Login to Kibana indices:data/write/update is unauthorized for user

Elastic Stack Kibana
1

Hi all,

We have started to use x-pack and configured the AD integration according to documentation on elastic website. We have granted read to kibana index for users and necessary permissions for their indices. However time to time they have Error 403 Forbidden: action [indices:data/write/update] is unauthorized for user error and there is no entry on elasticsearch or kibana logs. I am attaching

GET /_xpack/security/role

"identity_team": {
"cluster": [],
"indices": [
{
"names": [
"ldap-",
".kibana"
],
"privileges": [
"monitor",
"read"
],
"field_security": {
"grant": [
"*"
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}

and

GET /_xpack/security/user

{
"logstash_internal": {
"username": "logstash_internal",
"roles": [
"logstash_writer"
],
"full_name": "Internal Logstash User",
"email": null,
"metadata": {},
"enabled": true
},
"logstash_user": {
"username": "logstash_user",
"roles": [
"logstash_reader"
],
"full_name": "Kibana User",
"email": null,
"metadata": {},
"enabled": true
},
"monuser": {
"username": "monuser",
"roles": [
"remote_monitoring_agent"
],
"full_name": "Monitoring User",
"email": "xxx@yyy.com",
"metadata": {},
"enabled": true
},
"curator": {
"username": "curator",
"roles": [
"index_manager"
],
"full_name": "Curator Automation",
"email": "manager@xxx.com",
"metadata": {},
"enabled": true
},
"elastic": {
"username": "elastic",
"roles": [
"superuser"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"kibana": {
"username": "kibana",
"roles": [
"kibana_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
},
"logstash_system": {
"username": "logstash_system",
"roles": [
"logstash_system"
],
"full_name": null,
"email": null,
"metadata": {
"_reserved": true
},
"enabled": true
}
}

outputs. Also my elasticsearch.yml is

xpack:
  security:
    authc:
      realms:
        file:
          type: file
          order: 0
        native:
          type: native
          order: 1
        active_directory:
          type: active_directory
          order: 2
          domain_name: <my_domain>
          url: ldap://<ad_auth_server>:389
          bind_dn: CN=<es_user>,CN=Users,DC=xx,DC=yyyy,DC=zzz
          bind_password: <es_passwd>
          follow_referrals: false

Any ideas to check.

Thanks.

2

Do you have Elasticsearch audit logging enabled? It might help narrow the problem down a bit;
https://www.elastic.co/guide/en/x-pack/6.2/auditing.html
We don't know what index the error was on, but I'm pretty sure that audit logging would show it.

You included the roles and users but you didn't say what user is having this issue?

3

Hi Lee,

Thanks for the reply. Firstly i am using version 5.6 until i will setup the ssl between components, so i am not sure about audit logging. i will read about it asap.

All the roles from AD are having the problem time to time. Strange thing is AD admins cannot see any error on the logs and the problem is not occuring everytime, but when it is happening it stays at least few hours or sometimes a couple of days.

4

Solved...

AD group names are case sensitive in elastic and recently they change one of the group names. updating the group name solved the problem.

Thank you Lee.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.