This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Some settings are not returned via the nodes settings API Users command fails due to extra arguments »
Elastic Docs Elasticsearch Guide [master] Secure the Elastic Stack Troubleshooting security

Authorization exceptions

edit

Authorization exceptions

edit

Symptoms:

  • I configured the appropriate roles and the users, but I still get an authorization exception.
  • I can authenticate to LDAP, but I still get an authorization exception.

Resolution:

  1. Verify that the role names associated with the users match the roles defined in the roles.yml file. You can use the elasticsearch-users tool to list all the users. Any unknown roles are marked with *.

    bin/elasticsearch-users list
rdeniro        : admin
alpacino       : power_user
jacknich       : monitoring,unknown_role*

    unknown_role was not found in roles.yml

    For more information about this command, see the elasticsearch-users command.

  2. If you are authenticating to LDAP, a number of configuration options can cause this error.

    group identification

    Groups are located by either an LDAP search or by the "memberOf" attribute on the user. Also, If subtree search is turned off, it will search only one level deep. For all the options, see LDAP realm settings. There are many options here and sticking to the defaults will not work for all scenarios.

    group to role mapping

    Either the role_mapping.yml file or the location for this file could be misconfigured. For more information, see Security files.

    role definition

    The role definition might be missing or invalid.

    To help track down these possibilities, enable additional logging to troubleshoot further. You can enable debug logging by configuring the following persistent setting:

    resp = client.cluster.put_settings(
    persistent={
        "logger.org.elasticsearch.xpack.security.authc": "debug"
    },
)
print(resp)
    response = client.cluster.put_settings(
  body: {
    persistent: {
      'logger.org.elasticsearch.xpack.security.authc' => 'debug'
    }
  }
)
puts response
    const response = await client.cluster.putSettings({
  persistent: {
    "logger.org.elasticsearch.xpack.security.authc": "debug",
  },
});
console.log(response);
    PUT /_cluster/settings
{
  "persistent": {
    "logger.org.elasticsearch.xpack.security.authc": "debug"
  }
}

    Alternatively, you can add the following lines to the end of the log4j2.properties configuration file in the ES_PATH_CONF:

    logger.authc.name = org.elasticsearch.xpack.security.authc
logger.authc.level = DEBUG

    Refer to configuring logging levels for more information.

    A successful authentication should produce debug statements that list groups and role mappings.

« Some settings are not returned via the nodes settings API Users command fails due to extra arguments »