Hi guys
I am trying to set up SAML on Kibana and attempted to update security via config.yml with the command:
sh securityadmin.sh -cd ../securityconfig/ -h xxxx.xxx.xxx.xxx -p 9301 -icl -noopenssl -nhnv -cacert /usr/share/elasticsearch/config/rootCA.pem -cert /usr/share/elasticsearch/config/admin.pem -key /usr/share/elasticsearch/config/admin-key.pem -t config
I am getting the following result:
Connected as EMAILADDRESS=xxxxx,CN= xxxxx.xxx.xxx,OU= xxxxx,O= xxxxx,L=xxxxx,C= xxxxx
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.0.0
Contacting elasticsearch cluster 'xxxxxx' and wait for YELLOW clusterstate ...
Cannot retrieve cluster state due to: no permissions for [cluster:monitor/health] and User [name= EMAILADDRESS=xxxxx,CN= xxxxx.xxx.xxx,OU= xxxxx,O= xxxxx,L=xxxxx,C= xxxxx, backend_roles=[], requestedTenant=null]. This is not an error, will keep on trying ...
Root cause: ElasticsearchSecurityException[no permissions for [cluster:monitor/health] and User [name= EMAILADDRESS=xxxxx,CN= xxxxx.xxx.xxx,OU= xxxxx,O= xxxxx,L=xxxxx,C= xxxxx, backend_roles=[], requestedTenant=null]] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)
* Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
* Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
* If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
* Add --accept-red-cluster to allow securityadmin to operate on a red cluster.
admin_dn has been set in elasticsearch.yml:
opendistro_security.ssl.http.pemtrustedcas_filepath: rootCA.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- "EMAILADDRESS=xxxxx,CN= xxxxx.xxx.xxx,OU= xxxxx,O= xxxxx,L=xxxxx,C= xxxxx"
Another thing to point out is that when I log into Kibana as admin (changed password from default), I do not see the security plugin on the menu dropdown.
I believe this is an authorization issue, but I am not sure how to proceed. I would greatly appreciate some help on this.
Thanks in advance.