User can't create index, even with create_index and create permissions

Hello everybody.

I had this issue before using Metricbeat. I created an user called metricbeat_internal to write and read all the stuff related to that Beat and to make it visible on Kibana. So, I assigned two roles to it (a reader and a writer). They have the following privileges:

  • monitor and manage_index_templates (cluster)
  • write, delete, create_index, create (index)
  • read and view_index_metadata (index)

But, after creating the user and restarting the stack, I received the following error on Metricbeat logs:
2017-02-21T14:22:38-06:00 WARN Can not index event (status=403): {"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [metricbeat_internal]"}

I fixed it by assigning superuser roles for a while and it solved the problem, even though it isn't a proper solution at all.

Now, I'm trying the Netflow codec on Logstash, where I have a similar user with the same roles as described before, and got the same issue:
[2017-03-10T09:15:33,085][WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>403, :action=>["index", {:_id=>nil, :_index=>"netflow-2017.03.10", :_type=>"netflow", :_routing=>nil}, 2017-03-10T15:15:06.000Z %{message}], :response=>{"index"=>{"_index"=>"netflow-2017.03.10", "_type"=>"netflow", "_id"=>nil, "status"=>403, "error"=>{"type"=>"security_exception", "reason"=>"action [indices:admin/create] is unauthorized for user [logstash_internal]"}}}}

How can this be solved?

I just saw what happened. The netflow data was being sent to another index, instead of the logstash one. I had to set it on the roles and set the index pattern on Kibana to see the information.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.