[security_exception] action [indices:data/read/search]

Hi, I am using Elasticsearch 6.8.0.

Configured with an AD group and getting the error below:

{"message":"action [indices:data/read/search] is unauthorized for user [xxxxxx]: [security_exception] action [indices:data/read/search] is unauthorized for user [xxxxxx]","statusCode":403,"error":"Forbidden"}

Created ADMIN role:

GET _xpack/security/role/ADMIN
{
  "ADMIN" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ],
        "field_security" : {
          "grant" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [
      "*"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Mapped the ADMIN role to the AD group:

GET _xpack/security/role_mapping/ADMIN
{
  "ADMIN" : {
    "enabled" : true,
    "roles" : [
      "superuser",
      "reporting_user",
      "monitoring_user",
      "kibana_user"
    ],
    "rules" : {
      "field" : {
        "groups" : "CN=XXXXXX,OU=Resource,OU=Groups,OU=XXXX,DC=xxxx1,DC=xxx,DC=xxx"
      }
    },
    "metadata" : { }
  }
}

Is anything missing on my side to get ADMIN access to view all indices?

When I use CN=*, I am able to view all of them. I need help with this.

That implies that the user isn't actually in the CN=XXXXXX,OU=Resource,OU=Groups,OU=XXXX,DC=xxxx1,DC=xxx group.

Use the Authenticate API and check the actual groups.
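A small offline check of the advice above, written for this thread and not code from Elastic: it takes the `metadata` of a constructed Authenticate API response (the `ldap_groups` / `ldap_dn` metadata keys, and the simplified DN normalisation, are assumptions) and evaluates the question's role-mapping `rules` object against it the way Elasticsearch does for `field`, `any`, `all` and `except` rules, so you can see which group the user actually has and why the exact DN in the mapping does not match while `CN=*` does.

```python
import fnmatch
import re

# Constructed sample of what GET /_xpack/security/_authenticate returns for an
# AD-backed user; the ldap_dn / ldap_groups metadata keys are an assumption.
AUTHENTICATE_RESPONSE = {
    "username": "xxxxxx",
    "metadata": {
        "ldap_dn": "CN=xxxxxx,OU=Users,DC=xxxx1,DC=xxx,DC=xxx",
        "ldap_groups": ["CN=Readers,OU=Resource,OU=Groups,OU=XXXX,DC=xxxx1,DC=xxx,DC=xxx"],
    },
}

# The "rules" object of the ADMIN role mapping from the question.
MAPPING_RULES = {"field": {
    "groups": "CN=XXXXXX,OU=Resource,OU=Groups,OU=XXXX,DC=xxxx1,DC=xxx,DC=xxx"}}

def user_model(auth):
    """Fields a role-mapping rule can test, built from an authenticate response."""
    meta = auth.get("metadata", {})
    return {"username": auth["username"], "dn": meta.get("ldap_dn"),
            "groups": meta.get("ldap_groups", []), "metadata": meta}

def lookup(model, dotted):
    """Resolve 'metadata.ldap_groups'-style field names; always return a list."""
    node = model
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node if isinstance(node, list) else ([] if node is None else [node])

def normalize_dn(s):
    """Case- and whitespace-insensitive DN form (simplified RFC 4514 comparison)."""
    return ",".join(p.strip().lower() for p in str(s).split(","))

def pattern_matches(pattern, value):
    if isinstance(pattern, list):                          # list = match any entry
        return any(pattern_matches(p, value) for p in pattern)
    if pattern.startswith("/") and pattern.endswith("/"):  # /regex/ pattern
        return re.fullmatch(pattern[1:-1], str(value)) is not None
    return fnmatch.fnmatchcase(normalize_dn(value), normalize_dn(pattern))  # wildcard

def evaluate(rule, model):
    """Evaluate a field / any / all / except rule against the user model."""
    (kind, body), = rule.items()
    if kind in ("any", "all"):
        return (any if kind == "any" else all)(evaluate(r, model) for r in body)
    if kind == "except":
        return not evaluate(body, model)
    (field, pattern), = body.items()                       # kind == "field"
    return any(pattern_matches(pattern, v) for v in lookup(model, field))
```

Run `evaluate(MAPPING_RULES, user_model(AUTHENTICATE_RESPONSE))` with the real response pasted in; `user_model(...)["groups"]` lists the DNs the mapping must name.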
