Avoiding 'Cannot retrieve roles for User' with internaluser and LDAP

Opendistro: v1.9.0

I have been adding certain users via the internalusers REST API call and this results in the successful creation of the user. For Kibana access I am authenticating front-end users via LDAP, so ‘basic_internal_auth_domain’ at order 4 and ‘ldap’ at order 5 are setup in config.xml

When the internal users are created via the API calls, I see the following in the logs.

[2020-12-29T12:05:33,409][ERROR][c.a.o.s.a.BackendRegistry] [odfe-cluster1] Cannot retrieve roles for User [name=mytestuser, backend_roles=[mytestrole], requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user mytestuser found]]; nested: ElasticsearchSecurityException[No user mytestuser found];
org.elasticsearch.ElasticsearchSecurityException: ElasticsearchSecurityException[No user mytestuser found]

Am I correct in thinking the only way to resolve the throwing of this ERROR is to also add the user to the skip_users: section of authz (ldap)?

It seems odd that you can create internal users through the API, yet have them throw the error above, and have to resolve this by adding the user to config.xml and running securityadmin.sh (being careful not to then reset all the permissions).

If this is the case, then I guess a workaround is to prefix all internal users with ‘int_’, and then use a regex pattern in the skip_users section to match ‘/int_\S*/’?

Have others run into a similar issue?

Thanks, Will.

not sure if this help but… here is what i see in my case…

I have internal users and ldap users. With internal being first priority for resolution. Not sure why its checking an internal user against ldap since it should succeed on first check.

whenever i make a security change from UI, i see errors like that . I do not think it is a problem. I think when changes are made, security is “initialized” and while that is happening any authentication calls error out.

[2021-01-07T12:45:16,218][ERROR][c.a.o.s.a.BackendRegistry] [wamapnap01] Cannot retrieve roles for User [name=kibanaserver, backend_roles=, requestedTenant=null] from ldap due to ElasticsearchSecurityException[ElasticsearchSecurityException[No user kibanaserver found]]; nested: ElasticsearchSecurityException[No user kibanaserver found];
org.elasticsearch.ElasticsearchSecurityException: ElasticsearchSecurityException[No user kibanaserver found]


Did you find the solution to your issue?