Watcher and Shield integration issue

alerting

(Pavel Mlejnek) #1

Hello,
we are running Elasticsearch 2.4.1 with Shield and are trying to configure Watcher.
Plugin installation was successful, and the plugin itself is running.

{
	"watcher_state": "started",
	"watch_count": 0,
	"execution_thread_pool": {
		"queue_size": 0,
		"max_size": 0
	},
	"manually_stopped": false
}

However, we are not able to create any watches.
When I try to create a new one, I get a security exception.

{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "action [indices:data/write/index] is unauthorized for user [__watcher_user]"
}
],
"type": "security_exception",
"reason": "action [indices:data/write/index] is unauthorized for user [__watcher_user]"
},
"status": 403
}

However, according to the documentation (https://www.elastic.co/guide/en/watcher/current/shield-integration.html), __watcher_user is an internal user of the plugin, and its privileges should not be set up via Shield.
How do I set up the privileges for __watcher_user and make this work?
Sorry, but the documentation doesn't really answer this question.
Thanks a lot!


(Alexander Reelsen) #2

Can you post a full recreation? Otherwise everything is just guessing. Also include the users/roles that are configured, for completeness.


(Pavel Mlejnek) #3

Hello,
is this sufficient?

/_shield/user

{
"marvel_user": {
"username": "marvel_user",
"roles": [
"marvel_user"
],
"full_name": null,
"email": null,
"metadata": {}
},
"kibana4_server": {
"username": "kibana4_server",
"roles": [
"kibana4_server"
],
"full_name": null,
"email": null,
"metadata": {}
},
"webapi_webapi_sys_app": {
"username": "webapi_webapi_sys_app",
"roles": [
"webapi_webapi_sys_app"
],
"full_name": null,
"email": null,
"metadata": {}
},
"kibana4": {
"username": "kibana4",
"roles": [
"kibana4"
],
"full_name": null,
"email": null,
"metadata": {}
},
"webapi_webapi_admin": {
"username": "webapi_webapi_admin",
"roles": [
"admin"
],
"full_name": null,
"email": null,
"metadata": {}
},
"cluster_monitor": {
"username": "cluster_monitor",
"roles": [
"cluster_monitor"
],
"full_name": null,
"email": null,
"metadata": {}
},
"maintenance": {
"username": "maintenance",
"roles": [
"maintenance",
"kibana4"
],
"full_name": null,
"email": null,
"metadata": {}
}
}

/_shield/role
{
"kibana4_server_cleanup": {
"cluster": [
"cluster:monitor/state",
"indices:admin/template/put",
"cluster:monitor/nodes/info",
"indices:admin/template/get",
"cluster:monitor/health"
],
"indices": [
{
"names": [
".kibana"
],
"privileges": [
"indices:admin/create",
"indices:admin/exists",
"indices:admin/mapping/put",
"indices:admin/mappings/fields/get",
"indices:admin/refresh",
"indices:admin/validate/query",
"indices:data/read/get",
"indices:data/read/mget",
"indices:data/read/search",
"indices:data/write/delete",
"indices:data/write/index",
"indices:data/write/update"
]
},
{
"names": [
""
],
"privileges": [
"indices:data/read/count",
"indices:data/read/exists",
"indices:data/read/explain",
"indices:data/read/field_stats",
"indices:data/read/get",
"indices:data/read/mget",
"indices:data/read/mpercolate",
"indices:data/read/msearch",
"indices:data/read/mtv",
"indices:data/read/percolate",
"indices:data/read/script/get",
"indices:data/read/scroll",
"indices:data/read/scroll/clear",
"indices:data/read/search",
"indices:data/read/tv",
"indices:data/write/bulk",
"indices:data/write/update",
"indices:data/write/delete",
"indices:data/write/script/put",
"indices:data/write/script/delete"
]
},
{
"names": [
".cleanup"
],
"privileges": [
"all"
]
},
{
"names": [
"cleanup-log
"
],
"privileges": [
"all"
]
}
],
"run_as": []
},
"kibana4_server": {
"cluster": [
"cluster:monitor/nodes/info",
"cluster:monitor/health"
],
"indices": [
{
"names": [
""
],
"privileges": [
"indices:admin/mappings/fields/get",
"indices:admin/validate/query",
"indices:data/read/search",
"indices:data/read/msearch",
"indices:data/read/field_stats"
]
},
{
"names": [
".kibana"
],
"privileges": [
"indices:admin/create",
"indices:admin/exists",
"indices:admin/mapping/put",
"indices:admin/mappings/fields/get",
"indices:admin/refresh",
"indices:admin/validate/query",
"indices:data/read/get",
"indices:data/read/mget",
"indices:data/read/search",
"indices:data/write/delete",
"indices:data/write/index",
"indices:data/write/update"
]
}
],
"run_as": []
},
"kibana4": {
"cluster": [
"cluster:monitor/nodes/info",
"cluster:monitor/health"
],
"indices": [
{
"names": [
"
"
],
"privileges": [
"indices:admin/mappings/fields/get",
"indices:admin/validate/query",
"indices:data/read/search",
"indices:data/read/msearch",
"indices:data/read/field_stats",
"indices:admin/get"
]
},
{
"names": [
".kibana"
],
"privileges": [
"indices:admin/exists",
"indices:admin/mapping/put",
"indices:admin/mappings/fields/get",
"indices:admin/refresh",
"indices:admin/validate/query",
"indices:data/read/get",
"indices:data/read/mget",
"indices:data/read/search",
"indices:data/write/delete",
"indices:data/write/index",
"indices:data/write/update"
]
}
],
"run_as": []
},
"logstash": {
"cluster": [
"indices:admin/template/get",
"indices:admin/template/put"
],
"indices": [
{
"names": [
"logstash-"
],
"privileges": [
"indices:data/write/bulk",
"indices:data/write/delete",
"indices:data/write/update",
"indices:data/read/search",
"indices:data/read/scroll",
"create_index"
]
}
],
"run_as": []
},
"marvel_user": {
"cluster": [],
"indices": [
{
"names": [
".marvel-es-
"
],
"privileges": [
"read"
]
},
{
"names": [
".kibana"
],
"privileges": [
"indices:admin/exists",
"indices:admin/mappings/fields/get",
"indices:admin/validate/query",
"indices:data/read/get",
"indices:data/read/mget",
"indices:data/read/search"
]
}
],
"run_as": []
},
"webapi_webapi_sys_app": {
"cluster": [
"cluster:monitor/nodes/liveness",
"cluster:monitor",
"cluster:monitor/health"
],
"indices": [
{
"names": [
""
],
"privileges": [
"all"
]
}
],
"run_as": []
},
"remote_marvel_agent": {
"cluster": [
"indices:admin/template/put",
"indices:admin/template/get"
],
"indices": [
{
"names": [
".marvel-es-
"
],
"privileges": [
"all"
]
}
],
"run_as": []
},
"power_user": {
"cluster": [
"all"
],
"indices": [
{
"names": [
""
],
"privileges": [
"all"
]
}
],
"run_as": []
},
"user": {
"cluster": [],
"indices": [
{
"names": [
"
"
],
"privileges": [
"read"
]
}
],
"run_as": []
},
"transport_client": {
"cluster": [
"cluster:monitor/nodes/liveness"
],
"indices": [],
"run_as": []
},
"cluster_monitor": {
"cluster": [
"cluster:monitor"
],
"indices": [],
"run_as": []
},
}
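Auto-create index setting in elasticsearch.yml (note: the `*` wildcards in this line and in the role index names above, which show up as empty or truncated strings, appear to have been dropped by the forum's formatting):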

action.auto_create_index: +.marvel-,+.kibana,.security,.watches,.triggered_watches,.watch_history-*

Request
PUT /_watcher/watch/cluster_health_watch
{
"trigger" : {
"schedule" : { "interval" : "10s" }
}
}

Response
{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "action [indices:data/write/index] is unauthorized for user [__watcher_user]"
}
],
"type": "security_exception",
"reason": "action [indices:data/write/index] is unauthorized for user [__watcher_user]"
},
"status": 403
}

Thanks a lot.


(Alexander Reelsen) #4

Is the user you are logged into Kibana with allowed to put watches (I can't see which user you are logged in as, or I missed it)? Also, can you include the full watch, just to be able to reproduce this?


(Pavel Mlejnek) #5

I am using an external client, not the native Sense (although I tried Sense as well, with the same results).
The user making the requests is admin and therefore should be able to perform any action.
I thought there might be an issue with __watcher_user. However, I am not really sure where to set up privileges for a user that is part of the plugin rather than Shield.


(Alexander Reelsen) #6

If you are not running in Sense/Console, can you share the full HTTP request, including credentials (password omitted, of course), headers, URI, etc.? I just want to make sure I get the whole picture.

