Monitoring & ML not available: "you should also assign the monitoring_user role."

jetnet · August 21, 2019, 4:41pm

One more issue after upgrade 6.8 -> 7.3

It is not clear how to grant "Stack Monitoring" and "Machine Learning" privileges to an AD group (unmapped_groups_as_roles: true), which already has access to all indices and has all cluster privileges.

There is a message in Kibana "you should also assign the monitoring_user role", but it's not clear how to do that.
Is it something for role_mapping?

Note: a user from that AD group can access all monitoring data, when querying ES directly. Why does Kibana refuse to show the Monitoring page?

Thanks!

Igor_Zaytsev · August 22, 2019, 1:19am

Hey @jetnet!

Some specific features like Monitoring and Machine Learning might require write access to be able to set some config settings.

You will need to map correct roles to specific user groups. Checkout #7 https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-ldap-realm.html for Monitoring example.

You'll need to also map additional roles for Machine Learning features, checkout the relevant build-in roles here: https://www.elastic.co/guide/en/elastic-stack-overview/current/built-in-roles.html

jetnet · August 22, 2019, 6:29am

hello Igor,

as I wrote, I'm using an unmaped AD group as a role, and the role has full index and cluster access.
Are there some restrictions on Kibana 7.x when using unmapped_groups_as_roles: true?

Thanks!
P.S. It's always disappointing, when an upgrade breaks something, that used to work with the previous version

jetnet · August 22, 2019, 11:47am

I added a role-mapping for this group:

POST /_security/role_mapping/myADgroup
{
  "roles": [
    "monitoring_user",
    "machine_learning_admin"
  ],
  "enabled": true,
  "rules": {
    "field": {
      "groups": "CN=myADgroup,OU=Groups,DC=company,DC=com"
    }
  }
}

This fixed the issue.

But the question remains: why wasn't that necessary for Kibana 6.x?

P.S. the wrong "no access" status is still shown in Kibana, even though the Monitoring and ML pages are available now:

Igor_Zaytsev · August 22, 2019, 3:43pm

Glad you got your issue resolved.

New features might come with more flexibility which would require more access.

Please note that the "Privilege Summary" is per Space level. Here is more info: https://www.elastic.co/guide/en/kibana/master/kibana-privileges.html If there are inconsistencies however, please file an issue at https://github.com/elastic/kibana/issues/new?template=Bug_report.md

Hope that helps.

system · September 19, 2019, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Monitoring_user role does not work when assigned to AD-based role mapping Kibana elastic-stack-monitoring , elastic-stack-security	3	320	October 12, 2020
Roles in role_mapping.yml not assigned to ad user Elasticsearch	4	3156	June 12, 2017
Can not open Stack monitoring Elasticsearch elastic-stack-monitoring , elastic-stack-security	46	2504	October 28, 2020
Error accessing elastic monitoring tab on kibana Kibana elastic-stack-monitoring	6	6753	April 24, 2022
No way to set ML access in roles Kibana elastic-stack-machine-learning	6	507	May 27, 2020

Monitoring & ML not available: "you should also assign the monitoring_user role."

Related topics