Hi, I have a problem with the Kibana/Elasticsearch rules.
I enabled X-Pack on Kibana and afterwards I connected my LDAP server (OpenDJ) with Elasticsearch.
```
dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
o: myorganization

dn: cn=admin,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: admin

dn: cn=firstuser,cn=admin,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: firstuser
sn: firstuser
userPassword: {SSHA}<password>

dn: cn=user,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: user

dn: cn=seconduser,cn=user,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: seconduser
sn: seconduser
userPassword: {SSHA}<password>
```
The problem is that when I try to connect with the "firstuser", I can access Kibana but I get this error: "You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles"
Please use </> or backticks (`) to format your message - instead of quotes. This will allow you to maintain format and will be much easier to read. It would be great if you can update your post.
The error message tells you that your user needs to have the kibana_user and the monitoring_user roles.
is assigning the monitoring role to the members of the cn=admin,dc=example,dc=com group and the user role to the members of the cn=user,dc=example,dc=com group.
In your LDAP, neither your cn=user,dc=example,dc=com group, nor your cn=admin,dc=example,dc=com group contain any members.
So, you need to correct a few things:
Add your firstuser to the cn=user,dc=example,dc=com group in your LDAP.
Give the users of your cn=user,dc=example,dc=com group the correct roles in role mapping with the following rules:
This is not the same as the user being a member of the group. You can read more on LDAP group membership; this is unrelated to Elasticsearch (see for example https://ldapwiki.com/wiki/LDAP%20Group).
Our role mapping works with either user DNs or with group DNs, as you can read in the documentation. What you did works, but it will only work for your firstuser, as you have specified them by user DN.
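The distinction drawn in the answers above, as an added example that is not part of the thread and is not Elasticsearch code: a user entry stored underneath a group's DN is not a member of that group, so a role mapping keyed on the group DN grants nothing until the group lists the user in `member`. The LDIF, the `MAPPINGS` list and the helper names are constructed for illustration, and group resolution is reduced to a `groupOfNames`/`member` lookup.

```python
# Added example. Simplified model: a user's groups are the groupOfNames entries
# that list the user's DN in "member"; DNs are compared as lowercase strings.
USER = "cn=firstuser,cn=admin,dc=example,dc=com"

# Constructed LDIF mirroring the thread's layout: groups without "member" values.
BROKEN = """\
dn: cn=admin,dc=example,dc=com
objectClass: groupOfNames
cn: admin

dn: cn=firstuser,cn=admin,dc=example,dc=com
objectClass: inetOrgPerson
cn: firstuser

dn: cn=user,dc=example,dc=com
objectClass: groupOfNames
cn: user
"""
# Same directory after adding firstuser to the cn=user group.
FIXED = BROKEN.replace("cn: user\n", "cn: user\nmember: " + USER + "\n")

# Constructed stand-in for a role mapping keyed on group DN: (role, group DN).
MAPPINGS = [("kibana_user", "cn=user,dc=example,dc=com"),
            ("monitoring_user", "cn=user,dc=example,dc=com")]

def parse_ldif(text):
    """Parse blank-line-separated LDIF entries into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def groups_of(user_dn, entries):
    """Groups come from 'member' values, not from where the entry sits in the tree."""
    user_dn = user_dn.lower()
    return {dn for dn, a in entries.items()
            if "groupofnames" in (c.lower() for c in a.get("objectclass", []))
            and user_dn in (m.lower() for m in a.get("member", []))}

def roles_for(user_dn, entries, mappings):
    """Roles granted by group-DN mappings for the groups the user belongs to."""
    groups = groups_of(user_dn, entries)
    return {role for role, group_dn in mappings if group_dn.lower() in groups}

if __name__ == "__main__":
    for label, ldif in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, sorted(roles_for(USER, parse_ldif(ldif), MAPPINGS)))
```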