We're testing upgrades from v5.1.1 to v5.6.4 and we had all role based access working before the upgrade, but afterwards, no authentication/authorisation succeeded.
$ curl -s https://turbo:Secret@mycluster/myindex | jq .
{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "action [indices:admin/get] is unauthorized for user [turbo]"
}
],
"type": "security_exception",
"reason": "action [indices:admin/get] is unauthorized for user [turbo]"
},
"status": 403
}
I'm still running on the trial license that was generated under v5.1.1:
$ curl -s https://mycluster/_xpack/license
{
"license" : {
"status" : "active",
"uid" : "acb1b8f6-8667-49ef-b99a-847aba749c61",
"type" : "trial",
"issue_date" : "2018-04-04T17:52:15.919Z",
"issue_date_in_millis" : 1522864335919,
"expiry_date" : "2018-05-04T17:52:15.919Z",
"expiry_date_in_millis" : 1525456335919,
"max_nodes" : 1000,
"issued_to" : "dbase-tst",
"issuer" : "elasticsearch",
"start_date_in_millis" : -1
}
}
There's no indices that needs upgrading:
$ curl -s https://elastic:Secret@dbase-tst.pharmpress.net/_xpack/migration/assistance | jq .
{
"indices": {}
}
The relevant X-Pack configuration:
root@coordinating_host_one:/etc/elasticsearch/coordinating_host_one# grep ^xpack elasticsearch.yml
xpack.graph.enabled: false
xpack.monitoring.enabled: true
xpack.monitoring.exporters.my_local.type: local
xpack.monitoring.exporters.my_local.use_ingest: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs:
xpack.security.authc.anonymous.authz_exception: false
xpack.security.authc.anonymous.roles: anon
xpack.security.authc.anonymous.username: anon
xpack.security.authc.realms.ldap1.bind_dn: "<AUTH_DN>"
xpack.security.authc.realms.ldap1.bind_password: "Secret"
xpack.security.authc.realms.ldap1.group_search.base_dn: "<BASE_DN>"
xpack.security.authc.realms.ldap1.group_search.user_attribute: cn
xpack.security.authc.realms.ldap1.order: 1
xpack.security.authc.realms.ldap1.ssl.certificate_authorities:
xpack.security.authc.realms.ldap1.timeout.ldap_search: "15s"
xpack.security.authc.realms.ldap1.timeout.tcp_connect: "15s"
xpack.security.authc.realms.ldap1.timeout.tcp_read: "15s"
xpack.security.authc.realms.ldap1.type: ldap
xpack.security.authc.realms.ldap1.unmapped_groups_as_roles: false
xpack.security.authc.realms.ldap1.url: "ldaps://myldapserver"
xpack.security.authc.realms.ldap1.user_search.attribute: uid
xpack.security.authc.realms.ldap1.user_search.base_dn: "<BASE_DN>"
xpack.security.authc.realms.local.order: 0
xpack.security.authc.realms.local.type: file
xpack.security.enabled: true
xpack.security.http.filter.allow: "10.114.2.0/16"
xpack.security.http.filter.deny: "_all"
xpack.security.http.filter.enabled: true
xpack.security.transport.filter.allow: "10.114.2.0/16"
xpack.security.transport.filter.deny: "_all"
xpack.security.transport.filter.enabled: true
I'm member of the 'admins' group, which have the following access and one of my developers is in the 'devs' group:
root@coordinating_host_one:/etc/elasticsearch/x-pack# cat roles.yml
admins:
cluster:
- all
indices:
- names:
- "*"
privileges:
- all
devs:
cluster:
- manage
indices:
- names:
- "*"
privileges:
- manage
- read
- view_index_metadata
[...]
This worked on v5.1.1. Is there another way of doing it now or what could I have missed?