java.lang.SecurityManager.checkRead(Unknown Source) ~[?:1.8.0_131]
at java.io.File.exists(Unknown Source) ~[?:1.8.0_131]
at io.netty.util.NetUtil$1.run(NetUtil.java:265) ~[?:?]
at io.netty.util.NetUtil$1.run(NetUtil.java:251) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at io.netty.util.NetUtil.<clinit>(NetUtil.java:251) ~[?:?]
at io.netty.util.internal.MacAddressUtil.bestAvailableMac(MacAddressUtil.java:50) ~[?:?]
at io.netty.util.internal.MacAddressUtil.defaultMachineId(MacAddressUtil.java:138) ~[?:?]
at io.netty.channel.DefaultChannelId.<clinit>(DefaultChannelId.java:99) ~[?:?]
at io.netty.channel.AbstractChannel.newId(AbstractChannel.java:107) ~[?:?]
at io.netty.channel.AbstractChannel.<init>(AbstractChannel.java:79) ~[?:?]
at io.netty.channel.nio.AbstractNioChannel.<init>(AbstractNioChannel.java:84) ~[?:?]
at io.netty.channel.nio.AbstractNioMessageChannel.<init>(AbstractNioMessageChannel.java:42) ~[?:?]
at io.netty.channel.socket.nio.NioServerSocketChannel.<init>(NioServerSocketChannel.java:86) ~[?:?]
at io.netty.channel.socket.nio.NioServerSocketChannel.<init>(NioServerSocketChannel.java:72) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Unknown Source) ~[?:1.8.0_131]
at java.lang.Class.newInstance(Unknown Source) ~[?:1.8.0_131]
at io.netty.channel.ReflectiveChannelFactory.newChannel(ReflectiveChannelFactory.java:38) ~[?:?]
at io.netty.bootstrap.AbstractBootstrap.initAndRegister(AbstractBootstrap.java:321) ~[?:?]
at io.netty.bootstrap.AbstractBootstrap.doBind(AbstractBootstrap.java:283) ~[?:?]
at io.netty.bootstrap.AbstractBootstrap.bind(AbstractBootstrap.java:279) ~[?:?]
at org.elasticsearch.transport.netty4.Netty4Transport.bind(Netty4Transport.java:427) ~[?:?]
at org.elasticsearch.transport.netty4.Netty4Transport.bind(Netty4Transport.java:94) ~[?:?]
at org.elasticsearch.transport.TcpTransport.lambda$bindToPort$2(TcpTransport.java:743) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.common.transport.PortsRange.iterate(PortsRange.java:73) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.transport.TcpTransport.bindToPort(TcpTransport.java:741) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.transport.TcpTransport.bindServer(TcpTransport.java:725) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.transport.netty4.Netty4Transport.doStart(Netty4Transport.java:172) [transport-netty4-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport.doStart(SecurityNetty4Transport.java:74) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.transport.TransportService.doStart(TransportService.java:196) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.node.Node.start(Node.java:685) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:287) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:369) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.4.0.jar:5.4.0]
[2017-05-26T08:42:57,154][DEBUG][i.n.c.DefaultChannelId ] -Dio.netty.machineId: 00:50:56:ff:fe:ab:2d:f0 (auto-detected)
```


(İhsan Koçak) #4

After Elasticsearch started, when I browse to localhost:9200 it gives this (an authentication prompt for username and password pops up):
```
[2017-05-26T09:19:08,421][DEBUG][r.suppressed ] path: /, params: {}
org.elasticsearch.ElasticsearchSecurityException: missing authentication token for REST request [/]
at org.elasticsearch.xpack.security.support.Exceptions.authenticationError(Exceptions.java:39) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler.missingToken(DefaultAuthenticationFailureHandler.java:69) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$AuditableRestRequest.anonymousAccessDenied(AuthenticationService.java:566) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$handleNullToken$14(AuthenticationService.java:331) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.handleNullToken(AuthenticationService.java:336) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:258) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$5(AuthenticationService.java:234) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:247) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:194) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:212) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:224) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:190) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:147) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:100) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.rest.SecurityRestFilter.handleRequest(SecurityRestFilter.java:78) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:260) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:199) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:504) [transport-netty4-5.4.0.jar:5.4.0]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:72) [transport-netty4-5.4.0.jar:5.4.0]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:63) [transport-netty4-5.4.0.jar:5.4.0]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
```


(İhsan Koçak) #5

When I start Kibana it gives many log lines like this:

```
[2017-05-26T09:23:08,383][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] realm [reserved] authenticated user [elastic], with roles [[superuser]]
```

When I browse to localhost:5601 the X-Pack authentication page comes up and the Elasticsearch log gives this:
```
[2017-05-26T09:25:08,517][DEBUG][r.suppressed ] path: /_xpack/security/_authenticate, params: {}
org.elasticsearch.ElasticsearchSecurityException: missing authentication token for REST request [/_xpack/security/_authenticate]
at org.elasticsearch.xpack.security.support.Exceptions.authenticationError(Exceptions.java:39) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler.missingToken(DefaultAuthenticationFailureHandler.java:69) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$AuditableRestRequest.anonymousAccessDenied(AuthenticationService.java:566) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$handleNullToken$14(AuthenticationService.java:331) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.handleNullToken(AuthenticationService.java:336) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:258) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$5(AuthenticationService.java:234) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:247) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:194) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:212) ~[x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:224) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:190) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:147) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:100) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.rest.SecurityRestFilter.handleRequest(SecurityRestFilter.java:78) [x-pack-5.4.0.jar:5.4.0]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:260) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:199) [elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:504) [transport-netty4-5.4.0.jar:5.4.0]
at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:72) [transport-netty4-5.4.0.jar:5.4.0]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:63) [transport-netty4-5.4.0.jar:5.4.0]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.9.Final.jar:4.1.9.Final]
```


(İhsan Koçak) #6

When I enter my LDAP credentials it gives these (it authenticates me but does not authorize me):
```
[2017-05-26T09:27:28,528][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [xxx] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:28,529][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] user [xxx] not found in cache for realm [ldap1], proceeding with normal authentication

...
[2017-05-26T09:27:34,001][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node1] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]
[2017-05-26T09:27:34,002][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node1] the roles [[]], are mapped from the user [uid=xxx,ou=xxx,o=xxx] for realm [ldap/ldap1]
[2017-05-26T09:27:34,003][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [xxx], with roles [[]]
[2017-05-26T09:27:34,043][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [netikocak] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,045][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [xxx], with roles [[]]
[2017-05-26T09:27:34,054][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [netikocak] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,057][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [xxx], with roles [[]]
[2017-05-26T09:27:34,058][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [xxx] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,073][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [netikocak], with roles [[]]
[2017-05-26T09:27:34,073][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] realm [reserved] authenticated user [elastic], with roles [[superuser]]
[2017-05-26T09:27:34,079][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [netikocak] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,080][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [netikocak], with roles [[]]
[2017-05-26T09:27:34,183][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [netikocak] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,183][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [netikocak] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,202][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [xxx], with roles [[]]
[2017-05-26T09:27:34,203][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [xxx], with roles [[]]
[2017-05-26T09:27:34,330][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [xxx] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,334][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [xxx], with roles [[]]
[2017-05-26T09:27:34,337][DEBUG][r.suppressed ] path: /.kibana/config/5.4.0, params: {index=.kibana, id=5.4.0, type=config}
org.elasticsearch.ElasticsearchSecurityException: action [indices:data/read/get] is unauthorized for user [xxx]
at org.elasticsearch.xpack.security.support.Exceptions.authorizationError(Exceptions.java:45) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.denialException(AuthorizationService.java:459) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.denial(AuthorizationService.java:430) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:244) ~[?:?]
at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest$4(SecurityActionFilter.java:190) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:127) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:121) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:109) ~[?:?]
at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:205) ~[?:?]
at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:181) ~[?:?]
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:59) ~[elasticsearch-5.4.0.jar:5.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:192) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$2(AuthenticationService.java:212) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:224) ~[?:?]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:190) ~[?:?]
...
at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:117) ~[?:?]
at
[2017-05-26T09:27:34,461][DEBUG][o.e.x.s.a.e.ReservedRealm] [node1] user [netikocak] not found in cache for realm [reserved], proceeding with normal authentication
[2017-05-26T09:27:34,505][DEBUG][o.e.x.s.a.l.LdapRealm ] [node1] realm [ldap1] authenticated user [netikocak], with roles [[]]
```

As you can see, my realm name in the LDAP config in elasticsearch.yml is ldap1:

```yaml
xpack:
  security:
    authc:
      realms:
        ldap1:
          type: ldap
          order: 0
          url: "xxx"
          bind_dn: "uid=xxx,ou=xxx,o=xxx"
          bind_password: "xxx."
          user_search:
            base_dn: "o=xxx"
          files:
            role_mapping: "role_mapping.yml"
          unmapped_groups_as_roles: false
```


(Tim Vernum) #7

@Ihsan_Kocak, it looks like you turned on DEBUG for the whole server. That generates a lot of logging, far more than you really need.

For future reference, when debugging authentication issues, you only need to turn on DEBUG for the authentication modules within X-Pack. You do that as follows:

```bash
curl -H "Content-Type: application/json" -XPUT -uelastic 'http://localhost:9200/_cluster/settings' -d'
{
    "transient" : {
        "logger.org.elasticsearch.xpack.security.authc" : "DEBUG"
    }
}'
```

The key part of your log that explains what is happening is here:

```
[2017-05-26T09:27:34,001][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node1] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]
[2017-05-26T09:27:34,002][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [node1] the roles [[]], are mapped from the user [uid=NETIKOCAK,ou=danisman,o=thy] for realm [ldap/ldap1]
```

This tells us:

  • Your user has no groups
  • Your user has the DN uid=NETIKOCAK,ou=danisman,o=thy
  • But no roles are mapped for that user.

In your first post you gave the contents of your role_mapping.yml file as:

```yaml
superuser:
  - "cn=IHSAN,ou=xxx,o=xxx"
```

From what you've supplied, it appears that you are logging in as NETIKOCAK, but you've only configured roles for IHSAN.


(İhsan Koçak) #8

Actually, cn=IHSAN and uid=NETIKOCAK are the same LDAP account. I also tried

```yaml
superuser:
  - "uid=xxx,ou=xxx,o=xxx"
```

but it also did not work.


(Tim Vernum) #9

They might be the same account, but they are not the same DN. The values you enter into the role-mapping file are textual DNs; they have to match precisely whatever the LDAP server uses as the DN when ES authenticates.

You're going to have to provide more information than that. I can't guess what the problem is, you need to provide the exact details including logs.
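As an added example (not code from the thread, from Elastic, or from X-Pack), the script below models what Tim describes in #7 and #9: the file-based mapper treats the entries in role_mapping.yml as textual DNs and looks up the authenticated user's own DN (and any group DNs) against them, so a mapping keyed on `cn=IHSAN,ou=xxx,o=xxx` yields no roles for a user the realm authenticated as `uid=NETIKOCAK,ou=danisman,o=thy`, even though both name the same account. The YAML reader is a deliberately minimal one for the two-line layout posted above, and the DN normalization (lower-casing attribute types and caseIgnore values, trimming whitespace around separators) is an assumption about how the comparison behaves; a byte-exact compare reaches the same verdict for every case shown here.

```python
"""Model of file-based LDAP role mapping: which roles does a user's DN pick up?

Added example, not the thread's or X-Pack's own code.  Assumptions:
  * role_mapping.yml uses the "role:" / '  - "dn"' layout shown in the thread;
  * DNs compare equal after normalizing attribute-type case, caseIgnore value
    case (cn, uid, ou, o) and whitespace around ',' and '=' (multi-valued RDNs
    with '+' and escaped commas are out of scope for this toy normalizer).
"""
from collections import defaultdict

# Constructed sample: the mapping from the first post, keyed on a cn= DN.
ROLE_MAPPING_CN = """\
superuser:
  - "cn=IHSAN,ou=xxx,o=xxx"
"""

# Constructed sample: the same role, keyed on the DN the realm actually logged.
ROLE_MAPPING_UID = """\
superuser:
  - "uid=NETIKOCAK,ou=danisman,o=thy"
"""

# The DN printed by the DnRoleMapper debug line quoted in post #7.
USER_DN = "uid=NETIKOCAK,ou=danisman,o=thy"


def normalize_dn(dn):
    """Canonical form for comparison (assumed rule, see module docstring)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def parse_role_mapping(text):
    """Read the minimal 'role:' / '  - "dn"' layout into {normalized_dn: [roles]}.

    The lookup key is the DN, mirroring how the mapper answers "which roles
    does this DN carry" rather than "which DNs does this role list".
    """
    dn_to_roles = defaultdict(list)
    role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):
            role = line[:-1].strip()
        elif line.startswith("-"):
            if role is None:
                raise ValueError("DN listed before any role: %r" % raw)
            dn = line[1:].strip().strip('"').strip("'")
            dn_to_roles[normalize_dn(dn)].append(role)
        else:
            raise ValueError("unexpected line in role mapping: %r" % raw)
    return dict(dn_to_roles)


def map_roles(dn_to_roles, user_dn, group_dns=()):
    """Mirror the two DnRoleMapper debug lines: roles mapped from the user's
    groups, then roles mapped from the user's own DN.  Returns sorted names."""
    roles = set()
    for group_dn in group_dns:                      # "mapped from these groups"
        roles.update(dn_to_roles.get(normalize_dn(group_dn), []))
    roles.update(dn_to_roles.get(normalize_dn(user_dn), []))  # "from the user"
    return sorted(roles)


if __name__ == "__main__":
    for label, mapping in (("cn-keyed", ROLE_MAPPING_CN), ("uid-keyed", ROLE_MAPPING_UID)):
        roles = map_roles(parse_role_mapping(mapping), USER_DN, group_dns=[])
        print("%s mapping -> roles %s for user [%s]" % (label, roles, USER_DN))
```

Running it prints an empty role list for the cn-keyed mapping and `['superuser']` for the uid-keyed one, which is exactly the difference between the "with roles [[]]" lines above and a working login. Before editing the mapping on a real system, confirm the DN the server returns for the account rather than guessing it: with the OpenLDAP client this is `ldapsearch -x -H <realm url> -D "<bind_dn>" -W -b "<base_dn>" "(uid=<login name>)" dn`, using the same values as the realm's `url`, `bind_dn` and `user_search.base_dn`, and the DN it prints is the string that has to appear in role_mapping.yml.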


(İhsan Koçak) #10

uid,ou,o combination worked. Thank you.


(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.