[Shield] Kibana error on startup

Pierre_Jacquot · October 20, 2015, 4:15pm

Hello,

I'm trying to use Shield with elasticSearch and kibana, but I get the following error when I launch kibana

"level":50,"err":{"message":"AuthorizationException[action [cluster:monitor/health] is unauthorized for user [XXXXX]]","name":"Error","stack":"Error: AuthorizationException[action [cluster:monitor/health] is unauthorized for user [XXXXX]]

I have follow the instruction describe is the topic bellow without any success :

Here is the elasticSearch configuration related to shield :
shield.authc.realms.default.type: esusers
shield.authc.realms.default.order: 0
shield.authc.realms.default.files.users: /etc/elasticsearch/shield/user
shield.authc.realms.default.files.users_roles: /etc/elasticsearch/shield/users_roles
shield.authc.realms.default.files.roles: /etc/elasticsearch/shield/roles

and the content of /etc/elasticsearch/shield/user file
toto:$2a$10$ZMwDYq/U7jJOHkgdE77Z7uUS4qPhqDRhtwBJlXt0TE.verOva5eWe
kibana:$2a$10$wgi9556p286bUeNSYBE34.1wVl6gT8/a56kesRUEt3Ugmnv8CWDfe

here is the content of users_roles file :
admin:es_admin,kibana,ng36cb1
kibana4_server:toto

roles files have not been updated, and I have try multiple test with admin and kibana4 roles without success.
Anyone have an idea of the origin of this issue ?

jaymode · October 21, 2015, 1:23pm

Hi Pierre,

I am sorry that you have not had success getting Kibana to work with Shield, lets work on resolving that. What did you configure in your kibana.yml? What versions of Kibana, Elasticsearch, and Shield are you using?

Are you able to issue curl commands to the elasticsearch node protected by shield with success?

-Jay

Pierre_Jacquot · October 22, 2015, 9:10am

Hello,

I'm sorry for the missing information.
Here is a quick view of the product versions :

Elastic search : Version: 1.7.0, Build: 929b973/2015-07-16T14:31:07Z, JVM: 1.8.0_40
Kibana : Version : 4.1.1
Shield : Version 1.3.2

Here is the content of my kybana.yml file

port: 5601
host: "0.0.0.0"
elasticsearch_url: "http://localhost:9200"
elasticsearch_preserve_host: true
kibana_index: ".kibana"
kibana_elasticsearch_username: toto
kibana_elasticsearch_password: aaaaaa
default_app_id: "discover"
request_timeout: 300000
shard_timeout: 0
verify_ssl: true
bundled_plugin_ids:
 - plugins/dashboard/index
 - plugins/discover/index
 - plugins/doc/index
 - plugins/kibana/index
 - plugins/markdown_vis/index
 - plugins/metric_vis/index
 - plugins/settings/index
 - plugins/table_vis/index
 - plugins/vis_types/index
 - plugins/visualize/index

I have tested connection use the folllowing url and it's works

curl -u toto:aaaaaa http://localhost:9200
{
"status" : 200,
"name" : "ELK INT",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "1.7.0",
"build_hash" : "929b9739cae115e73c346cb5f9a6f24ba735a743",
"build_timestamp" : "2015-07-16T14:31:07Z",
"build_snapshot" : false,
"lucene_version" : "4.10.4"
},
"tagline" : "You Know, for Search"
}

jaymode · October 22, 2015, 12:15pm

Can you try to curl http://localhost:9200/_cluster/health instead? The root URL only requires authentication and not authorization.

Pierre_Jacquot · October 22, 2015, 7:15pm

Hello,

I have test it, and I get an error of authorization also.
I have checked the following parameters

> shield.authc.realms.default.files.roles: /etc/elasticsearch/shield/roles

and correct it with

shield.authc.realms.default.files.roles: /etc/elasticsearch/shield/roles.yml

but I still have an issue.

jaymode · October 22, 2015, 7:33pm

Ah, I think the issue is that setting should be:

shield.authz.store.file.roles: /etc/elasticsearch/shield/roles.yml

Pierre_Jacquot · October 23, 2015, 7:19am

Hello Jaymode,

I have updated the line as you tell me to do and it's works as expected !
Thanks for your help !