I'm trying to get Active Directory authentication working with X-Pack. In /etc/elasticsearch/x-pack/role_mapping.yml I have defined a user and assigned it the monitoring_user and kibana_user roles:
But when I log in to Kibana, I get the error "You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles."
[2017-05-11T16:29:08,033][DEBUG][o.e.x.s.a.e.ReservedRealm] [elk01] user not found in cache, proceeding with normal authentication
[2017-05-11T16:29:08,033][DEBUG][o.e.x.s.a.l.LdapRealm ] [elk01] authenticated user [myuser], with roles [[]]
This log appears to have been from a case where the LdapRealm (AD) was using cached data (*), so it doesn't give us enough information to diagnose the problem.
Try clearing the cache for the active_directory realm and then try again. There should be more detailed logging which we can use to work out what's going on for you.
(*) The message from the ReservedRealm is a little misleading. Each realm maintains its own cache, so the fact that the user isn't cached in the ReservedRealm is totally normal, and doesn't tell us whether the LdapRealm had cached the user data.
Thanks for your answer. So I cleared the active_directory cache as you suggested.
POST /_xpack/security/realm/active_directory/_clear_cache?pretty
Then I logged in again while tailing the /var/log/elasticsearch/myclustername.log logfile
[2017-05-12T11:16:17,161][DEBUG][o.e.x.s.a.e.ReservedRealm] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,161][DEBUG][o.e.x.s.a.l.LdapRealm ] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,190][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [myclustername] group SID to DN [CN=MyUser Name,OU=myusernameou's] search filter: [(|(objectSid=S-1-5-32-545)(objectSid=S-1-5-21-171445296-392181855-1598175747-54962)(objectSid=S-1-5-21-171585296-392181855-1598175747-61874)(objectSid=S-1-5-21-171585296-392181855-1598144747-54704)(objectSid=S-1-5-21-171585296-392144855-1598175747-54828)(objectSid=S-1-5-21-171445296-392181855-1598175747-48304).....
[2017-05-12T11:16:17,254][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myclustername] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin
Then follows a big list of all the groups I'm in.
[2017-05-12T11:16:17,254][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myclustername] the roles [[]], are mapped from the user [CN=MyUser Name,OU=muusernameou's] for realm [active_directory/active_directory]
[2017-05-12T11:16:17,256][DEBUG][o.e.x.s.a.l.LdapRealm ] [myclustername] authenticated user [myusername], with roles [[]]
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.e.ReservedRealm] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.l.LdapRealm ] [myclustername] authenticated user [myusername], with roles [[]]
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.e.ReservedRealm] [myclustername] user not found in cache, proceeding with normal authentication
[2017-05-12T11:16:17,525][DEBUG][o.e.x.s.a.l.LdapRealm ] [myclustername] authenticated user [myusername], with roles [[]]
So myusername still has no roles mapped. Not sure how to proceed now.
The first step is to double check that the DN that is logged inside the [ ... ] is exactly the same as the DN in your role-mapping file. Since the files you've posted here have been redacted, I can't tell whether it's correct - but this is the number 1 source of issues with role mapping.
I just noticed that in the redacted version in your original post you have 2 different DNs listed:
cn=myuser,ou=Personal,ou=User,dc=my,dc=domain
cn=myuser,ou=Personal,ou=Users,dc=my,dc=domain
so it's an easy mistake to make.
The next thing to look for is a message printed when the node starts up that says something like:
[o.e.x.s.a.s.DnRoleMapper ] [myclustername] NNN role mappings found in file [/etc/elasticsearch/x-pack/role_mapping.yml] for realm [active_directory/active_directory]
If that exists it will confirm that your file is being read successfully. The count should be the number of distinct DNs in your role-mapping. So if you are mapping exactly 1 user, then it should be a 1 even if that user has multiple roles.
If that log message doesn't exist, then it indicates that the role mapping is not being read. There may be some sort of warning message explaining why, but the details will depend on the version of Elasticsearch you are running, and the cause of the problem.
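The two checks in that answer (does the DN that DnRoleMapper logged match a DN in role_mapping.yml character for character, and does the number of distinct DNs in the file match the NNN in the startup message) can be scripted. The following is an added example, not code from the thread or from X-Pack. It assumes the role_mapping.yml shape used by X-Pack file-based role mapping (a role name followed by a list of quoted DNs) and the DnRoleMapper log-line shape shown above; the sample file and log line are constructed, with the ou=User / ou=Users typo pointed out in the answer, and the minimal parser is not a general YAML parser.

```python
"""Compare the DN logged by DnRoleMapper against role_mapping.yml entries.

Added example (not from the thread or from X-Pack). Assumes the simple
role_mapping.yml shape: a role name, then a list of quoted DNs.
"""
import re

# Constructed sample role_mapping.yml. The two entries were meant to be the
# same user, but one has ou=User and the other ou=Users (the typo from the thread).
SAMPLE_ROLE_MAPPING = """\
# constructed sample, not a real file
monitoring_user:
  - "cn=myuser,ou=Personal,ou=User,dc=my,dc=domain"
kibana_user:
  - "cn=myuser,ou=Personal,ou=Users,dc=my,dc=domain"
"""

# Constructed sample log line in the shape DnRoleMapper prints (see the thread).
SAMPLE_LOG_LINE = (
    "[2017-05-12T11:16:17,254][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myclustername] "
    "the roles [[]], are mapped from the user "
    "[CN=myuser,OU=Personal,OU=Users,DC=my,DC=domain] "
    "for realm [active_directory/active_directory]"
)

LOG_DN_RE = re.compile(r"mapped from the user \[(.*?)\] for realm")


def normalize_dn(dn):
    """Lower-case attribute types and values and drop whitespace around ',' and '='.

    Comparing the normalised form separates a real typo (ou=User vs ou=Users) from
    a mere casing or spacing difference. Assumption: DNs contain no escaped commas.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def parse_role_mapping(text):
    """Minimal parser for 'role:' lines followed by '- "dn"' items -> {role: [dn, ...]}.

    Not a general YAML parser (assumption for this example); comments are stripped.
    """
    mapping, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        role = re.match(r"^(\S[^:]*):\s*$", line)
        if role:
            current = role.group(1).strip()
            mapping.setdefault(current, [])
            continue
        item = re.match(r'^\s*-\s*"?([^"]+?)"?\s*$', line)
        if item and current is not None:
            mapping[current].append(item.group(1))
    return mapping


def distinct_dn_count(mapping):
    """Number of distinct DNs in the file: what the 'NNN role mappings found' message counts."""
    return len({normalize_dn(dn) for dns in mapping.values() for dn in dns})


def dn_from_log_line(line):
    """Pull the user DN out of a DnRoleMapper 'mapped from the user [...]' line."""
    m = LOG_DN_RE.search(line)
    return m.group(1) if m else None


def check_mapping(mapping, logged_dn):
    """Return (roles whose DN matches the logged DN, (role, dn) pairs off by exactly one RDN)."""
    target = normalize_dn(logged_dn).split(",")
    matched, near_misses = [], []
    for role, dns in mapping.items():
        for dn in dns:
            candidate = normalize_dn(dn).split(",")
            if candidate == target:
                matched.append(role)
            elif len(candidate) == len(target) and sum(a != b for a, b in zip(candidate, target)) == 1:
                near_misses.append((role, dn))
    return matched, near_misses


if __name__ == "__main__":
    mapping = parse_role_mapping(SAMPLE_ROLE_MAPPING)
    print(f"distinct DNs in file (expect this as NNN at startup): {distinct_dn_count(mapping)}")
    logged = dn_from_log_line(SAMPLE_LOG_LINE)
    matched, near_misses = check_mapping(mapping, logged)
    print(f"logged DN: {logged}")
    print(f"roles that will be granted: {matched}")
    for role, dn in near_misses:
        print(f"near miss for role {role}: {dn} (differs from logged DN in one RDN)")
```

Run against the constructed sample, the report shows two distinct DNs in the file where one user was intended, kibana_user granted, and monitoring_user listed as a one-RDN near miss, which is exactly the symptom in the original post (Monitoring needs both roles). Swap in your own role_mapping.yml contents and the DnRoleMapper line from your log to check a real setup.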