X-Pack Security - Created Role not Apply to AD Users

I have installed an ELK cluster on a VM:

  • Logstash 5.4.0
  • ElasticSearch 5.4.0
  • Kibana 5.4.0

I have installed X-Pack on each node of the cluster and I can connect to Kibana with any user of my AD. Here is the elasticsearch.yml:

    # realm header restored; the realm name matches [active_directory/active_directory] in the logs below
    xpack:
      security:
        authc:
          realms:
            active_directory:
              type: active_directory
              order: 0
              domain_name: my.domain
              url: ldap://@IP:XXX
              unmapped_groups_as_roles: false
              user_search.base_dn: "ou=users,dc=my,dc=domain"
              user_search.filter: "(&(objectClass=user)(sAMAccountName={0}))"
              files.role_mapping: /etc/elasticsearch/x-pack/role_mapping.yml

I have mapped users with built-in roles provided by Elasticsearch and it works. Here is the role_mapping.yml:

    # Built-In Role - It Works !
    # kibana_user:
    #   - "cn=CARTES John,ou=users,dc=my,dc=domain"

    # Personalized Roles - It doesn't work
    clicks_admin:
      - "cn=CARTES John,ou=users,dc=my,dc=domain"

I also created a role named clicks_admin with the Elasticsearch REST API:

    {
      "clicks_admin" : {
        "cluster" : [ ... ],
        "indices" : [
          {
            "names" : [ ... ],
            "privileges" : [ ... ],
            "field_security" : {
              "grant" : [ ... ]
            }
          }
        ],
        "run_as" : [ ],
        "metadata" : { },
        "transient_metadata" : {
          "enabled" : true
        }
      }
    }
But when I try to connect to Kibana using an AD user that I have mapped to the role clicks_admin, it says: Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [jcartais].

However, when I search through the Elasticsearch logs, everything seems to be fine. Here are the Elasticsearch logs from its start and from when I try to connect via Kibana with an AD user:

 [2018-04-24T16:58:42,469][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myServerElasticSearch] [1] role mappings found in file [/etc/elasticsearch/x-pack/role_mapping.yml] for realm [active_directory/active_directory]

... (parts omitted)

[2018-04-24T16:59:06,785][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myServerElasticSearch] user [jcartes] not found in cache for realm [active_directory], proceeding with normal authentication

[2018-04-24T16:59:06,874][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [lancyelasticdevsi01.ancy.fr.sopra] group SID to DN [cn=CARTES John,ou=users,dc=my,dc=domain] search filter: [(|(objectSid=...))]

[2018-04-24T16:59:07,106][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myServerElasticSearch] the roles [[]], are mapped from these [active_directory] groups [[My_AD_Groups]] for realm [active_directory/active_directory]

[2018-04-24T16:59:07,107][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myServerElasticSearch] the roles [[clicks_admin]], are mapped from the user [cn=CARTES John,ou=users,dc=my,dc=domain] for realm [active_directory/active_directory]

[2018-04-24T16:59:07,114][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myServerElasticSearch] realm [active_directory] authenticated user [jcartais], with roles [[clicks_admin]]

[2018-04-24T16:59:07,449][DEBUG][o.e.x.s.a.e.ReservedRealm] [myServerElasticSearch] user [jcartes] not found in cache for realm [reserved], proceeding with normal authentication


 [2018-04-24T16:59:08,475][DEBUG][o.e.x.s.a.e.ReservedRealm] [myServerElasticSearch] user [jcartes] not found in cache for realm [reserved], proceeding with normal authentication

[2018-04-24T16:59:08,476][DEBUG][o.e.x.s.a.l.LdapRealm    ] [myServerElasticSearch] realm [active_directory] authenticated user [jcartes], with roles [[clicks_admin]]

Can you please look at this. If you need any additional information, please tell me.

Please take the time to format your post so that it is as easy to read as possible. You should use the </> button for config files or JSON bodies. When a post is easy to read, people are more likely to take the time to follow along and help you.

This message is accurate. Your clicks_admin role does not have access to Kibana.
You need to grant the kibana_user role as well as clicks_admin.
See Kibana and Security | X-Pack for the Elastic Stack [5.4] | Elastic
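An added check for the situation described in this answer (example code, not from the thread or from Elastic): it parses a file-based role_mapping.yml, lists the DNs that are mapped to a custom role but to no Kibana-capable role, and extracts the user and roles from the LdapRealm DEBUG line quoted in the question. The sample mapping is constructed from the post; KIBANA_ROLES and the function names are assumptions of this example.

```python
import re

# Roles that carry the privileges an interactive Kibana user needs in 5.x:
# kibana_user is the one named in the answer above; superuser is a superset.
KIBANA_ROLES = {"kibana_user", "superuser"}

def parse_role_mapping(text):
    """Parse the flat role_mapping.yml shape used by X-Pack file-based role
    mapping: a role key followed by a YAML list of DNs. '#' comments skipped."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            role = line[:-1].strip()
            mapping.setdefault(role, [])
        elif line.strip().startswith("-") and role is not None:
            mapping[role].append(line.strip()[1:].strip().strip('"'))
    return mapping

def users_without_kibana_access(mapping):
    """Return the DNs mapped to at least one role but to no Kibana-capable role:
    exactly the users who get the 403 shown in the original post."""
    roles_by_dn = {}
    for role, dns in mapping.items():
        for dn in dns:
            roles_by_dn.setdefault(dn, set()).add(role)
    return sorted(dn for dn, roles in roles_by_dn.items()
                  if not roles & KIBANA_ROLES)

# Matches "... authenticated user [jcartais], with roles [[clicks_admin]]" from the LdapRealm log
LOG_RE = re.compile(r"authenticated user \[([^\]]+)\], with roles \[\[([^\]]*)\]\]")

def roles_from_log_line(line):
    """Return (user, set_of_roles) from an authentication DEBUG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    roles = {r.strip() for r in m.group(2).split(",") if r.strip()}
    return m.group(1), roles

# Constructed sample: the post's mapping with the kibana_user block still commented out.
SAMPLE_MAPPING = """\
# kibana_user:
#   - "cn=CARTES John,ou=users,dc=my,dc=domain"
clicks_admin:
  - "cn=CARTES John,ou=users,dc=my,dc=domain"
"""
```

Uncommenting the kibana_user block in the sample makes `users_without_kibana_access` return an empty list, which is the fix the answer describes.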

Thanks for your response. Sorry for the formatting of my message, it's the first time I have posted a message on this platform :sweat_smile:.

So I just have to uncomment the kibana_user section in my role_mapping.yml in order for my AD user to be able to connect to Kibana?
