Security_exception

Hello,
I have deployed Elasticsearch and Kibana from Azure Marketplace. The Elastic cluster is created with 3 data nodes, 3 master nodes, and 1 Kibana node as per my selection during deployment. The Kibana VM can be communicated with through its public IP. The Azure internal load balancer selects one of the data nodes to store the index, based on the traffic load on it. Also, 1 client node is deployed externally in the same Virtual Network where the Elastic cluster is. The main aim is to visualize logs of the client VM with the help of Filebeat on it and with the help of the Elastic cluster nodes. The Azure Marketplace image is integrated with X-Pack of Elastic, that is, the cluster is protected with Shield. While communicating with the Elastic cluster using REST API commands, we know that we should pass the Shield user name and password.

I am able to get a reply from the Elastic server when I do normal API calls with the Shield user name and password, like "list of indices", "knowing cluster health", "list of nodes", etc.

I tried with the username "es_admin", which has admin rights.

But when I am trying to load filebeat-index-template, I am getting the below "security_exception" error:

{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "missing authentication token for REST request [/_template/filebeat?pretty]",
      "header" : {
        "WWW-Authenticate" : "Basic realm=\"shield\" charset=\"UTF-8\""
      }
    } ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_template/filebeat?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"shield\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Clarification is needed.

Thanks in advance,

Try creating a role for filebeat. And assign this role to a user specific to filebeat.

There is an example for Packetbeat in the X-Pack docs. Just change packetbeat to filebeat.

Thanks @andrewkroh. Let me try.

Thanks @andrewkroh. I created the filebeat role and assigned it to the user. I am able to see the logs forwarded by Filebeat in the Kibana UI, and it helped me a lot. Thanks again.

But es_admin or elastic are superusers by default. As a superuser, it should have all admin permissions to create an index, load index templates, and so on. Then why do we need to create and assign a specific role to a particular superuser?

It's hard to tell exactly what was going on with your original issue, but the problem seems to have been that you didn't provide credentials in your request.

"reason" : "missing authentication token for REST request [/_template/filebeat?pretty]",

This indicates that there was no username/password provided in the REST request. It's not that es_admin wasn't permitted to view the template, it's that you hadn't actually authenticated as es_admin.
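The distinction drawn in the reply above, as an added example that is not part of the original thread: a small Python triage helper that separates "no credentials reached the node" (401) from "authenticated but missing a role" (403). The function names, the sample password and the diagnosis strings are assumptions; the sample body is constructed from the error quoted in the thread.

```python
import base64
import json

# Constructed sample: the top-level error from the thread, as a JSON string.
SAMPLE_401 = json.dumps({
    "error": {
        "type": "security_exception",
        "reason": "missing authentication token for REST request "
                  "[/_template/filebeat?pretty]",
        "header": {"WWW-Authenticate": 'Basic realm="shield" charset="UTF-8"'},
    },
    "status": 401,
})


def basic_auth_header(user, password):
    """Return the HTTP Basic value for the Authorization request header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def triage(request_headers, response_body):
    """Classify a security_exception as a credentials or a permissions problem."""
    body = json.loads(response_body)
    error = body.get("error", {})
    if error.get("type") != "security_exception":
        return "not a security exception"
    # Header names are case-insensitive in HTTP.
    sent_auth = any(name.lower() == "authorization" for name in request_headers)
    status = body.get("status")
    missing = error.get("reason", "").startswith("missing authentication token")
    if status == 401 and missing and not sent_auth:
        return "no credentials sent with this request"
    if status == 401 and missing:
        return "header set by client but not seen by the node"
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "authenticated but not authorized: check the user's roles"
    return f"unexpected status {status}"


if __name__ == "__main__":
    # "changeme" is a constructed placeholder password.
    headers = {"Authorization": basic_auth_header("es_admin", "changeme")}
    print(triage({}, SAMPLE_401))
    print(triage(headers, SAMPLE_401))
```

A role change only addresses the 403 branch; the 401 in the thread falls in one of the first two branches, which point at the request itself.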

Thanks for your reply @TimV. Even though es_admin\elastic credentials are provided during API calls, I got the same issue.

The "missing authentication token" error is coming only while loading the filebeat-index template.

Other API calls with es_admin:password are serving outputs without any authentication issues.

But the project is done successfully as per andrewkroh's guidelines.

Thanks a lot @TimV @andrewkroh
