Using Kibana 4 with Shield: Auth problem


(Jason Zheng) #1

Hi All,

I referred to the 'Using Kibana 4 with Shield' steps (https://www.elastic.co/guide/en/shield/current/kibana.html#kibana4-user-role) to practice Kibana with Shield, but got an error in the log after I restarted Kibana.

My environment: Elasticsearch cluster with 1 master (140.92.25.126) and 1 node (140.92.25.161); Kibana (140.92.25.95)

{"name":"Kibana","hostname":"kibana","pid":53218,"level":60,"err":{"message":"RemoteTransportException[[enode1][inet[/140.92.25.161:9301]][cluster:monitor/health]]; nested: AuthorizationException[action [cluster:monitor/health] is unauthorized for user [franky]]; ","name":"Error","stack":"Error: RemoteTransportException[[enode1][inet[/140.92.25.161:9301]][cluster:monitor/health]]; nested: AuthorizationException[action [cluster:monitor/health] is unauthorized for user [franky]]; \n at respond (/var/www/html/kibana/src/node_modules/elasticsearch/src/lib/transport.js:235:15)\n at checkRespForFailure (/var/www/html/kibana/src/node_modules/elasticsearch/src/lib/transport.js:203:7)\n at HttpConnector. (/var/www/html/kibana/src/node_modules/elasticsearch/src/lib/connectors/http.js:156:7)\n at IncomingMessage.bound (/var/www/html/kibana/src/node_modules/elasticsearch/node_modules/lodash-node/modern/internals/baseBind.js:56:17)\n at IncomingMessage.emit (events.js:117:20)\n at _stream_readable.js:944:16\n at process._tickCallback (node.js:442:13)"},"msg":"","time":"2015-08-05T03:19:19.586Z","v":0}

On the Elasticsearch master I ran:
$ /usr/share/elasticsearch/bin/shield/esusers useradd franky -r kibana4_monitoring -p password

On the Elasticsearch master I added the following content to roles.yml:

kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    'logstash-*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

On Kibana, I modified kibana.yml:

kibana_elasticsearch_username: franky
kibana_elasticsearch_password: password

It seems I am missing something in the configuration?

Jason


(Patrick Kik) #2

Looks good, actually. Some things that come to mind:
Do you have more than one node in your cluster? Shield (and its config) should be installed on every node in your cluster.
Did you restart your node after installing Shield?


(Steve Kearns) #3

Hi Jason,

What versions of ES and Shield are you using?

It looks like you have installed ES using the RPM or Deb package. Sometimes, when installing this way, people run into issues with setting the correct ES config directory path or file permissions when running the esusers utility. You should make sure that you have the ES config directory set correctly for the Linux user you are running the esusers script with, and that the ES service (usually running as the elasticsearch user) has access to the files. Also see:

https://www.elastic.co/guide/en/shield/current/installing-shield.html#deb-rpm-install

Hope that helps!
Steve


(Jason Zheng) #4

Hi Patrick,

Thanks for your reply. After restarting the Elasticsearch master and node, the user franky can be used.


(Jason Zheng) #5

Hi Steve,

ES- 1.6
Shield- 1.3.1

After restarting all nodes of the Elasticsearch cluster, the new user franky can be used normally, thanks.

As the document (https://www.elastic.co/guide/en/shield/current/kibana.html#kibana4-server-role) says:

For example, the following kibana4_monitoring role only allows users to discover and visualize data in the logstash-* indices.

There are two indices, "logstash-" and "franky-", and the user franky can access both of them normally. That should not be correct?

Jason
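
Added example, not part of the thread and not Shield's own code: a small Python model of which requests the kibana4_monitoring role from post #1 covers, useful for auditing a role definition against the index names in a cluster. It assumes `*` is a plain wildcard in index patterns and action names; the helper names and the dated index names are constructed for illustration.

```python
import re

# Role from the roles.yml in post #1, as a dict (no YAML library needed).
# The '.kibana' list is shortened to three of its actions for space.
ROLES = {
    "kibana4_monitoring": {
        "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
        "indices": {
            "logstash-*": [
                "indices:admin/mappings/fields/get",
                "indices:admin/validate/query",
                "indices:data/read/search",
                "indices:data/read/msearch",
                "indices:admin/get",
            ],
            ".kibana": [
                "indices:data/read/get",
                "indices:data/read/search",
                "indices:data/write/index",
            ],
        },
    }
}


def wildcard_match(pattern, value):
    """Assumed rule: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def cluster_grants(user_roles, action):
    """Return the roles whose cluster section covers the action."""
    return [r for r in user_roles
            if any(wildcard_match(p, action)
                   for p in ROLES.get(r, {}).get("cluster", []))]


def index_grants(user_roles, index, action):
    """Return (role, index_pattern) pairs that cover the action on the index."""
    return [(r, pat)
            for r in user_roles
            for pat, actions in ROLES.get(r, {}).get("indices", {}).items()
            if wildcard_match(pat, index)
            and any(wildcard_match(a, action) for a in actions)]


if __name__ == "__main__":
    roles = ["kibana4_monitoring"]  # the -r value given to esusers useradd
    print("health:", cluster_grants(roles, "cluster:monitor/health"))
    for idx in ("logstash-2015.08.05", "franky-2015.08.05", ".kibana"):
        print(idx, index_grants(roles, idx, "indices:data/read/search"))
```

An empty result for an index the user can still read means the access is not explained by this role definition as written.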

