Using Kibana 4 with Shield: Auth problem

Elastic Stack Elasticsearch
1

Hi All,

I refer to 'using kibana 4 with shield steps (Using Kibana with Shield | Shield [2.4] | Elastic)' to practice kibana with shield, but got some error log after I restart Kibana

MY ENV (Elasticsearch Cluster: 1 master (140.92.25.126) 1 node (140.92.25.161) ; (Kibana 140.92.25.95)

{"name":"Kibana","hostname":"kibana","pid":53218,"level":60,"err":{"message":"RemoteTransportException[[enode1][inet[/140.92.25.161:9301]][cluster:monitor/health]]; nested: AuthorizationException[action [cluster:monitor/health] is unauthorized for user [franky]]; ","name":"Error","stack":"Error: RemoteTransportException[[enode1][inet[/140.92.25.161:9301]][cluster:monitor/health]]; nested: AuthorizationException[action [cluster:monitor/health] is unauthorized for user [franky]]; \n at respond (/var/www/html/kibana/src/node_modules/elasticsearch/src/lib/transport.js:235:15)\n at checkRespForFailure (/var/www/html/kibana/src/node_modules/elasticsearch/src/lib/transport.js:203:7)\n at HttpConnector. (/var/www/html/kibana/src/node_modules/elasticsearch/src/lib/connectors/http.js:156:7)\n at IncomingMessage.bound (/var/www/html/kibana/src/node_modules/elasticsearch/node_modules/lodash-node/modern/internals/baseBind.js:56:17)\n at IncomingMessage.emit (events.js:117:20)\n at _stream_readable.js:944:16\n at process._tickCallback (node.js:442:13)"},"msg":"","time":"2015-08-05T03:19:19.586Z","v":0}

@ Elasticsearch Master I did
$/usr/share/elasticsearch/bin/shield/esusers useradd franky -r kibana4_monitoring -p password

@ Elasticsearch Master I added following content to roles.yml

kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    'logstash-*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

@ Kibana, I modify kibana.yml

kibana_elasticsearch_username: franky
kibana_elasticsearch_password: password

Seems I missing something to configure?

Jason

2

Looks good, actually. Some things that come to mind:
Do you have more than one nodes in your cluster? Shield (and its config) should be installed on every node in your cluster.
Did you restart your node after installing Shield?

3

Hi Jason,

What versions of ES and Shield are you using?

It looks like you have installed ES using the RPM or Deb package.. Sometimes, when installing this way, people run into issues with setting the correct ES config directory path or file permissions when running the esusers utility. You should make sure that you have the ES config directory set correctly for the linux user you are running the esusers script with, and that the ES service (usually running as the elasticsearch user) has access to the files. Also see:

https://www.elastic.co/guide/en/shield/current/installing-shield.html#deb-rpm-install

Hope that helps!
Steve

4

Hi Patrick,

thanks for your replying, after restarting elasticsearch master and node, the user franky can be used

5

Hi Steve,

ES- 1.6
Shield- 1.3.1

After restarting all nodes of elasticsearch cluster, the new user franky can be used normally, thanks.

As the document (Using Kibana with Shield | Shield [2.4] | Elastic) said

For example, the following kibana4_monitoring role only allows users to discover and visualize data in the logstash-* indices.

there are two indices "logstash-" and "franky-", both two the user franky can access normally, it shall be not correct?

Jason