[security_exception] action [indices:data/read/mget] is unauthorized for user

security

(sabad) #1

Moved from local to AD.
Successfully logged in as kibana4-server.

Getting error on browser when I log in as regular AD user.
[security_exception] action [indices:data/read/mget] is unauthorized for user

Logs:
[2016-06-23 19:04:06,566][INFO ][rest.suppressed ] /_mget Params: {preference=1466723046069, timeout=0, ignore_unavailable=true}
ElasticsearchSecurityException[action [indices:data/read/mget] is unauthorized for user [dala]]
at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:129)
at org.elasticsearch.shield.action.ShieldActionFilter.apply(

My role_mapping.yml file looks like:
kibana4:
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

monitoring:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

admin:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

power_user:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

user:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

kibana4_server:
  - 'cn=logstash,cn=Users,dc=ops,dc=saba'
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'

What additional step do I need to do for the AD user to get the Kibana UI?


(Jay Modi) #2

What roles do you see when you access localhost:9200/_shield/authenticate as that user?


(sabad) #3

curl -u dala -XGET 'https://n3pv01inflsh01.ops.saba:9200/_shield/authenticate' -k
Enter host password for user 'dala':
{"username":"dala","roles":["Domain Admins","Users","Denied RODC Password Replication Group","SEC-MT","Administrators","VPNusers","Domain Users","VMAdmins","InfobloxAdmin","CLD-Inf"]}

curl -u kibana4-server -XGET 'https://n3pv01inflsh01.ops.saba:9200/_shield/authenticate' -k
Enter host password for user 'kibana4-server':
{"username":"kibana4-server","roles":["Users","monitoring","kibana4_server","admin","power_user","Domain Users","user"]}


(Jay Modi) #4

The dala user is not getting mapped to any real roles (I think), as those just look like the unmapped groups as roles. Maybe you can edit the config/logging.yml file and add shield.authc: DEBUG in the logger section, restart Elasticsearch, try to authenticate, and look for log messages about role mapping.

Also, can you provide your role definitions?
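A small diagnostic, added here and not taken from the thread or from Shield, that applies the reasoning above mechanically: it parses the `role:` / `- dn` subset of role_mapping.yml, checks which names in the /_shield/authenticate output are roles that the posted roles.yml defines, and shows that a DN whose CN is the user's full name (a constructed value) matches none of the mapping entries. The DN normalization (case-fold, trim around commas) is my simplification, not Shield's matching code.

```python
import json

# Constructed sample: the role_mapping.yml entries from the thread, reduced to two roles.
ROLE_MAPPING_YML = """
kibana4:
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
monitoring:
  - 'cn=kibana4-server,cn=Users,dc=ops,dc=saba'
  - 'cn=dala,cn=Users,dc=ops,dc=saba'
"""
# Role names that the posted roles.yml actually defines.
DEFINED_ROLES = {"admin", "power_user", "user", "transport_client", "kibana4", "kibana4_server",
                 "logstash", "sabalogstash", "marvel_user", "remote_marvel_agent"}
# /_shield/authenticate output as posted for both users (dala's group list abridged).
AUTH_DALA = '{"username":"dala","roles":["Domain Admins","Users","SEC-MT","Domain Users"]}'
AUTH_KIBANA = ('{"username":"kibana4-server","roles":["Users","monitoring","kibana4_server",'
               '"admin","power_user","Domain Users","user"]}')

def parse_role_mapping(text):
    """Parse the 'role:' / '  - dn' subset of role_mapping.yml into {role: [dn, ...]}."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and line.endswith(":"):
            role = line[:-1]
            mapping.setdefault(role, [])
        elif line.startswith("-") and role is not None:
            mapping[role].append(line[1:].strip().strip("'\""))
        else:
            raise ValueError("unsupported role_mapping line: %r" % raw)
    return mapping

def normalize_dn(dn):
    """Assumed normalization: case-fold and drop spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def roles_for_user(mapping, user_dns):
    """Roles whose mapping lists the user's real DN or one of the user's group DNs."""
    have = {normalize_dn(d) for d in user_dns}
    return sorted(r for r, dns in mapping.items() if have & {normalize_dn(d) for d in dns})

def classify_roles(authenticate_json, defined_roles):
    """Split the reported roles into (roles roles.yml defines, names it does not define)."""
    roles = json.loads(authenticate_json)["roles"]
    return (sorted(r for r in roles if r in defined_roles),
            sorted(r for r in roles if r not in defined_roles))
```

The second bucket holds raw AD group names and also any mapping target that roles.yml never defines, so an empty first bucket for a user is the signal that no mapping entry matched.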


(sabad) #5

[root@n3pv01inflsh01 shield]# cat roles.yml

# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*':
      privileges: all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*':
      privileges: all

# Read-only operations on indices
user:
  indices:
    '*':
      privileges: read

# Defines the required permissions for transport clients
transport_client:
  cluster:
    - cluster:monitor/nodes/liveness
    #uncomment the following for sniffing
    #- cluster:monitor/state
##############################

# The required permissions for kibana 4 users.
kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '.kibana':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

# The required role for logstash users
logstash:
  cluster: all
  indices:
    'logstash-*':
      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index

# The required role for logstash users
sabalogstash:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
    'logstash-*':
      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    '.marvel-es-*':
      privileges: read
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: indices:admin/template/put, indices:admin/template/get
  indices:
    '.marvel-es-*':
      privileges: all


(Jay Modi) #6

It looks like your Kibana roles may need to be updated. What version of Shield are you using? Also, did you upgrade from an earlier version?

In your roles, where .kibana is used, please change this to .kibana* and see if you still get the same error. The change needs to be made on all nodes.


(sabad) #7

Looks like my CN for dala is the full name, and it started working.

Thanks for your help, debugging the logs helped to fix the issue.


(sabad) #8

I had an issue with 2.3.3. After googling the error, I found the workaround by downgrading to 2.2.0.

Please provide me the latest versions which are working and stable. I can upgrade now as this is a POC.
