I have installed an ELK cluster on a VM:
- Logstash 5.4.0
- ElasticSearch 5.4.0
- Kibana 5.4.0
I have installed X-Pack on each node of the cluster and I can connect to Kibana with any user of my AD. Here is the elasticsearch.yml:
xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0
          domain_name: my.domain
          url: ldap://@IP:XXX
          unmapped_groups_as_roles: false
          user_search.base_dn: "ou=users,dc=my,dc=domain"
          user_search:
            filter: "(&(objectClass=user)(sAMAccountName={0}))"
          files:
            role_mapping: /etc/elasticsearch/x-pack/role_mapping.yml
I have mapped users with built-in roles provided by Elasticsearch and it works. Here is the role_mapping.yml:
# Built-In Role - It Works!
#kibana_user:
#  - "cn=CARTES John,ou=users,dc=my,dc=domain"
# Personalized Roles - It doesn't work
clicks_admin:
  - "cn=CARTES John,ou=users,dc=my,dc=domain"
I also created a role named clicks_admin with the Elasticsearch REST API:
{
  "clicks_admin" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "eventmanager2.0_data"
        ],
        "privileges" : [
          "all"
        ],
        "field_security" : {
          "grant" : [
            "eventmanager_event_type",
            "source",
            "beat.hostname.keyword",
            "beat.version"
          ]
        }
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
But when I try to connect to Kibana using an AD user that I have mapped to the role clicks_admin, it says: Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [jcartais].
Whereas when I search through the Elasticsearch logs, everything seems to be fine. Here are the Elasticsearch logs from its startup and from when I try to connect via Kibana with an AD user:
[2018-04-24T16:58:42,469][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myServerElasticSearch] [1] role mappings found in file [/etc/elasticsearch/x-pack/role_mapping.yml] for realm [active_directory/active_directory]
... (parts omitted)
[2018-04-24T16:59:06,785][DEBUG][o.e.x.s.a.l.LdapRealm ] [myServerElasticSearch] user [jcartes] not found in cache for realm [active_directory], proceeding with normal authentication
[2018-04-24T16:59:06,874][DEBUG][o.e.x.s.a.l.ActiveDirectorySessionFactory] [lancyelasticdevsi01.ancy.fr.sopra] group SID to DN [cn=CARTES John,ou=users,dc=my,dc=domain] search filter: [(|(objectSid=...))]
[2018-04-24T16:59:07,106][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myServerElasticSearch] the roles [[]], are mapped from these [active_directory] groups [[My_AD_Groups]] for realm [active_directory/active_directory]
[2018-04-24T16:59:07,107][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [myServerElasticSearch] the roles [[clicks_admin]], are mapped from the user [cn=CARTES John,ou=users,dc=my,dc=domain] for realm [active_directory/active_directory]
[2018-04-24T16:59:07,114][DEBUG][o.e.x.s.a.l.LdapRealm ] [myServerElasticSearch] realm [active_directory] authenticated user [jcartais], with roles [[clicks_admin]]
[2018-04-24T16:59:07,449][DEBUG][o.e.x.s.a.e.ReservedRealm] [myServerElasticSearch] user [jcartes] not found in cache for realm [reserved], proceeding with normal authentication
...
[2018-04-24T16:59:08,475][DEBUG][o.e.x.s.a.e.ReservedRealm] [myServerElasticSearch] user [jcartes] not found in cache for realm [reserved], proceeding with normal authentication
[2018-04-24T16:59:08,476][DEBUG][o.e.x.s.a.l.LdapRealm ] [myServerElasticSearch] realm [active_directory] authenticated user [jcartes], with roles [[clicks_admin]]
Can you please look at this? If you need any additional information, please tell me.
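
An added example, not part of the original post and not X-Pack's own code: a simplified Python model of index-scoped role evaluation, showing on which indices the clicks_admin role from the post covers the action [indices:data/write/update]. The `.kibana` index name, the second role `KIBANA_INDEX_ROLE` and the privilege-to-action table are assumptions for illustration; the post does not show which index the denied update targeted.

```python
import fnmatch

# Role body copied from the post (empty run_as/metadata keys dropped).
CLICKS_ADMIN = {
    "cluster": ["all"],
    "indices": [{
        "names": ["eventmanager2.0_data"],
        "privileges": ["all"],
        "field_security": {"grant": ["eventmanager_event_type", "source",
                                     "beat.hostname.keyword", "beat.version"]},
    }],
}

# Assumption: a hypothetical second role scoped to Kibana's own index.
KIBANA_INDEX_ROLE = {
    "indices": [{"names": [".kibana*"],
                 "privileges": ["manage", "read", "index", "delete"]}],
}

# Simplified model of which actions each named index privilege covers.
# Only the privileges used above are modelled.
PRIVILEGE_ACTIONS = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "index": ["indices:data/write/index*", "indices:data/write/update*"],
    "delete": ["indices:data/write/delete*"],
    "manage": ["indices:admin/*", "indices:monitor/*"],
}


def grants(role, index, action):
    """True if one 'indices' entry of the role matches both index and action."""
    for entry in role.get("indices", []):
        # The index name must match one of the entry's name patterns first.
        if not any(fnmatch.fnmatchcase(index, pat) for pat in entry["names"]):
            continue
        for priv in entry["privileges"]:
            patterns = PRIVILEGE_ACTIONS.get(priv, [])
            if any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
                return True
    return False


def authorized(roles, index, action):
    """A user is authorized if any one of their roles grants the action."""
    return any(grants(role, index, action) for role in roles)
```

A privilege of "all" applies only to the index names listed in the same entry, so a role scoped to one data index says nothing about any other index a client writes to.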