X-pack PKI based authentication between elasticsearch and kibana


(Shivanshu Bagga) #1

Hi,

I'm using X-Pack to secure the ELK stack. I don't want to put a plain-text "username" and "password" in the kibana.yml file, so I chose PKI (Public Key Infrastructure) based authentication. I'm getting some errors while trying to establish the connection.

kibana output-

  log   [08:26:38.869] [info][status][plugin:kibana@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:38.942] [info][status][plugin:elasticsearch@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [08:26:38.968] [info][status][plugin:xpack_main@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [08:26:39.298] [info][status][plugin:graph@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [08:26:39.311] [info][status][plugin:monitoring@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:41.089] [warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
  log   [08:26:41.096] [info][status][plugin:reporting@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [08:26:41.159] [info][status][plugin:security@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [08:26:41.161] [warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
  log   [08:26:41.233] [error][status][plugin:xpack_main@6.0.0] Status changed from yellow to red - Authentication Exception
  log   [08:26:41.234] [error][status][plugin:graph@6.0.0] Status changed from yellow to red - Authentication Exception
  log   [08:26:41.235] [error][status][plugin:reporting@6.0.0] Status changed from yellow to red - Authentication Exception
  log   [08:26:41.236] [error][status][plugin:security@6.0.0] Status changed from yellow to red - Authentication Exception
  log   [08:26:41.238] [error][status][plugin:elasticsearch@6.0.0] Status changed from yellow to red - Authentication Exception
  log   [08:26:41.251] [error][status][plugin:searchprofiler@6.0.0] Status changed from uninitialized to red - Authentication Exception
  log   [08:26:41.270] [error][status][plugin:ml@6.0.0] Status changed from uninitialized to red - Authentication Exception
  log   [08:26:41.348] [info][status][plugin:ml@6.0.0] Status changed from red to yellow - Waiting for Elasticsearch
  log   [08:26:41.373] [error][status][plugin:tilemap@6.0.0] Status changed from uninitialized to red - Authentication Exception
  log   [08:26:41.426] [error][status][plugin:ml@6.0.0] Status changed from yellow to red - Authentication Exception
  log   [08:26:41.444] [error][status][plugin:watcher@6.0.0] Status changed from uninitialized to red - Authentication Exception
  log   [08:26:41.497] [info][status][plugin:grokdebugger@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:41.511] [info][status][plugin:dashboard_mode@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:41.518] [error][status][plugin:logstash@6.0.0] Status changed from uninitialized to red - Authentication Exception
  log   [08:26:41.559] [info][status][plugin:console@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:41.576] [info][status][plugin:metrics@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:41.821] [info][status][plugin:timelion@6.0.0] Status changed from uninitialized to green - Ready
  log   [08:26:41.825] [info][listening] Server running at https://localhost:5601
  log   [08:26:41.827] [error][status][ui settings] Status changed from uninitialized to red - Elasticsearch plugin is red

elasticsearch.yml -

xpack.ssl.key: "CN=elastic,OU=IT,DC=mydomain,DC=com/CN=elastic,OU=IT,DC=mydomain,DC=com.key"
xpack.ssl.certificate: "CN=elastic,OU=IT,DC=mydomain,DC=com/CN=elastic,OU=IT,DC=mydomain,DC=com.crt"
xpack.ssl.certificate_authorities:
- "ca/ca.crt"
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.monitoring.enabled: true
xpack.security.transport.ssl.client_authentication: "optional"
xpack.ssl.verification_mode: "certificate"
xpack.security.transport.ssl.verification_mode: "certificate"

xpack.security.authc.realms:
  pki:
    type: pki
    order: 0
    certificate_authorities:
      - "ca/ca.crt"
  native:
    type: native
    order: 1

kibana.yml -

elasticsearch.url: "https://localhost:9200"
server.ssl.enabled: true
server.ssl.certificate: "/opt/elasticsearch-6.0.0/config/CN=elastic,OU=IT,DC=mydomain,DC=com/CN=elastic,OU=IT,DC=mydomain,DC=com.crt"
server.ssl.key: "/opt/elasticsearch-6.0.0/config/CN=elastic,OU=IT,DC=mydomain,DC=com/CN=elastic,OU=IT,DC=mydomain,DC=com.key"
elasticsearch.ssl.certificate: "/opt/elasticsearch-6.0.0/config/CN=elastic,OU=IT,DC=mydomain,DC=com/CN=elastic,OU=IT,DC=mydomain,DC=com.crt"
elasticsearch.ssl.key: "/opt/elasticsearch-6.0.0/config/CN=elastic,OU=IT,DC=mydomain,DC=com/CN=elastic,OU=IT,DC=mydomain,DC=com.key"

My default x-pack username is "elastic" and that is the same as the CN of the certificate.

I used the following configuration to generate the certificate with certgen -

certgen.yml -

instances:
  - name: "CN=elastic,OU=IT,DC=mydomain,DC=com"
    ip:
      - "127.0.0.1"
    dns:
      - "localhost"

(Ioannis Kakavas) #2

Hi,

You have enabled ssl.client_authentication for the transport layer only

xpack.security.transport.ssl.client_authentication: "optional"

but not for http (which is how kibana "talks" to elasticsearch). You need to set

xpack.security.http.ssl.client_authentication: "optional"

too. Also note that unless explicitly configured, your CN=elastic, OU=IT, DC=mydomain, DC=com user will not have any roles, so you'll start getting Authorization errors in Kibana logs.


(Shivanshu Bagga) #3

Thanks for your reply,

Getting the same error even after enabling

xpack.security.http.ssl.client_authentication: "optional"

kibana output-

  log   [10:43:09.911] [info][status][plugin:kibana@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:09.994] [info][status][plugin:elasticsearch@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:10.003] [info][status][plugin:xpack_main@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:10.466] [info][status][plugin:graph@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:10.500] [info][status][plugin:monitoring@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:12.367] [warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
  log   [10:43:12.374] [info][status][plugin:reporting@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:12.452] [info][status][plugin:security@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:12.454] [warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
  log   [10:43:12.589] [info][status][plugin:searchprofiler@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:12.600] [info][status][plugin:ml@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [10:43:12.744] [error][status][plugin:xpack_main@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.747] [error][status][plugin:graph@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.749] [error][status][plugin:reporting@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.756] [error][status][plugin:security@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.764] [error][status][plugin:searchprofiler@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.768] [error][status][plugin:ml@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.770] [error][status][plugin:elasticsearch@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [10:43:12.796] [error][status][plugin:tilemap@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [10:43:12.851] [error][status][plugin:watcher@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [10:43:12.895] [info][status][plugin:grokdebugger@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:12.911] [info][status][plugin:dashboard_mode@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:12.920] [error][status][plugin:logstash@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [10:43:12.964] [info][status][plugin:console@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:12.985] [info][status][plugin:metrics@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:13.295] [info][status][plugin:timelion@6.0.0] Status changed from uninitialized to green - Ready
  log   [10:43:13.302] [info][listening] Server running at https://localhost:5601
  log   [10:43:13.305] [error][status][ui settings] Status changed from uninitialized to red - Elasticsearch plugin is red
  log   [10:43:33.090] [error][client][connection] Error: socket hang up
    at TLSSocket.<anonymous> (_tls_wrap.js:847:25)
    at emitOne (events.js:101:20)
    at TLSSocket.emit (events.js:188:7)
    at _handle.close (net.js:497:12)
    at Socket.done (_tls_wrap.js:332:7)
    at Socket.g (events.js:292:16)
    at emitOne (events.js:101:20)
    at Socket.emit (events.js:188:7)
    at TCP._handle.close [as _onclose] (net.js:497:12)

and I've already mapped the PKI user. If I call -

GET https://localhost:9200/_xpack/security/role_mapping/users

I get this output -

{"users":{"enabled":true,"roles":["superuser"],"rules":{"field":{"dn":"cn=CN=elastic,OU=IT,DC=mydomain,DC=com"}},"metadata":{}}}

Any luck?


(Ioannis Kakavas) #4

Hi again,

This is not the same error :slight_smile: Before, you were seeing Authentication errors:

log [08:26:41.238] [error][status][plugin:elasticsearch@6.0.0] Status changed from yellow to red - Authentication Exception

now you're seeing Authorization errors:

log [10:43:12.770] [error][status][plugin:elasticsearch@6.0.0] Status changed from yellow to red - Authorization Exception

and that is because your role mapping seems to be incorrect. Assuming what you entered above

{"users":{"enabled":true,"roles":["superuser"],"rules":{"field":{"dn":"cn=CN=elastic,OU=IT,DC=mydomain,DC=com"}},"metadata":{}}}
is what you get from the /role_mapping/users endpoint

You should change:

"dn":"cn=CN=elastic,OU=IT,DC=mydomain,DC=com" to
"dn":"CN=elastic,OU=IT,DC=mydomain,DC=com"


(Shivanshu Bagga) #5

Thanks,

I changed

"dn":"cn=CN=elastic,OU=IT,DC=mydomain,DC=com" to
"dn":"CN=elastic,OU=IT,DC=mydomain,DC=com"

But I'm still getting the error

  log   [11:00:26.633] [info][status][plugin:kibana@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:26.717] [info][status][plugin:elasticsearch@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:00:26.747] [info][status][plugin:xpack_main@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:00:26.984] [info][status][plugin:graph@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:00:27.006] [info][status][plugin:monitoring@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:28.440] [warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
  log   [11:00:28.446] [info][status][plugin:reporting@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:00:28.887] [error][status][plugin:xpack_main@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:00:28.888] [error][status][plugin:graph@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:00:28.889] [error][status][plugin:reporting@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:00:28.889] [error][status][plugin:elasticsearch@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:00:42.019] [error][status][plugin:security@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:00:42.025] [warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
  log   [11:00:42.121] [error][status][plugin:searchprofiler@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:00:42.159] [error][status][plugin:ml@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:00:42.295] [info][status][plugin:ml@6.0.0] Status changed from red to yellow - Waiting for Elasticsearch
  log   [11:00:42.341] [error][status][plugin:tilemap@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:00:42.356] [error][status][plugin:watcher@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:00:42.417] [error][status][plugin:ml@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:00:42.423] [info][status][plugin:grokdebugger@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:42.432] [info][status][plugin:dashboard_mode@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:42.437] [error][status][plugin:logstash@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:00:42.485] [info][status][plugin:console@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:42.499] [info][status][plugin:metrics@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:42.783] [info][status][plugin:timelion@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:00:42.790] [info][listening] Server running at https://localhost:5601
  log   [11:00:42.791] [error][status][ui settings] Status changed from uninitialized to red - Elasticsearch plugin is red

Am I missing something?


(Ioannis Kakavas) #6

If you run

curl -k -u elastic -XGET 'https://localhost:9200/_xpack/security/role_mapping/users?pretty'

does it return?

{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "CN=elastic, OU=IT, DC=mydomain, DC=com"
      }
    },
    "metadata" : { }
  }
}

If the above is true and you still get Authorization exceptions, I need to see some more logs so please add

logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG

in your $ES_HOME/config/log4j2.properties, restart Elasticsearch and Kibana and paste here (using </>) the log from Elasticsearch.

We are mostly interested in lines starting with

[DEBUG][o.e.x.s.a.s.DnRoleMapper ]
[DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore ]

(Shivanshu Bagga) #7

Hi,

Yes, the API returns the same output.

Output after enabling the debug logger for "org.elasticsearch.xpack.security.authc"

Elasticsearch output -

[2017-12-21T06:29:47,942][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin org.elasticsearch.xpack.XPackPlugin
[2017-12-21T06:29:49,134][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [c0OIqfJ] [0] role mappings found in file [/opt/shivanshu/tools/with-x-pack/elasticsearch-6.0.0/config/x-pack/role_mapping.yml] for realm [pki/pki]

Even then, I manually added the user to es_home/config/x-pack/role_mapping.yml

role_mapping.yml

power_user:
  - "CN=elastic, OU=IT, DC=mydomain, DC=com"

And then the Elasticsearch output -

[2017-12-21T06:33:36,760][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin org.elasticsearch.xpack.XPackPlugin
[2017-12-21T06:33:37,773][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [c0OIqfJ] [1] role mappings found in file [/opt/shivanshu/tools/with-x-pack/elasticsearch-6.0.0/config/x-pack/role_mapping.yml] for realm [pki/pki]
[2017-12-21T06:33:38,484][INFO ][o.e.x.m.j.p.l.CppLogMessageHandler] [controller/12214] [Main.cc@128] controller (64 bit): Version 6.0.0 (Build 8e6ab35cf803a2) Copyright (c) 2017 Elasticsearch BV
[2017-12-21T06:33:38,506][INFO ][o.e.d.DiscoveryModule    ] [c0OIqfJ] using discovery type [zen]
[2017-12-21T06:33:40,352][INFO ][o.e.n.Node               ] initialized
[2017-12-21T06:33:40,352][INFO ][o.e.n.Node               ] [c0OIqfJ] starting ...

kibana output -

  log   [11:34:56.504] [info][status][plugin:kibana@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:34:56.597] [info][status][plugin:elasticsearch@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:34:56.605] [info][status][plugin:xpack_main@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:34:57.035] [info][status][plugin:graph@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:34:57.046] [info][status][plugin:monitoring@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:34:59.227] [warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
  log   [11:34:59.233] [info][status][plugin:reporting@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:34:59.325] [info][status][plugin:security@6.0.0] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [11:34:59.329] [warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
  log   [11:34:59.414] [error][status][plugin:xpack_main@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:34:59.415] [error][status][plugin:graph@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:34:59.417] [error][status][plugin:reporting@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:34:59.419] [error][status][plugin:security@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:34:59.430] [error][status][plugin:elasticsearch@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:34:59.493] [error][status][plugin:searchprofiler@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:34:59.526] [error][status][plugin:ml@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:34:59.633] [info][status][plugin:ml@6.0.0] Status changed from red to yellow - Waiting for Elasticsearch
  log   [11:34:59.666] [error][status][plugin:tilemap@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:34:59.681] [error][status][plugin:ml@6.0.0] Status changed from yellow to red - Authorization Exception
  log   [11:34:59.698] [error][status][plugin:watcher@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:34:59.763] [info][status][plugin:grokdebugger@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:34:59.773] [info][status][plugin:dashboard_mode@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:34:59.783] [error][status][plugin:logstash@6.0.0] Status changed from uninitialized to red - Authorization Exception
  log   [11:34:59.807] [info][status][plugin:console@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:34:59.850] [info][status][plugin:metrics@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:35:00.124] [info][status][plugin:timelion@6.0.0] Status changed from uninitialized to green - Ready
  log   [11:35:00.129] [info][listening] Server running at https://localhost:5601
  log   [11:35:00.131] [error][status][ui settings] Status changed from uninitialized to red - Elasticsearch plugin is red

And ES output during the handshake -

[2017-12-21T06:35:44,785][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [c0OIqfJ] Mapping user [UserData{username:elastic; CN=elastic, OU=IT, DC=mydomain, DC=com; groups:[]; metadata:{pki_dn=CN=elastic, OU=IT, DC=mydomain, DC=com}; realm=pki}] to roles [[]]
[2017-12-21T06:35:44,939][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [c0OIqfJ] the roles [[]], are mapped from these [pki] groups [[]] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T06:35:44,939][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [c0OIqfJ] the roles [[]], are mapped from the user [CN=elastic, OU=IT, DC=mydomain, DC=com] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T06:35:44,943][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [c0OIqfJ] Mapping user [UserData{username:elastic; CN=elastic, OU=IT, DC=mydomain, DC=com; groups:[]; metadata:{pki_dn=CN=elastic, OU=IT, DC=mydomain, DC=com}; realm=pki}] to roles [[]]

(Ioannis Kakavas) #8

Two issues here:

  1. Your mapping via the Role mapping API seems to be wrong. Please paste the output of

curl -k -u elastic -XGET 'https://localhost:9200/_xpack/security/role_mapping/users?pretty'

to make sure there are no typos there. You would expect lines like the following:

[o.e.x.s.a.s.m.NativeRoleMappingStore] [ogAb7Hx] Mapping user [UserData{username:elastic; dn:CN=elastic, OU=IT, DC=mydomain, DC=com; groups:[]; metadata:{pki_dn=CN=elastic, OU=IT, DC=mydomain, DC=com}; realm=pki}] to roles [[superuser]]

but you get

[2017-12-21T06:35:44,943][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [c0OIqfJ] Mapping user [UserData{username:elastic; CN=elastic, OU=IT, DC=mydomain, DC=com; groups:[]; metadata:{pki_dn=CN=elastic, OU=IT, DC=mydomain, DC=com}; realm=pki}] to roles [[]]

  2. When you attempted to map the user via role_mapping.yml, you mapped it to a power_user role. I don't know what this role is and how it is defined, but it is possible that there are no permissions attached to this role and this is why you keep getting Authorization errors.

You didn't attach your logs from when you tried this around [2017-12-21T06:33:40,352]

If you want to use the role_mapping file instead of the role mapping API, you need to set the mapping to a role that will give kibana the permissions it needs. Try setting this to superuser instead of power_user, for example.


(Shivanshu Bagga) #9

I even created a different user "shivanshu" instead of the default "elastic" user, but it did not work for me.

API response -

[me@localhost x-pack]$ curl -k -u elastic -XGET 'https://localhost:9200/_xpack/security/role_mapping/users?pretty'
Enter host password for user 'elastic':
{
  "users" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "field" : {
        "dn" : "cn=shivanshu,ou=example,o=com"
      }
    },
    "metadata" : { }
  }
}

But I can see the same ES output -

[2017-12-21T07:53:52,395][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [jXj4sL5] Mapping user [UserData{username:shivanshu; dn:CN=shivanshu, OU=example, O=com; groups:[]; metadata:{pki_dn=CN=shivanshu, OU=example, O=com}; realm=pki}] to roles [[]]
[2017-12-21T07:53:52,640][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [jXj4sL5] the roles [[]], are mapped from these [pki] groups [[]] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T07:53:52,640][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [jXj4sL5] the roles [[]], are mapped from the user [CN=shivanshu, OU=example, O=com] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T07:53:52,644][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [jXj4sL5] Mapping user [UserData{username:shivanshu; dn:CN=shivanshu, OU=example, O=com; groups:[]; metadata:{pki_dn=CN=shivanshu, OU=example, O=com}; realm=pki}] to roles [[]]
[2017-12-21T07:53:54,946][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [jXj4sL5] the roles [[]], are mapped from these [pki] groups [[]] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T07:53:54,946][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [jXj4sL5] the roles [[]], are mapped from the user [CN=shivanshu, OU=example, O=com] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T07:53:54,949][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [jXj4sL5] Mapping user [UserData{username:shivanshu; dn:CN=shivanshu, OU=example, O=com; groups:[]; metadata:{pki_dn=CN=shivanshu, OU=example, O=com}; realm=pki}] to roles [[]]
[2017-12-21T07:53:55,151][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [jXj4sL5] the roles [[]], are mapped from these [pki] groups [[]] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T07:53:55,152][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [jXj4sL5] the roles [[]], are mapped from the user [CN=shivanshu, OU=example, O=com] using file [role_mapping.yml] for realm [pki/pki]
[2017-12-21T07:53:55,155][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [jXj4sL5] Mapping user [UserData{username:shivanshu; dn:CN=shivanshu, OU=example, O=com; groups:[]; metadata:{pki_dn=CN=shivanshu, OU=example, O=com}; realm=pki}] to roles [[]]

(Ioannis Kakavas) #10

Not sure what could be happening here. The mappings don't seem to be applied. Might you have multiple native role mappings? What does

curl -k -u elastic -XGET 'https://localhost:9200/_xpack/security/role_mapping?pretty'

return?

As a workaround until we figure out the solution, you can use file role mapping for now and add

superuser:
   - "cn=elastic, OU=IT, DC=mydomain, DC=com"

to your $ES_HOME/config/x-pack/role_mapping.yml file


(Shivanshu Bagga) #11

Still not working after adding the entry to the role_mapping.yml file.

I can see the following error when I run ES in debug mode. Am I facing the problem due to this?

[2017-12-21T08:51:01,014][DEBUG][i.n.u.NetUtil            ] Failed to get SOMAXCONN from sysctl and file /proc/sys/net/core/somaxconn. Default: 128
java.security.AccessControlException: access denied ("java.io.FilePermission" "/proc/sys/net/core/somaxconn" "read")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_131]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_131]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_131]
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888) ~[?:1.8.0_131]
	at java.io.File.exists(File.java:814) ~[?:1.8.0_131]
	at io.netty.util.NetUtil$1.run(NetUtil.java:265) ~[?:?]
	at io.netty.util.NetUtil$1.run(NetUtil.java:251) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
	at io.netty.util.NetUtil.<clinit>(NetUtil.java:251) ~[?:?]
	at io.netty.util.internal.MacAddressUtil.bestAvailableMac(MacAddressUtil.java:50) ~[?:?]
	at io.netty.util.internal.MacAddressUtil.defaultMachineId(MacAddressUtil.java:138) ~[?:?]
	at io.netty.channel.DefaultChannelId.<clinit>(DefaultChannelId.java:99) ~[?:?]
	at io.netty.channel.AbstractChannel.newId(AbstractChannel.java:107) ~[?:?]
	at io.netty.channel.AbstractChannel.<init>(AbstractChannel.java:79) ~[?:?]
	at io.netty.channel.nio.AbstractNioChannel.<init>(AbstractNioChannel.java:84) ~[?:?]
	at io.netty.channel.nio.AbstractNioMessageChannel.<init>(AbstractNioMessageChannel.java:42) ~[?:?]

(Ioannis Kakavas) #12

You need to provide more feedback as to what you are doing and what behavior you are getting / errors you are seeing.

  • Is the role mapped to your user correctly - can you see something relevant in the logs?
  • What is the error in Kibana logs?
  • What are the errors in Elasticsearch logs?
  • Where is the output of the CURL command I asked you to run?

No, this is unrelated.


(Tim Vernum) #13

The role mapping API is, unfortunately, case sensitive and whitespace sensitive.
Your mapping is using cn=shivanshu,ou=example,o=com but your actual DN from the logs is CN=shivanshu, OU=example, O=com
You need to make the API match the logged DN exactly.

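The exact-match rule described in the answer above can be checked offline before restarting anything. As an added example that is not part of this thread, the following Python script walks a role-mapping document (constructed here to mirror the two mistakes seen in the thread: the doubled "cn=CN=" prefix and the lowercase, unspaced DN), pulls the pki_dn out of a NativeRoleMappingStore debug line, and reports whether each dn rule matches exactly, differs only in case or whitespace, or is a different DN altogether; the mapping name kibana_pki and the sample values are assumptions.

```python
import json
import re

# Constructed sample of the document returned by
# GET /_xpack/security/role_mapping?pretty (not real output from the cluster
# in this thread); "kibana_pki" is an assumed mapping name.
ROLE_MAPPINGS = json.loads("""
{
  "users": {
    "enabled": true,
    "roles": ["superuser"],
    "rules": {"field": {"dn": "cn=shivanshu,ou=example,o=com"}},
    "metadata": {}
  },
  "kibana_pki": {
    "enabled": true,
    "roles": ["superuser"],
    "rules": {"any": [
      {"field": {"dn": "cn=CN=elastic,OU=IT,DC=mydomain,DC=com"}},
      {"field": {"dn": "CN=shivanshu, OU=example, O=com"}}
    ]},
    "metadata": {}
  }
}
""")

# Constructed sample of the NativeRoleMappingStore DEBUG line that the authc
# logger emits; the pki_dn value is what the mapping must match exactly.
LOG_LINE = ("[2017-12-21T07:53:52,395][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] "
            "[jXj4sL5] Mapping user [UserData{username:shivanshu; "
            "dn:CN=shivanshu, OU=example, O=com; groups:[]; "
            "metadata:{pki_dn=CN=shivanshu, OU=example, O=com}; realm=pki}] "
            "to roles [[]]")

_PKI_DN_RE = re.compile(r"pki_dn=([^}]*)\}")


def logged_dn(line):
    """Extract the DN Elasticsearch actually authenticated from the debug line."""
    match = _PKI_DN_RE.search(line)
    return match.group(1).strip() if match else None


def dn_rules(mapping_doc):
    """Yield (mapping name, dn) for every field.dn rule, walking any/all/except."""
    def walk(rule):
        dns = rule.get("field", {}).get("dn")
        if dns is not None:
            yield from (dns if isinstance(dns, list) else [dns])
        for key in ("any", "all"):
            for sub in rule.get(key, []):
                yield from walk(sub)
        if "except" in rule:
            yield from walk(rule["except"])
    for name, body in mapping_doc.items():
        for dn in walk(body.get("rules", {})):
            yield name, dn


def normalize(dn):
    """Loose form used only to tell a case/whitespace slip from a wrong DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diagnose(mapping_dn, actual_dn):
    """Classify how a mapping's dn compares with the logged pki_dn."""
    if mapping_dn == actual_dn:
        return "exact"            # the only form the API will match
    if normalize(mapping_dn) == normalize(actual_dn):
        return "case/whitespace"  # same DN, wrong case or spacing after commas
    return "different"            # genuinely another DN (e.g. doubled "cn=CN=")


def check_mappings(mapping_doc, log_line):
    """Return (logged dn, [(mapping name, mapping dn, verdict), ...])."""
    actual = logged_dn(log_line)
    return actual, [(name, dn, diagnose(dn, actual))
                    for name, dn in dn_rules(mapping_doc)]


if __name__ == "__main__":
    actual, report = check_mappings(ROLE_MAPPINGS, LOG_LINE)
    print("logged pki_dn:", actual)
    for name, dn, verdict in report:
        print(f"{verdict:16} {name}: {dn!r}")
```

Feed it the real output of the curl command and the real DEBUG line from your own cluster; a "case/whitespace" verdict means the DN is right but must be retyped to match the log character for character.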

(Shivanshu Bagga) #14

That was the actual issue, fixed now. Thanks to you for the great support.
