No permissions for [cluster:monitor/main]

Hi

Given backend roles: admin, security_rest_api_access, cluster:monitor/main.
While accessing localhost:9200 I get the error below.

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User [name=CN=xxxxx xxxxxx,CN=Users,DC=xxxxxx,DC=com, backend_roles=[Token], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/main] and User [name=CN=xxxxx xxxxxx,CN=Users,DC=xxxxxx,DC=com, backend_roles=[Token], requestedTenant=null]"
  },
  "status": 403
}
```

Hi Sharath,

please post your configuration. That would make it easier to debug.

Regards
Clifford

```yaml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# Elasticsearch Guide | Elastic
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: test-poc
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /elastic/data/open_distro
#
# Path to log files:
#
path.logs: /elastic/log
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
http.port: 9200
network.bind_host: "0.0.0.0"
transport.tcp.port: 9300
network.host: "0.0.0.0"
transport.host: "es-poc-md1.xxxxxxx.com"
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["es-poc-md3.xxxxxxx.com", "es-poc-md1.xxxxxxx.com", "es-poc-md2.xxxxxxx.com"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["es-poc-md3.xxxxxxx.com", "es-poc-md1.xxxxxxx.com", "es-poc-md2.xxxxxxx.com"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: false
#opendistro_security.ssl.http.pemcert_filepath: servercer.pem
#opendistro_security.ssl.http.pemkey_filepath: wildcard.key.pem
#opendistro_security.ssl.http.pemtrustedcas_filepath: ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - cn=svc.elastic,ou=Generic,ou=serviceaccounts,ou=Corp,ou=Common,DC=xxxxxxx,DC=com
  - 'CN=ADMIN,OU=IT,O=xxxxxxx\, Inc.,L=Palo Alto,ST=California,C=US'
opendistro_security.nodes_dn:
  - 'CN=*.xxxxxxx.com,OU=IT,O=xxxxxxx, Inc.,L=Palo Alto,ST=California,C=US'
  - 'CN=es-poc-md2.xxxxxxx.com,OU=IT,O=xxxxxxx, Inc.,L=Palo Alto,ST=California,C=US'
  - 'CN=es-poc-md3.xxxxxxx.com,OU=IT,O=xxxxxxx, Inc.,L=Palo Alto,ST=California,C=US'
#opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

opendistro_security.audit.type: debug

opendistro_security.audit.config.log4j.logger_name: audit
opendistro_security.audit.config.log4j.level: DEBUG
```

Thanks but would you be so kind to surround the code with backticks ```your config``` for code formatting.

It will be easier to read and indentation in YAML files is extremely important to their execution.

Regards
Clifford

Uploaded elasticsearch.yml & config.yml

You misunderstood me. The link I posted describes how to format code in Markdown.
Please remove the issue you created in the GitHub project and reformat your messages above so that it looks something like this:

```yaml
ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 1
```

Regards
Clifford

```yaml
cluster.name: test-poc
path.data: /elastic/data/open_distro
path.logs: /elastic/log
http.port: 9200
network.bind_host: 0.0.0.0
transport.tcp.port: 9300
network.host: 0.0.0.0
transport.host: es-poc-md1.xxxx.com
discovery.seed_hosts: [es-poc-md3.xxxx.com, es-poc-md1.xxxx.com, es-poc-md2.xxxx.com]
cluster.initial_master_nodes: [es-poc-md3.xxxx.com, es-poc-md1.xxxx.com, es-poc-md2.xxxx.com]
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: false
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: [all_access, security_rest_api_access]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
opendistro_security.audit.type: debug
opendistro_security.audit.config.log4j.logger_name: audit
opendistro_security.audit.config.log4j.level: DEBUG

opendistro_security.authcz.admin_dn:
  - 'CN=ADMIN,OU=IT,O=xxxx, Inc.,L=Palo Alto,ST=California,C=US'
opendistro_security.nodes_dn:
  - 'CN=*.xxxx.com,OU=IT,O=xxxx, Inc.,L=Palo Alto,ST=California,C=US'
```

```json
{
  "elk-admins-1" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "unlimited",
      "cluster:monitor/main",
      "indices:admin/shards/search_shards"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "unlimited",
          "indices:admin/shards/search_shards",
          "cluster:monitor/main"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_read",
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }
}
```

```json
{
  "elk-admins-1" : {
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "admin",
      "CN=xxxxxx,OU=Generic,OU=Groups,OU=Corp,OU=Common,DC=xxxxxx,DC=com",
      "elk-admins-1"
    ],
    "hosts" : [ ],
    "users" : [ ],
    "and_backend_roles" : [ ]
  }
}
```

It still is very hard to read.

I can only guess, because I haven't configured LDAP access yet, but the error message tells me that the backend role of your user is Token.

no permissions for [cluster:monitor/main] and User [name=CN=xxxxx xxxxxx,CN=Users,DC=xxxxxx,DC=com, backend_roles=[Token]

There is no role mapping for this role. So maybe determining the role is wrong?

```yaml
rolebase: "OU=Generic,OU=Groups,OU=Corp,OU=Common,DC=xxxxxxx,DC=com"
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: roles
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: "cn"
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
```

Regards
Clifford
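As an added example (not code from the thread or from the security plugin), this expands the `{0}`/`{1}`/`{2}` placeholders of a `rolesearch` filter the way the comments above describe, escaping each value per RFC 4515 before it goes into the filter; the DNs and usernames in it are constructed, and the `(member={2})` with `userroleattribute: null` case shows why that combination cannot produce a usable filter.

```python
"""Added example, not code from the thread or the security plugin: expands
the {0}/{1}/{2} placeholders of an LDAP rolesearch filter as described in
the config comments, escaping each value per RFC 4515 before it goes into
the filter. DNs and names below are constructed."""
import re
from typing import Optional

# Characters with meaning inside an LDAP filter; each becomes \XX (hex).
_FILTER_SPECIALS = re.compile(r"[\\*()\x00]")

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a DN like 'O=Acme\\, Inc.' cannot break the filter."""
    return _FILTER_SPECIALS.sub(lambda m: "\\%02x" % ord(m.group(0)), value)

def build_rolesearch(rolesearch: str, user_dn: str, username: str,
                     attr_value: Optional[str] = None) -> str:
    """Substitute {0} = user DN, {1} = username, {2} = value of userroleattribute.
    Raises if the filter needs {2} but no attribute value is available, which is
    what happens with rolesearch '(member={2})' and userroleattribute: null."""
    out = rolesearch.replace("{0}", ldap_filter_escape(user_dn))
    out = out.replace("{1}", ldap_filter_escape(username))
    if "{2}" in out:
        if attr_value is None:
            raise ValueError("rolesearch uses {2} but userroleattribute gave no value")
        out = out.replace("{2}", ldap_filter_escape(attr_value))
    return out

if __name__ == "__main__":
    dn = "CN=Jane Smith,CN=Users,DC=example,DC=com"  # constructed user DN
    # Active Directory stores group membership as full DNs in 'member', so
    # {0} (the user DN) is the usual substitution for a '(member=...)' search.
    print(build_rolesearch("(member={0})", dn, "jsmith"))
    print(build_rolesearch("(member={2})", dn, "jsmith", attr_value="jsmith"))
```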

I have solved the problem.

Would you like to share your solution?

Regards
Clifford

Will share the solution.

Hi Sharath,

I'm also facing the same issue with LDAP. Would you mind sharing the solution that you have found?

Thanks in Advance!

Can you please share your configuration.

Please find my config for LDAP authz…

```yaml
authz:
  ldap:
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      challenge: false
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - "XXXXXX:369"
        bind_dn: "cn=serviceuser,ou=ad,ou=users,dc=com"
        password: "testpassword"
        userbase: "ou=ad,ou=users,dc=com"
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(sAMAccountName={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: "cn"
        rolebase: "cn=serviceuser,ou=ad,ou=groups,dc=com"
        rolesearch: '(member={2})'
        userroleattribute: cn
```

```yaml
authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - xxx.xx.xxx.xx:389
        bind_dn: 'cn=xxxxx,ou=Generic,ou=serviceaccounts,ou=Corp,ou=Common,DC=xxxxxx,DC=com'
        password: xxxxxxxxx
        userbase: 'cn=users,dc=xxxxxx,dc=com'
        usersearch: '(uid={0})'
        username_attribute: uid
        rolebase: 'OU=Generic,OU=Groups,OU=Corp,OU=Common,DC=xxxxxx,DC=com'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: none
        rolename: cn
        resolve_nested_roles: true
        skip_users:
          - kibanaserver
```

Use the command below to validate the roles assigned in the backend role:

```shell
curl http://localhost:9200/_opendistro/_security/authinfo?pretty -u username
```

Add the appropriate backend role. (I'm using the CN of the LDAP group name as the backend role, since I had configured `rolename: cn` in the security config.)
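As an added example (not code from the thread or from the security plugin), this cross-checks what the `authinfo` call above returns for a user against a rolesmapping document, reproducing the plugin's mapping rules for `users`, `backend_roles` and `and_backend_roles` (host-based mapping is left out) and reporting backend roles that no mapping references, which is the gap Clifford pointed at; the authinfo response is constructed from the identity in the 403 error, the mapping is the one posted earlier in the thread.

```python
"""Added example, not code from the thread or the security plugin: compares
the backend roles the plugin resolved for a user (authinfo output) with a
rolesmapping document and lists backend roles no mapping references."""
import json
from typing import Dict, List

# Constructed sample of the authinfo response, using the identity from the
# thread's 403 error: the only resolved backend role is "Token".
AUTHINFO = json.loads("""{
  "user_name": "CN=xxxxx xxxxxx,CN=Users,DC=xxxxxx,DC=com",
  "backend_roles": ["Token"],
  "roles": []
}""")

# The rolesmapping posted in the thread (unrelated fields dropped).
ROLESMAPPING = json.loads("""{
  "elk-admins-1": {
    "backend_roles": ["admin",
      "CN=xxxxxx,OU=Generic,OU=Groups,OU=Corp,OU=Common,DC=xxxxxx,DC=com",
      "elk-admins-1"],
    "hosts": [], "users": [], "and_backend_roles": []
  }
}""")

def mapped_roles(authinfo: Dict, rolesmapping: Dict) -> List[str]:
    """Security roles the user obtains: by user name, by any backend role,
    or by carrying every role listed in and_backend_roles."""
    user = authinfo["user_name"]
    have = set(authinfo["backend_roles"])
    roles = []
    for role, m in rolesmapping.items():
        by_user = user in m.get("users", [])
        by_any = bool(have & set(m.get("backend_roles", [])))
        need_all = set(m.get("and_backend_roles", []))
        by_all = bool(need_all) and need_all <= have
        if by_user or by_any or by_all:
            roles.append(role)
    return sorted(roles)

def unmapped_backend_roles(authinfo: Dict, rolesmapping: Dict) -> List[str]:
    """Backend roles the user carries that no mapping mentions at all."""
    referenced = set()
    for m in rolesmapping.values():
        referenced.update(m.get("backend_roles", []))
        referenced.update(m.get("and_backend_roles", []))
    return sorted(r for r in authinfo["backend_roles"] if r not in referenced)

if __name__ == "__main__":
    print("roles:", mapped_roles(AUTHINFO, ROLESMAPPING))
    print("unmapped backend roles:", unmapped_backend_roles(AUTHINFO, ROLESMAPPING))
```

With the thread's data the user maps to no role at all and `Token` is reported as unmapped, which is exactly the state that produces the `no permissions for [cluster:monitor/main]` response.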