- X-Pack Reference for 6.0-6.2 and 5.x:
- Introduction
- Setting Up X-Pack
- Breaking Changes
- X-Pack APIs
- Graphing Connections in Your Data
- Profiling your Queries and Aggregations
- Reporting from Kibana
- Securing the Elastic Stack
- Getting Started with Security
- How Security Works
- Setting Up User Authentication
- Configuring SAML Single-Sign-On on the Elastic Stack
- Configuring Role-based Access Control
- Auditing Security Events
- Encrypting Communications
- Restricting Connections with IP Filtering
- Cross Cluster Search, Tribe, Clients and Integrations
- Reference
- Monitoring the Elastic Stack
- Alerting on Cluster and Index Events
- Machine Learning in the Elastic Stack
- Troubleshooting
- Getting Help
- X-Pack security
- Can’t log in after upgrading to 6.2.4
- Some settings are not returned via the nodes settings API
- Authorization exceptions
- Users command fails due to extra arguments
- Users are frequently locked out of Active Directory
- Certificate verification fails for curl on Mac
- SSLHandshakeException causes connections to fail
- Common SSL/TLS exceptions
- Internal Server Error in Kibana
- Setup-passwords command fails due to connection failure
- X-Pack Watcher
- X-Pack monitoring
- X-Pack machine learning
- Limitations
- License Management
- Release Notes
WARNING: Version 6.2 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Authorization exceptions
editAuthorization exceptions
editSymptoms:
- I configured the appropriate roles and the users, but I still get an authorization exception.
- I can authenticate to LDAP, but I still get an authorization exception.
Resolution:
-
Verify that the role names associated with the users match the roles defined in the
roles.yml
file. You can use theusers
tool to list all the users. Any unknown roles are marked with*
.For more information about this command, see Users Command.
-
If you are authenticating to LDAP, a number of configuration options can cause this error.
group identification
Groups are located by either an LDAP search or by the "memberOf" attribute on the user. Also, If subtree search is turned off, it will search only one level deep. See the LDAP Settings for all the options. There are many options here and sticking to the defaults will not work for all scenarios.
group to role mapping
Either the
role_mapping.yml
file or the location for this file could be misconfigured. See Security Files for more.role definition
The role definition might be missing or invalid.
To help track down these possibilities, add the following lines to the end of the
log4j2.properties
configuration file in theES_PATH_CONF
:logger.authc.name = org.elasticsearch.xpack.security.authc logger.authc.level = DEBUG
A successful authentication should produce debug statements that list groups and role mappings.