Security_exception Xpack

Hey guys,

I have successfully installed an ELK stack with the sec pack "x-pack". Further, I created 1 user with the roles kibana_user and events_admin. The kibana_user is default and the events_admin has: Cluster Priv: all, index Priv indices: * Privs: all
configured over the Kibana web interface with the elastic user.

Every time I get the following error:
Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user

Any idea? Thanks for the help!

What version of Elasticsearch and Kibana are you using?

When and where do you see that error? In Kibana? When you log in? Or in a log file?

To just use Kibana and have access to the data in an index, a user would typically only require:

  1. kibana_user
  2. a role with read and view_index_metadata privs on that particular index (and no cluster privs)

Plus optionally reporting_user and monitoring_user roles.

But the fact that you've given more privs should not be the problem.

You could turn on audit logging in your Elasticsearch cluster and that would show you which user is getting the error and what index they are accessing.

https://www.elastic.co/guide/en/x-pack/current/auditing.html

You could also query Elasticsearch for your users and roles and paste it here so we could check that you really have everything set correctly.

curl -XGET http://localhost:9200/_xpack/security/role?pretty

curl -XGET http://localhost:9200/_xpack/security/user?pretty

Please let us know if that helps.

Regards,
Lee

Hi Lee,
thanks for some tips...
I get this error: Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [network] with the login over Kibana...

curl -XGET http://elastic:changeme@localhost:9200/_xpack/security/user?pretty
{
"elastic" : {
"username" : "elastic",
"roles" : [
"superuser"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"kibana" : {
"username" : "kibana",
"roles" : [
"kibana_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"logstash_system" : {
"username" : "logstash_system",
"roles" : [
"logstash_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"network" : {
"username" : "network",
"roles" : [
"kibana_user",
"events_admin2"
],
"full_name" : "network",
"email" : "ntwk@nt.com",
"metadata" : { },
"enabled" : true
}
}

curl -XGET http://elastic:changeme@localhost:9200/_xpack/security/role?pretty
{
"watcher_admin" : {
"cluster" : [
"manage_watcher"
],
"indices" : [
{
"names" : [
".watches",
".triggered_watches",
".watcher-history-"
],
"privileges" : [
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"logstash_system" : {
"cluster" : [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"kibana_user" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
".kibana
"
],
"privileges" : [
"manage",
"read",
"index",
"delete"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"machine_learning_user" : {
"cluster" : [
"monitor_ml"
],
"indices" : [
{
"names" : [
".ml-anomalies*",
".ml-notifications"
],
"privileges" : [
"view_index_metadata",
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"remote_monitoring_agent" : {
"cluster" : [
"manage_index_templates",
"manage_ingest_pipelines",
"monitor",
"cluster:admin/xpack/watcher/watch/get",
"cluster:admin/xpack/watcher/watch/put",
"cluster:admin/xpack/watcher/watch/delete"
],
"indices" : [
{
"names" : [
".marvel-es-",
".monitoring-
"
],
"privileges" : [
"all"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"machine_learning_admin" : {
"cluster" : [
"manage_ml"
],
"indices" : [
{
"names" : [
".ml-"
],
"privileges" : [
"view_index_metadata",
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"watcher_user" : {
"cluster" : [
"monitor_watcher"
],
"indices" : [
{
"names" : [
".watches",
".watcher-history-
"
],
"privileges" : [
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"monitoring_user" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
".marvel-es-",
".monitoring-
"
],
"privileges" : [
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"reporting_user" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
".reporting-"
],
"privileges" : [
"read",
"write"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"kibana_system" : {
"cluster" : [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices" : [
{
"names" : [
".kibana
",
".reporting-"
],
"privileges" : [
"all"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"transport_client" : {
"cluster" : [
"transport_client"
],
"indices" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"superuser" : {
"cluster" : [
"all"
],
"indices" : [
{
"names" : [
"
"
],
"privileges" : [
"all"
]
}
],
"run_as" : [
""
],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"ingest_admin" : {
"cluster" : [
"manage_index_templates",
"manage_pipeline"
],
"indices" : [ ],
"run_as" : [ ],
"metadata" : {
"reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"events_admin2" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
"logstash
"
],
"privileges" : [
"read",
"view_index_metadata"
]
}
],
"run_as" : [ ],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}

Maybe an idea?
I will turn on audit logging now and respond later! Thank you again!

With the audit log I found the error...

[2017-07-18T12:18:41,333] [transport] [access_denied] origin_type=[rest], origin_address=[127.0.0.1], principal=[floham], action=[indices:data/write/update], indices=[.logstash], request=[UpdateRequest]

Thanks for all! cya
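
Added example, not part of any post in this thread: a short Python check that parses the `access_denied` audit line above and compares it with a user/role listing, reporting which roles (if any) allow the denied action on the index. The privilege-to-action table is a simplified subset, and the index patterns in the sample roles are constructed assumptions; only the role names and the audit line come from the thread.

```python
import re
from fnmatch import fnmatchcase

# Simplified subset of index privilege -> action patterns (assumption, not the full X-Pack table).
PRIVILEGE_ACTIONS = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "write": ["indices:data/write/*"],
    "index": ["indices:data/write/index*", "indices:data/write/update*", "indices:data/write/bulk*"],
    "delete": ["indices:data/write/delete*"],
}

# Audit line as posted in the thread.
AUDIT_LINE = ("[2017-07-18T12:18:41,333] [transport] [access_denied] origin_type=[rest], "
              "origin_address=[127.0.0.1], principal=[floham], action=[indices:data/write/update], "
              "indices=[.logstash], request=[UpdateRequest]")

# Constructed sample data: role names follow the thread, index patterns are assumed.
USERS = {"network": {"roles": ["kibana_user", "events_admin2"]}}
ROLES = {
    "kibana_user": {"indices": [{"names": [".kibana*"], "privileges": ["manage", "read", "index", "delete"]}]},
    "events_admin2": {"indices": [{"names": ["logstash-*"], "privileges": ["read", "view_index_metadata"]}]},
}

def parse_audit_line(line):
    """Return the key=[value] fields of an audit line plus its layer and event type."""
    tags = re.findall(r"(?<!=)\[([^\]]*)\]", line)  # bracket groups not preceded by '='
    if len(tags) < 3:
        raise ValueError("not an audit log line")
    event = dict(re.findall(r"(\w+)=\[([^\]]*)\]", line))
    event.update(timestamp=tags[0], layer=tags[1], event=tags[2])
    event["indices"] = [i.strip() for i in event.get("indices", "").split(",") if i.strip()]
    return event

def granting_roles(event, users, roles):
    """Map each index in the event to the roles that allow the action; None if the principal is unknown."""
    user = users.get(event["principal"])
    if user is None:
        return None  # the denied account is not the one whose roles were reviewed
    result = {}
    for index in event["indices"]:
        result[index] = []
        for name in user["roles"]:
            for entry in roles.get(name, {}).get("indices", []):
                allowed = [a for p in entry["privileges"] for a in PRIVILEGE_ACTIONS.get(p, [p])]
                if any(fnmatchcase(index, n) for n in entry["names"]) and \
                   any(fnmatchcase(event["action"], a) for a in allowed):
                    result[index].append(name)
    return result
```

A `None` result means the principal in the audit line is not among the listed users, so the role review has to start with the account the client is actually authenticating as.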
