The security index is not yet available - no role mappings can be loaded

Hello X-Pack community,

After installing an elasticsearch cluster 5.6.3 on Kubernetes for about one week. One of my data nodes crushed and I can't access to the cluster anymore.

The master reports the following error:

The security index is not yet available - no role mappings can be loaded

Is there a way to disable xpack security dynamically ? How can I restore this index? I can't even access to the cluster state
Ps: my cluster is combined of 3 data nodes, one client and 3 masters.

Any help will be so appreciated !

The message you are quoting is not strictly an error. It's only logged as an INFO message - by itself it is not the cause of whatever problem you are facing, though it may be making things more complicated to resolve.

Check your logs to see if ther e are more details about why you security index is not available - there should be something more detailed than that.

It is not possible to disable security dynamically, but you may be able to make some dynamic changes to re-enable access to your cluster.

What security realms are you using?

Thanks for your reply, I'm using basic authentication (username, password), here is the log trace:

[2017-11-12T06:12:32,751][WARN ][o.e.g.GatewayAllocator$InternalPrimaryShardAllocator] [yassir-es-master-1230842250-k3q6s] [.security][0]: failed to list shard for shard_started on node [7ydbQuEOR2OaCMRYYPA9YQ]
org.elasticsearch.action.FailedNodeException: Failed node [7ydbQuEOR2OaCMRYYPA9YQ]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$AsyncAction.onFailure(TransportNodesAction.java:239) ~[elasticsearch-5.6.3.jar:5.6.3]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$AsyncAction.access$200(TransportNodesAction.java:153) ~[elasticsearch-5.6.3.jar:5.6.3]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$AsyncAction$1.handleException(TransportNodesAction.java:211) ~[elasticsearch-5.6.3.jar:5.6.3]
        at org.elasticsearch.transport.TransportService.sendRequest(TransportService.java:510) ~[elasticsearch-5.6.3.jar:5.6.3]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$AsyncAction.start(TransportNodesAction.java:197) ~[elasticsearch-5.6.3.jar:5.6.3]
        ... 50 more

The same exception is displayed for other X-Pack indices (watcher, watcher history, monitoring etc).

So this isn't really an X-Pack specific issue - you have a problem with a failed node that is causing you to have unavailable indices.
What happened to your cluster?

I'm using basic authentication

I mean where is that user defined? Have you set up AD/LDAP integration, did you create a user through the API, or are you just using the builtin users?

My best guess is that you haven't customised your security realms, so the simplest option is to add a new file-based superuser so that you can start to access the _cat/ APIs and look at your cluster health in more detail.

You'll need to run the following command on every node in your cluster (but pick your own password)

bin/x-pack/users useradd admin -r superuser -p my-secret-password

That will create a new superuser called admin with password my-secret-password

You can then use that to authenticate to the various health check APIs.

Yes as you guessed I'm using the builtin users, the above command will help me a lot.

Thanks again.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.