Not able to Execute Query with Custom User


(Amit) #1

Hi ,

I have ES 5.2.2 and X-Pack 5.2.2 security with Authentication mechanism:

I have 6 Data Node in cluster. I have created Following Role(yy_elastic_search_role) and User(yy_transport_client) in cluster(native realm).

From 5 Node I am able to execute query, but on one of Node(Node6) I am seeing Exception:

[DEBUG][o.e.a.a.c.n.i.TransportNodesInfoAction] [xxxx-esa32-1] failed to execute on node [e4BtZsc2QqiFhCOVn2qcOg]
 org.elasticsearch.transport.RemoteTransportException: [xxxx-esa32-1][1.1.1.151:7571][cluster:monitor/nodes/info[n]]
Caused by: org.elasticsearch.ElasticsearchSecurityException: action [cluster:monitor/nodes/info[n]] is unauthorized for user [**yy_transport_client**]

But at same time If I assign "SuperUser" role to yy_transport_client then I am able to run query from this Node(Node6) too.

Custom Role

yy_elastic_search_role": {
    "cluster": [
      "monitor",
      "manage",
      "manage_index_templates"
    ],
    "indices": [
      {
        "names": [
          "*"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }

User

"yy_transport_client": {
    "username": "yy_transport_client",
    "roles": [
      "transport_client",
      "yy_elastic_search_role"
    ],
    "full_name": null,
    "email": null,
    "metadata": {},
    "enabled": true
}

Can there be Issue at OS level with one Node(Node6), as I am not able to figure out. Appreciate your help in advance.

Thanks,
Amit Sinha.


(Tim Vernum) #2

Please make the effort to format your post to be as readable as possible - there's a live preview panel for exactly this reasons. In particular, please use the </> button to pre-format code or configuration files.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.


(Tim Vernum) #3

How did you create your role, through the API, or in a file?


(Amit) #4

Sorry for formatting issue.

I have created users and roles through curl command(user management api).

Cluster was green when i created user and roles. So from other nodes I am able to run query, only one node is creating Issue. But same time if I assign SuperUser role, I am able to run Query on Culprit node too.


(Amit) #5

Just to add few things, The node where I am not able to Run Query with Custom User was started 3 days back due to power failure on this server and this is Virtual Machine. Earlier prior to restart I was able to run Query.


(Tim Vernum) #6

I think you've hit a caching problem.
Elasticsearch 5.2 is now a year old, and in that time we resolved a number of problems related to caching of users and roles.
My guess is that the broken node has a cache that thinks this role doesn't exist.


(Amit) #7

Thank you Tim.
This came in my mind but I was not sure, appreciate your view, in pointing this out. I will check on my server and post you.

I will be thankful if you can let me know Release Notes mentioning Caching Issue and Exact Elastic Search release in which this is Fixed.


(Tim Vernum) #8

There are multiple fixes across multiple versions, you will need to read the release notes yourself.

If you are considering upgrading, then you should upgrade to the most recent version with the same major release (in this case 5.6.x) as that will be the most stable and supported version, and will facilitate upgrading to the next major release in the future.


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.