X-pack 5.4.1 Role mapping not getting applied on AD users

venuambati · July 6, 2017, 8:25am

I am using ELK and x-pack 5.4.1 version. I am using AD authentication using x-pack. System is allowing me to login But getting this error.

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user <user name error>"

I have defined roles in Kibana and Role mapping in "/config/x-pack/role_mapping.yml" file. These roles are not getting applied when login.

PFB the elasticsearch.yml configuration.

    xpack.security.audit.enabled: true
   xpack:
  security:
    authc:
      realms:
       active_directory:
        type: active_directory
        order: 0
        domain_name: "<domain_name>"
        url: ldap://<ldaphost>:389
        unmapped_groups_as_roles: true
        #follow_referrals: false
        user_search:
         filter: "(&(objectClass=user)(sAMAccountName={0}))"
        files:
            role_mapping: "<Config Dir>/x-pack/role_mapping.yml"

role_mapping.yml

superuser:
  - "cn=<user name>,cn=Users,dc=<domain>,dc=com"

Access Logs:

[2017-07-06T12:21:44,998] [transport] [access_granted]  origin_type=[rest], origin_address=[<IP>], principal=[<user name>], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2017-07-06T12:21:45,000] [transport] [access_denied]   origin_type=[rest], origin_address=[<IP>], principal=[<user name>], action=[indices:data/read/search], indices=[.reporting-*], request=[SearchRequest]

Any help appreciated. Thanks in advance.

Regards
Venu

TimV · July 7, 2017, 2:51am

There are 2 likely explanations:

That the DN in your role_mapping.yml file is not the right match for your user.
That the path to your role_mapping file is incorrect.

Because you've redacted those in your post, it's hard to tell whether either of those are the cause, but they're the most likely.

To diagnose #1, try to GET /_xpack/security/_authenticate?pretty as the user you're trying to map to superuser.
The result of that API will tell you the DN and groups that your user is in, you can then check that these are the same as you have entered in your role_mapping file.

To diagnose #2, check the elasticsearch logs.
Check for messages for the DnRoleMapper category, if there is a problem with your file it will be logged there.

system · August 4, 2017, 2:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
X-Pack Security - Created Role not Apply to AD Users Elasticsearch	3	540	May 23, 2018
LDAP X-pack error Config: Error 403 Forbidden Elasticsearch	15	3331	November 29, 2017
LDAP Authorization issue X-PACK Elasticsearch	6	1732	August 30, 2017
X-Pack 5.2.1: Role mappings never get applied to LDAP groups Elasticsearch	5	1273	April 7, 2017
Roles in role_mapping.yml not assigned to ad user Elasticsearch	4	3156	June 12, 2017

X-pack 5.4.1 Role mapping not getting applied on AD users

Related topics