Role mappings will not be applied to any users

I'm getting the following message in the Role Mappings page of Kibana:

No compatible realms are enabled in Elasticsearch
Role mappings will not be applied to any users. Contact your system administrator and refer to the docs for more information.

The link takes me to the Role Mappings documentation page but it doesn't seem to describe what could be causing that error. Does anybody know what it means? The confusing thing is authentication and authorisation seem to be working, so maybe this is a false alarm?

We're using SAML authentication with Okta.

You're likely on a Platinum license then? I would suggest you hit up the Support team :slight_smile:

It'd be helpful if you could show some screenshots of what you are doing as well.

Hi Mark

We do have a platinum licence so a support case is an option. I was just looking around this site for a solution so thought I'd ask here in case somebody else has seen the same issue. We're still running version 7.9 on this cluster and we're about to upgrade to 7.12 so I'll do that first and maybe it will resolve the issue. If not I'll raise a support case.

This is a screenshot of the problem:

Thanks
Craig.

That's just a warning, to alert people to the fact that they don't want to be on that page if none of their configured realms need role mapping. So, it shouldn't prevent you from getting stuff done.

However, if it's coming up then either

  1. there's a bug in that version of Kibana
  2. you really don't have realms configured.

My guess is that your elected master node doesn't have the SAML realms configured.
The Kibana code is looking at an API that only reports the security state on the master node of the cluster, so if it doesn't have any applicable realms, then you'll see this message.

Thanks Tim. You're right, it does seem to be working so it could be just a warning. I don't have realms configured on the master servers. I'm running ES as a coordinating node on the Kibana server and in elasticsearch.yml I have a native realm and a saml realm configured there. Should the realms configuration be on the master nodes instead of the coordinating node or as well as on the coordinating node?

This is my realms configuration on the coordinating node:

    xpack.security.authc:
        token:
            enabled: true
        realms:
            native:
                native1:
                    enabled: true
                    order: 0
            saml:
                okta:
                    enabled: true
                    order: 2
                    attributes.principal: "principal"
                    attributes.groups: "groups"
                    idp.metadata.path: "/etc/path/to/idp-metadata.xml"
                    idp.entity_id: "http://www.okta.com/<redacted>"
                    sp.entity_id: "https://<kibana_host>:5601/"
                    sp.acs: "https://<kibana_host>:5601/api/security/v1/saml"
                    sp.logout: "https://<kibana_host>:5601/logout"

This is resolved now. As Tim said, Kibana is checking for realms information on the master server only. Realms functionality is not affected because realms are configured in Elasticsearch, not Kibana. So the message in Kibana is just a warning to advise that Kibana can't find the realms information.

I copied the Okta realms configuration to my 3 master-eligible nodes, restarted ES on the master nodes, and the warning has now gone.
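
The fix above amounts to keeping realm definitions consistent across nodes. As an added example (not code from the thread's participants or from Elastic), this sketch compares the `xpack.security.authc.realms` section of each node's `elasticsearch.yml` and lists nodes that lack a realm defined elsewhere. Assumptions: the node names and file contents are constructed samples, and every realm type other than `native` and `file` is treated as needing role mapping.

```python
# Added example. Node names and elasticsearch.yml contents are constructed samples.
NO_MAPPING = {"native", "file"}  # assumption: these realm types assign roles directly
PREFIX = "xpack.security.authc.realms."

def flatten(yaml_text):
    """Flatten simple indented key/value YAML into {dotted.path: value} (no lists)."""
    flat, stack = {}, []  # stack: (indent, key) of each enclosing mapping
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that this line is no longer nested in
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip().strip('"')
    return flat

def enabled_realms(yaml_text):
    """Return {(type, name)} for realms defined and not disabled in one node's config."""
    found, disabled = set(), set()
    for path, value in flatten(yaml_text).items():
        parts = path[len(PREFIX):].split(".") if path.startswith(PREFIX) else []
        if len(parts) >= 3:
            found.add((parts[0], parts[1]))
            if parts[2:] == ["enabled"] and value == "false":
                disabled.add((parts[0], parts[1]))
    return found - disabled

def missing_mapped_realms(configs):
    """configs: {node: yml text}. Per node, realms needing role mapping it lacks."""
    per_node = {n: {r for r in enabled_realms(t) if r[0] not in NO_MAPPING}
                for n, t in configs.items()}
    everywhere = set().union(*per_node.values())
    return {n: sorted(everywhere - r) for n, r in per_node.items() if everywhere - r}

COORD_YML = """\
xpack.security.authc:
    realms:
        native:
            native1:
                order: 0
        saml:
            okta:
                enabled: true
"""
MASTER_YML = "node.master: true\nxpack.security.enabled: true\n"

print(missing_mapped_realms({"coord-1": COORD_YML, "master-1": MASTER_YML}))
```

An empty result means every node defines the same set of mapped realms; it does not compare the individual realm settings.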
