Hey guys,
i have successfully installed an elk stack with the sec pack "x-pack". Further i created 1 user with the roles kibana_user and events_admin. The kibana_user ist default and the events_admin has: Cluster Priv: all, index Priv indices: * Privs: all
configured over the Kibana webinterface with elastic user.
Every time i get following error:
Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user
Any Idea? Thanks for help!
What version of Elasticsearch and Kibana are you using?
When and where do you see that error? In Kibana? When you log in? Or in a log file?
To Just use Kibana and have access to the data in an index, a user would typically only require;
kibana_userread and view_index_metadata privs on that particular index (and no cluster privs)Plus optionally reporting_user and monitoring_user roles.
But the fact that you've given more privs should not be the problem.
You could turn on audit logging in your Elasticsearch cluster and that would show you what user it is getting the error and what index they are accessing.
https://www.elastic.co/guide/en/x-pack/current/auditing.html
You could also query Elasticsearch for your users and roles and paste it here so we could check that you really have everything set correctly.
curl -XGET http://localhost:9200/_xpack/security/role?pretty
curl -XGET http://localhost:9200/_xpack/security/user?pretty
Please let us know if that helps.
Regards,
Lee
Hi Lee,
thanks for some tips...
I'll get this error: Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [network] with the login over kibana...
curl -XGET http://elastic:changeme@localhost:9200/_xpack/security/user?pretty
{
"elastic" : {
"username" : "elastic",
"roles" : [
"superuser"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"kibana" : {
"username" : "kibana",
"roles" : [
"kibana_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"logstash_system" : {
"username" : "logstash_system",
"roles" : [
"logstash_system"
],
"full_name" : null,
"email" : null,
"metadata" : {
"_reserved" : true
},
"enabled" : true
},
"network" : {
"username" : "network",
"roles" : [
"kibana_user",
"events_admin2"
],
"full_name" : "network",
"email" : "ntwk@nt.com",
"metadata" : { },
"enabled" : true
}
}
curl -XGET http://elastic:changeme@localhost:9200/_xpack/security/role?pretty
{
"watcher_admin" : {
"cluster" : [
"manage_watcher"
],
"indices" : [
{
"names" : [
".watches",
".triggered_watches",
".watcher-history-"
],
"privileges" : [
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"logstash_system" : {
"cluster" : [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"kibana_user" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
".kibana"
],
"privileges" : [
"manage",
"read",
"index",
"delete"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"machine_learning_user" : {
"cluster" : [
"monitor_ml"
],
"indices" : [
{
"names" : [
".ml-anomalies*",
".ml-notifications"
],
"privileges" : [
"view_index_metadata",
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"remote_monitoring_agent" : {
"cluster" : [
"manage_index_templates",
"manage_ingest_pipelines",
"monitor",
"cluster:admin/xpack/watcher/watch/get",
"cluster:admin/xpack/watcher/watch/put",
"cluster:admin/xpack/watcher/watch/delete"
],
"indices" : [
{
"names" : [
".marvel-es-",
".monitoring-"
],
"privileges" : [
"all"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"machine_learning_admin" : {
"cluster" : [
"manage_ml"
],
"indices" : [
{
"names" : [
".ml-"
],
"privileges" : [
"view_index_metadata",
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"watcher_user" : {
"cluster" : [
"monitor_watcher"
],
"indices" : [
{
"names" : [
".watches",
".watcher-history-"
],
"privileges" : [
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"monitoring_user" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
".marvel-es-",
".monitoring-"
],
"privileges" : [
"read"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"reporting_user" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
".reporting-"
],
"privileges" : [
"read",
"write"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"kibana_system" : {
"cluster" : [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices" : [
{
"names" : [
".kibana",
".reporting-"
],
"privileges" : [
"all"
]
}
],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"transport_client" : {
"cluster" : [
"transport_client"
],
"indices" : [ ],
"run_as" : [ ],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"superuser" : {
"cluster" : [
"all"
],
"indices" : [
{
"names" : [
""
],
"privileges" : [
"all"
]
}
],
"run_as" : [
""
],
"metadata" : {
"_reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"ingest_admin" : {
"cluster" : [
"manage_index_templates",
"manage_pipeline"
],
"indices" : [ ],
"run_as" : [ ],
"metadata" : {
"reserved" : true
},
"transient_metadata" : {
"enabled" : true
}
},
"events_admin2" : {
"cluster" : [ ],
"indices" : [
{
"names" : [
"logstash"
],
"privileges" : [
"read",
"view_index_metadata"
]
}
],
"run_as" : [ ],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}
Maybe an idea?
i will turn on audit-logging now, giving response later! Thank you again! 
With the audit-log i found the error...
[2017-07-18T12:18:41,333] [transport] [access_denied] origin_type=[rest], origin_address=[127.0.0.1], principal=[floham], action=[indices:data/write/update], indices=[.logstash], request=[UpdateRequest]
Thanks for all! cya
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.