6.4.0 can't login and kibanaserver user can't access .kibana

Benedikt_Haug · September 12, 2018, 4:01pm

Dear searchguard,

when upgrading a fully functional test setup from 6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana afterwards. The browser just gets an connection reset after waiting for the 30sec tcp timeout. I use proxy authentication via local apache proxy.

It throws the strange errors about .kibana not being found but I can totally see that index:

green open .kibana gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]: {“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_exception] Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[security_exception] Unexpected exception indices:data/read/search :: {"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"Unexpected exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\"Unexpected exception indices:data/read/search\"},\"status\":500}"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n at emitNone (events.js:111:20)\n at IncomingMessage.emit (events.js:208:7)\n at endReadableNT (_stream_readable.js:1064:12)\n at _combinedTickCallback (internal/process/next_tick.js:138:11)\n at process._tickDomainCallback (internal/process/next_tick.js:218:9)”},“message”:“[security_exception] Unexpected exception indices:data/read/search”}

I have tried to purge searchguard and the error disappeared thus posting it here.

If anything is unclear or not verbose enough please feel free to ask.

Thank you

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”
Java™ SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot™ 64-Bit Server VM (build 25.121-b13, mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

Other installed Elasticsearch or Kibana plugins, if any

sudo ./kibana-plugin list
searchguard@6.4.0-14

sudo ./elasticsearch-plugin list
search-guard-6

sg_config.yml (1.11 KB)

sg_roles_mapping.yml (704 Bytes)

sg_roles.yml (4.47 KB)

elasticsearch.log (20.5 KB)

jkressin · September 17, 2018, 1:28pm

According to the ES log file there seems to be an issue when accessing the Search Guard index:

[2018

-09-12T17:43:42,182][ERROR][c.f.s.f.SearchGuardFilter] Unexpected exception [] IndexNotFoundException[no such index]
org.elasticsearch.index.IndexNotFoundException: no such index
...

at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.getResolvedIndexPattern(ConfigModel.java:598) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.access$900(ConfigModel.java:484) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.impliesTypePerm(ConfigModel.java:768) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.access$1100(ConfigModel.java:47) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]


``

 Which would also explain the 30 seconds timeout you experienced. When you say:

"I have tried to purge searchguard and the error disappeared thus posting it here."

Do you mean you reinitialized the SG index and the error went away? This would then indicate some problems with the availability of the SG index primary/replica shards. How did you perform the upgrade? Was it a rolling restart? Did you set anything regarding shard allocation before performing the upgrade?

<details class='elided'>
<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>

On Wednesday, September 12, 2018 at 6:01:08 PM UTC+2, benedikt.haug@gmx.de wrote:
> Dear searchguard,

> 

> when upgrading a fully functional test setup from 6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana afterwards. The browser just gets an connection reset after waiting for the 30sec tcp timeout. I use proxy authentication via local apache proxy.

> 

> It throws the strange errors about .kibana not being found but I can totally see that index:

> green open .kibana                         gd00htRbRUOXEzcyaGLQTQ 1 1     1  0     8kb     4kb

> 

> journalctl -f kibana shows an error like this:

> 

> Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]: {"type":"error","@timestamp":"2018-09-12T15:56:27Z","tags":["warning","stats-collection"],"pid":15920,"level":"error","error":{"message":"[security_exception] Unexpected exception indices:data/read/search","name":"Error","stack":"[security_exception] Unexpected exception indices:data/read/search :: {\"path\":\"/.kibana/_search\",\"query\":{\"ignore_unavailable\":true,\"filter_path\":\"aggregations.types.buckets\"},\"body\":\"{\\\"size\\\":0,\\\"query\\\":{\\\"terms\\\":{\\\"type\\\":[\\\"dashboard\\\",\\\"visualization\\\",\\\"search\\\",\\\"index-pattern\\\",\\\"graph-workspace\\\",\\\"timelion-sheet\\\"]}},\\\"aggs\\\":{\\\"types\\\":{\\\"terms\\\":{\\\"field\\\":\\\"type\\\",\\\"size\\\":6}}}}\",\"statusCode\":500,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Unexpected exception indices:data/read/search\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Unexpected exception indices:data/read/search\\\"},\\\"status\\\":500}\"}\n    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n    at emitNone (events.js:111:20)\n    at IncomingMessage.emit (events.js:208:7)\n    at endReadableNT (_stream_readable.js:1064:12)\n    at _combinedTickCallback (internal/process/next_tick.js:138:11)\n    at process._tickDomainCallback (internal/process/next_tick.js:218:9)"},"message":"[security_exception] Unexpected exception indices:data/read/search"}
> 

> I have tried to purge searchguard and the error disappeared thus posting it here.

> 

> If anything is unclear or not verbose enough please feel free to ask.

> 

> Thank you

> 

> 

> When asking questions, please provide the following information:

> 

> * Search Guard and Elasticsearch version

> 

> 6.4.0-23.0

> 

> * Installed and used enterprise modules, if any

> 

> none/default

> 

> * JVM version and operating system version

> 

> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

> 

> Debian 8

> 

> * Search Guard configuration files

> 

> attached

> 

> * Elasticsearch log messages on debug level

> 

> attached

> 

> * Other installed Elasticsearch or Kibana plugins, if any

> sudo ./kibana-plugin list
> searchguard@6.4.0-14

> sudo ./elasticsearch-plugin list
> search-guard-6

</details>

Benedikt_Haug · September 17, 2018, 1:55pm

Thank you for having a look!

  No, it never worked. I meant that i removed searchguard

completely by removing the plugin and it started to work without
searchguard.

  The upgrade was done by installing the new plugin version and

restarting the cluster altogether. After it didn’t work I also
tried to remove the old plugin version before installing the new
one.

I did not change the shard allocation.

The searchguard indices content is here:

  I just tried to remove the searchguard index with -dci and

recreated it afterwards but the kibana journal still looks like
this:

  Sep 17 15:54:08 mes-any-logwfe-dev001 kibana[23739]:

{“type”:“error”,“@timestamp”:“2018-09-17T13:54:08Z”,“tags”:[“warning”,“stats-collection”],“pid”:23739,“level”:“error”,“error”:{“message”:“[security_exception]
Unexpected exception
indices:data/read/search”,“name”:“Error”,“stack”:“[security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"Unexpected
exception
indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\"Unexpected
exception
indices:data/read/search\"},\"status\":500}"}\n at
respond
(/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n
at checkRespForFailure
(/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n
at IncomingMessage.bound
(/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n
at emitNone (events.js:111:20)\n at IncomingMessage.emit
(events.js:208:7)\n at endReadableNT
(_stream_readable.js:1064:12)\n at _combinedTickCallback
(internal/process/next_tick.js:138:11)\n at
process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:“[security_exception]
Unexpected exception indices:data/read/search”}

  As this is a dev host I could drop the .kibana index but I don't

want to do this for live environments.

Thank you for your help!

···

https://gist.github.com/gna582/da1d2439a2c51ed3e41d96fd2385bdbe
On 9/17/18 3:28 PM, Jochen Kressin
wrote:

    According to the ES log file there seems to be an
issue when accessing the Search Guard index:

[2018-09-12T17:43:42,182][ERROR][c.f.s.f.SearchGuardFilter] Unexpected exception [] IndexNotFoundException[no such index]
org.elasticsearch.index.IndexNotFoundException: no such index

…

at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.getResolvedIndexPattern(ConfigModel.java:598) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.access$900(ConfigModel.java:484) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.impliesTypePerm(ConfigModel.java:768) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.access$1100(ConfigModel.java:47) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

       Which would also explain the 30 seconds timeout you

experienced. When you say:

      "I have tried to purge searchguard and the error
disappeared thus posting it here."

      Do you mean you reinitialized the SG index and the error
went away? This would then indicate some problems with the
availability of the SG index primary/replica shards. How did
you perform the upgrade? Was it a rolling restart? Did you set
anything regarding shard allocation before performing the
upgrade?

      On Wednesday, September 12, 2018 at 6:01:08 PM UTC+2,

wrote:

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

benedikt.haug@gmx.de

Dear searchguard,

            when upgrading a fully functional test setup from
6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana
afterwards. The browser just gets an connection reset
after waiting for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

            It throws the strange errors about .kibana not being

found but I can totally see that index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

            Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]:
{“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            I have tried to purge searchguard and the error

disappeared thus posting it here.

            If anything is unclear or not verbose enough please

feel free to ask.

Thank you

            When asking questions, please provide the following

information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”

              Java(TM) SE Runtime Environment (build 1.8.0_121-b13)

              Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13,

mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

            * Other installed Elasticsearch or Kibana plugins, if

any

sudo ./kibana-plugin list

sudo ./elasticsearch-plugin list
            search-guard-6

searchguard@6.4.0-14

jkressin · September 17, 2018, 2:15pm

To me, this does not look like a problem with the .kibana index per se. I conclude this from the error message, with is an “Unexpected Exception” with status code 500:

"statusCode":500,"
…
Unexpected exception indices:data/read/search

``

This means it is an internal Search Guard error. If the .kibana index would not be accerssible, say, because of wrong roles or permissions, you would see a different message.

The message you see on the ES side:

org.elasticsearch.index.IndexNotFoundException: no such index

``

Refers to the Search Guard index not being accessible. It roots in SG not being able to read the roles from the index:

at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

That’s why I was asking for the shards, because the node does not seem to have the “searchguard” index accessible.

So after recreating the SG index, is the error message on Elasticsearch side still the same? Means, the “no such index” message? This would seem very strange since the SG index is an index like any other index on your cluster. Means, it is completely managed by Elasticsearch.

Thanks for the link to the gist - but it contains the mapping only, can you do a _search on the SG index? The actual documents in this index should be base64 encoded strings.

···

On Monday, September 17, 2018 at 3:55:50 PM UTC+2, Benedikt Haug wrote:

Thank you for having a look!

  No, it never worked. I meant that i removed searchguard
completely by removing the plugin and it started to work without
searchguard.

  The upgrade was done by installing the new plugin version and
restarting the cluster altogether. After it didn’t work I also
tried to remove the old plugin version before installing the new
one.

I did not change the shard allocation.

The searchguard indices content is here:

https://gist.github.com/gna582/da1d2439a2c51ed3e41d96fd2385bdbe

  I just tried to remove the searchguard index with -dci and
recreated it afterwards but the kibana journal still looks like
this:

Sep 17 15:54:08 mes-any-logwfe-dev001 kibana[23739]:
{“type”:“error”,“@timestamp”:“2018-09-17T13:54:08Z”,“tags”:[“warning”,“stats-collection”],“pid”:23739,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception
indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception
indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception
indices:data/read/search\"}, \"status\":500}"}\n at
respond
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound
(/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at IncomingMessage.emit
(events.js:208:7)\n at endReadableNT
(_stream_readable.js:1064:12)\ n at _combinedTickCallback
(internal/process/next_tick. js:138:11)\n at
process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

  As this is a dev host I could drop the .kibana index but I don't
want to do this for live environments.

Thank you for your help!

  On 9/17/18 3:28 PM, Jochen Kressin > wrote:

    According to the ES log file there seems to be an
issue when accessing the Search Guard index:

[2018-09-12T17:43:42,182][ERROR][c.f.s.f.SearchGuardFilter] Unexpected exception [] IndexNotFoundException[no such index]
org.elasticsearch.index.IndexNotFoundException: no such index

…

at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.getResolvedIndexPattern(ConfigModel.java:598) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.access$900(ConfigModel.java:484) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.impliesTypePerm(ConfigModel.java:768) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.access$1100(ConfigModel.java:47) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

       Which would also explain the 30 seconds timeout you

experienced. When you say:

      "I have tried to purge searchguard and the error
disappeared thus posting it here."

      Do you mean you reinitialized the SG index and the error
went away? This would then indicate some problems with the
availability of the SG index primary/replica shards. How did
you perform the upgrade? Was it a rolling restart? Did you set
anything regarding shard allocation before performing the
upgrade?

      On Wednesday, September 12, 2018 at 6:01:08 PM UTC+2, > > benedikt.haug@gmx.de wrote:

Dear searchguard,

            when upgrading a fully functional test setup from
6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana
afterwards. The browser just gets an connection reset
after waiting for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

            It throws the strange errors about .kibana not being

found but I can totally see that index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

            Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]:
{“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            I have tried to purge searchguard and the error

disappeared thus posting it here.

            If anything is unclear or not verbose enough please

feel free to ask.

Thank you

            When asking questions, please provide the following

information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”

              Java(TM) SE Runtime Environment (build 1.8.0_121-b13)

              Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13,

mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

            * Other installed Elasticsearch or Kibana plugins, if

any

sudo ./kibana-plugin list

            searchguard@6.4.0-14

sudo ./elasticsearch-plugin list
            search-guard-6

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

Benedikt_Haug · September 17, 2018, 2:48pm

Sure! Here it is:

  But I can retrieve the config via sgadmin -r and it looks

identical except quotation and indention.

Thank you

···

https://gist.github.com/gna582/cdc9e628330808a23443fd71c348e250
On 9/17/18 4:15 PM, Jochen Kressin
wrote:

    To me, this does not look like a problem with the
.kibana index per se. I conclude this from the error message,
with is an “Unexpected Exception” with status code 500:

"statusCode":500,"

              ...

                                Unexpected exception

indices:data/read/search

``

      This means it is an internal Search Guard error. If the
.kibana index would not be accerssible, say, because of wrong
roles or permissions, you would see a different message.

The message you see on the ES side:

org.elasticsearch.index.IndexNotFoundException: no such index

``

      Refers to the Search Guard index not being accessible. It
roots in SG not being able to read the roles from the index:

at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

      That's why I was asking for the shards, because the node does
not seem to have the “searchguard” index accessible.

      So after recreating the SG index, is the error message on
Elasticsearch side still the same? Means, the “no such index”
message? This would seem very strange since the SG index is an
index like any other index on your cluster. Means, it is
completely managed by Elasticsearch.

      Thanks for the link to the gist - but it contains the
mapping only, can you do a _search on the SG index? The actual
documents in this index should be base64 encoded strings.

      On Monday, September 17, 2018 at 3:55:50 PM UTC+2, Benedikt
Haug wrote:

Thank you for having a look!

            No, it never worked. I meant that i removed searchguard
completely by removing the plugin and it started to work
without searchguard.

            The upgrade was done by installing the new plugin
version and restarting the cluster altogether. After it
didn’t work I also tried to remove the old plugin
version before installing the new one.

I did not change the shard allocation.

The searchguard indices content is here:

https://gist.github.com/gna582/da1d2439a2c51ed3e41d96fd2385bdbe

            I just tried to remove the searchguard index with -dci
and recreated it afterwards but the kibana journal still
looks like this:

            Sep 17 15:54:08 mes-any-logwfe-dev001 kibana[23739]:
{“type”:“error”,“@timestamp”:“2018-09-17T13:54:08Z”,“tags”:[“warning”,“stats-collection”],“pid”:23739,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception
indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound
(/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            As this is a dev host I could drop the .kibana index
but I don’t want to do this for live environments.

Thank you for your help!

On 9/17/18 3:28 PM, Jochen Kressin wrote:

              According to the ES log file there seems
to be an issue when accessing the Search Guard index:

[2018-09-12T17:43:42,182][ERROR][c.f.s.f.SearchGuardFilter] Unexpected exception [] IndexNotFoundException[no such index]
org.elasticsearch.index.IndexNotFoundException: no such index

…

at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.getResolvedIndexPattern(ConfigModel.java:598) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.access$900(ConfigModel.java:484) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.impliesTypePerm(ConfigModel.java:768) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.access$1100(ConfigModel.java:47) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

                 Which would also explain the 30 seconds timeout you

experienced. When you say:

                "I have tried to purge searchguard and the error

disappeared thus posting it here."

                Do you mean you reinitialized the SG index and
the error went away? This would then indicate some
problems with the availability of the SG index
primary/replica shards. How did you perform the
upgrade? Was it a rolling restart? Did you set
anything regarding shard allocation before
performing the upgrade?

                On Wednesday, September 12, 2018 at 6:01:08 PM
UTC+2, benedikt.haug@gmx.de
wrote:

Dear searchguard,

                      when upgrading a fully functional test
setup from 6.3.0-22.3 to 6.4.0-23.0 I can no
longer log into kibana afterwards. The browser
just gets an connection reset after waiting
for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

                      It throws the strange errors about .kibana

not being found but I can totally see that
index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0
8kb 4kb

                      journalctl -f kibana shows an error like

this:

                      Sep 12 17:56:27 mes-any-logwfe-dev001
kibana[15920]: {“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception
indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search
:: {"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound
(/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n
at _combinedTickCallback
(internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception
indices:data/read/search"}

                      I have tried to purge searchguard and the

error disappeared thus posting it here.

                      If anything is unclear or not verbose

enough please feel free to ask.

Thank you

                      When asking questions, please provide the

following information:

Search Guard and Elasticsearch version

6.4.0-23.0

                        * Installed and used enterprise modules,

if any

none/default

                        * JVM version and operating system

version

java version “1.8.0_121”

                        Java(TM) SE Runtime Environment (build

1.8.0_121-b13)

                        Java HotSpot(TM) 64-Bit Server VM (build

25.121-b13, mixed mode)

Debian 8

Search Guard configuration files

attached

                        * Elasticsearch log messages on debug

level

attached

                      * Other installed Elasticsearch or Kibana

plugins, if any

sudo ./kibana-plugin list

                      searchguard@6.4.0-14

sudo ./elasticsearch-plugin list

                      search-guard-6

–

            You received this message because you are subscribed to

the Google Groups “Search Guard Community Forum” group.

            To unsubscribe from this group and stop receiving emails

from it, send an email to search-guard+unsubscribe@googlegroups.com.

            To post to this group, send email to search-guard@googlegroups.com.

            To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com?utm_medium=email&utm_source=footer).

            For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/3c5adfac-ee43-453c-a18a-dd1d501c6ae6%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/3c5adfac-ee43-453c-a18a-dd1d501c6ae6%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

jkressin · September 20, 2018, 11:09am

This is pretty strange, but I would still say this is somewhat more ES related, since the underlying problem is the index not found.

So, a couple of questions:

are you saying that you can retrieve the configs via sgadmin -r from the running cluster?
are you able to access Elasticsearch directly, means without Kibana?
can you try to apply the configuration again with sgadmin? Any errors in the logs?
can you start ES with debug logging? We would need the debug outputs from ES and SG while starting the node, and when the error occurs.

To enable debug logging, in your log4j2.properties, add:

logger.searchguard.name = com.floragunn
logger.searchguard.level = debugOn Monday, September 17, 2018 at

And set the ES logger to debug as well:

logger.action.name = org.elasticsearch.action

logger.action.level = debug

That will produce a lot of output, but will hopefully help to clear things up.

4:48:29 PM UTC+2, Benedikt Haug wrote:

···

Sure! Here it is:

https://gist.github.com/gna582/cdc9e628330808a23443fd71c348e250

  But I can retrieve the config via sgadmin -r and it looks
identical except quotation and indention.

Thank you

  On 9/17/18 4:15 PM, Jochen Kressin > wrote:

    To me, this does not look like a problem with the
.kibana index per se. I conclude this from the error message,
with is an “Unexpected Exception” with status code 500:

"statusCode":500,"

              ...

                                Unexpected exception

indices:data/read/search

``

      This means it is an internal Search Guard error. If the
.kibana index would not be accerssible, say, because of wrong
roles or permissions, you would see a different message.

The message you see on the ES side:

org.elasticsearch.index.IndexNotFoundException: no such index

``

      Refers to the Search Guard index not being accessible. It
roots in SG not being able to read the roles from the index:

at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

      That's why I was asking for the shards, because the node does
not seem to have the “searchguard” index accessible.

      So after recreating the SG index, is the error message on
Elasticsearch side still the same? Means, the “no such index”
message? This would seem very strange since the SG index is an
index like any other index on your cluster. Means, it is
completely managed by Elasticsearch.

      Thanks for the link to the gist - but it contains the
mapping only, can you do a _search on the SG index? The actual
documents in this index should be base64 encoded strings.

      On Monday, September 17, 2018 at 3:55:50 PM UTC+2, Benedikt > > Haug wrote:

Thank you for having a look!

            No, it never worked. I meant that i removed searchguard
completely by removing the plugin and it started to work
without searchguard.

            The upgrade was done by installing the new plugin
version and restarting the cluster altogether. After it
didn’t work I also tried to remove the old plugin
version before installing the new one.

I did not change the shard allocation.

The searchguard indices content is here:

https://gist.github.com/gna582/da1d2439a2c51ed3e41d96fd2385bdbe

            I just tried to remove the searchguard index with -dci
and recreated it afterwards but the kibana journal still
looks like this:

            Sep 17 15:54:08 mes-any-logwfe-dev001 kibana[23739]:
{“type”:“error”,“@timestamp”:“2018-09-17T13:54:08Z”,“tags”:[“warning”,“stats-collection”],“pid”:23739,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception
indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound
(/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            As this is a dev host I could drop the .kibana index
but I don’t want to do this for live environments.

Thank you for your help!

On 9/17/18 3:28 PM, Jochen Kressin wrote:

              According to the ES log file there seems
to be an issue when accessing the Search Guard index:

[2018-09-12T17:43:42,182][ERROR][c.f.s.f.SearchGuardFilter] Unexpected exception [] IndexNotFoundException[no such index]
org.elasticsearch.index.IndexNotFoundException: no such index

…

at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.getResolvedIndexPattern(ConfigModel.java:598) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$IndexPattern.access$900(ConfigModel.java:484) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.impliesTypePerm(ConfigModel.java:768) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel.access$1100(ConfigModel.java:47) ~[?:?]
at com.floragunn.searchguard.sgconf.ConfigModel$SgRoles.get(ConfigModel.java:321) ~[?:?]

``

                 Which would also explain the 30 seconds timeout you

experienced. When you say:

                "I have tried to purge searchguard and the error

disappeared thus posting it here."

                Do you mean you reinitialized the SG index and
the error went away? This would then indicate some
problems with the availability of the SG index
primary/replica shards. How did you perform the
upgrade? Was it a rolling restart? Did you set
anything regarding shard allocation before
performing the upgrade?

                On Wednesday, September 12, 2018 at 6:01:08 PM > > > > UTC+2, benedikt.haug@gmx.de > > > >                     wrote:

Dear searchguard,

                      when upgrading a fully functional test
setup from 6.3.0-22.3 to 6.4.0-23.0 I can no
longer log into kibana afterwards. The browser
just gets an connection reset after waiting
for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

                      It throws the strange errors about .kibana

not being found but I can totally see that
index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0
8kb 4kb

                      journalctl -f kibana shows an error like

this:

                      Sep 12 17:56:27 mes-any-logwfe-dev001
kibana[15920]: {“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception
indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search
:: {"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound
(/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n
at _combinedTickCallback
(internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception
indices:data/read/search"}

                      I have tried to purge searchguard and the

error disappeared thus posting it here.

                      If anything is unclear or not verbose

enough please feel free to ask.

Thank you

                      When asking questions, please provide the

following information:

Search Guard and Elasticsearch version

6.4.0-23.0

                        * Installed and used enterprise modules,

if any

none/default

                        * JVM version and operating system

version

java version “1.8.0_121”

                        Java(TM) SE Runtime Environment (build

1.8.0_121-b13)

                        Java HotSpot(TM) 64-Bit Server VM (build

25.121-b13, mixed mode)

Debian 8

Search Guard configuration files

attached

                        * Elasticsearch log messages on debug

level

attached

                      * Other installed Elasticsearch or Kibana

plugins, if any

sudo ./kibana-plugin list

                      searchguard@6.4.0-14

sudo ./elasticsearch-plugin list

                      search-guard-6

–

            You received this message because you are subscribed to

the Google Groups “Search Guard Community Forum” group.

            To unsubscribe from this group and stop receiving emails

from it, send an email to search-guard+unsubscribe@googlegroups.com.

            To post to this group, send email to search-guard@googlegroups.com.

            To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/de3e56d5-8c8e-4de9-9d2e-4e0dfd702cbc%40googlegroups.com?utm_medium=email&utm_source=footer).

            For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/3c5adfac-ee43-453c-a18a-dd1d501c6ae6%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/3c5adfac-ee43-453c-a18a-dd1d501c6ae6%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

Benedikt_Haug · September 20, 2018, 11:33am

Thanks for the help!

      - are you saying that you can retrieve the configs via
sgadmin -r from the running cluster?

Yes. It seems to be the same except quotation and indentation.

      - are you able to access Elasticsearch directly, means

without Kibana?

  I pulled the data from the search api via curl so yes that is

working. E.g. this would result in a whole lot of output, so i
pasted only a small portion

  curl --header "x-forwarded-for: 10.90.30.226" --user ttlko

–header “x-proxy-user: myuser” --header “x-proxy-roles: mygroup”

  ...}, "segments" : { "count" : 5, "memory_in_bytes" : 18562,

“terms_memory_in_bytes” : 14045, “stored_fields_memory_in_bytes” :
1560, “term_vectors_memory_in_bytes” : 0, “norms_memory_in_bytes”
: 0, “points_memory_in_bytes” : 689, “doc_values_memory_in_bytes”
: 2268, “index_writer_memory_in_bytes” : 0,
“version_map_memory_in_bytes” : 0, “fixed_bit_set_memory_in_bytes”
: 0 }, “request_cache” : {…

      - can you try to apply the configuration again with
sgadmin? Any errors in the logs?

Yes. No errors in the logs:

  root@mes-any-logwfe-dev001:~#

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh
-cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
-cacert /etc/ssl/mailcore/certs/padminmesanylogqa.pem -cert
/etc/ssl/mailcore/certs/padminmesanylogqa.pem -h
mes-any-logwfe-dev001.qa.server.lan -cn mes_any_log -key
/etc/ssl/mailcore/certs/padminmesanylogqa.pem -nhnv

  WARNING: JAVA_HOME not set, will use /usr/bin/java

  Search Guard Admin v6

  Will connect to mes-any-logwfe-dev001.qa.server.lan:9300 ... done

  Elasticsearch Version: 6.4.0

  Search Guard Version: 6.4.0-23.0

  Connected as UID=XXXXX,CN=padminmesanylogqa,O=ClientCert

  Contacting elasticsearch cluster 'mes_any_log' and wait for YELLOW

clusterstate …

  Clustername: mes_any_log

  Clusterstate: GREEN

  Number of nodes: 3

  Number of data nodes: 2

  searchguard index already exists, so we do not need to create one.

  Populate config from

/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/

  Will update 'sg/config' with

/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml

     SUCC: Configuration for 'config' created or updated

  Will update 'sg/roles' with

/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml

     SUCC: Configuration for 'roles' created or updated

  Will update 'sg/rolesmapping' with

/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml

     SUCC: Configuration for 'rolesmapping' created or updated

  Will update 'sg/internalusers' with

/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml

     SUCC: Configuration for 'internalusers' created or updated

  Will update 'sg/actiongroups' with

/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_action_groups.yml

     SUCC: Configuration for 'actiongroups' created or updated

  Done with success

      - can you start ES with debug logging? We would need the
debug outputs from ES and SG while starting the node, and when
the error occurs.

To enable debug logging, in your log4j2.properties, add:

logger.searchguard.name = com.floragunn
      logger.searchguard.level = debugOn Monday, September 17, 2018
at

And set the ES logger to debug as well:

logger.action.name = org.elasticsearch.action

logger.action.level = debug

Sure! The gist is here:

Thank you!

···

https://mes-any-logwfe-dev001.qa.server.lan:9200/.monitoring-es-6-2018.09.14/_search?pretty
https://gist.github.com/gna582/354a9205457b89aa4fefa1a617b0569d

searchguard_google_group · September 21, 2018, 1:34pm

What is the “base version” of this installation? Means: What was the first ES/SG version you installed and started with?
Was it originally a 5.x cluster or did you start with 6.3.0? This is important because if you migrated

from 5.x. to 6.x then .kibana is converted into an alias and maybe that causes the trouble (although it seemed working before upgrading to SG 23.0)

···

On Wednesday, 12 September 2018 18:01:08 UTC+2, be....g@gmx.de wrote:

Dear searchguard,

when upgrading a fully functional test setup from 6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana afterwards. The browser just gets an connection reset after waiting for the 30sec tcp timeout. I use proxy authentication via local apache proxy.

It throws the strange errors about .kibana not being found but I can totally see that index:

green open .kibana gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]: {“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_exception] Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[security_exception] Unexpected exception indices:data/read/search :: {"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"Unexpected exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\"Unexpected exception indices:data/read/search\"},\"status\":500}"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n at emitNone (events.js:111:20)\n at IncomingMessage.emit (events.js:208:7)\n at endReadableNT (_stream_readable.js:1064:12)\n at _combinedTickCallback (internal/process/next_tick.js:138:11)\n at process._tickDomainCallback (internal/process/next_tick.js:218:9)”},“message”:“[security_exception] Unexpected exception indices:data/read/search”}

I have tried to purge searchguard and the error disappeared thus posting it here.

If anything is unclear or not verbose enough please feel free to ask.

Thank you

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”
Java™ SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot™ 64-Bit Server VM (build 25.121-b13, mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

Other installed Elasticsearch or Kibana plugins, if any

sudo ./kibana-plugin list
searchguard@6.4.0-14

sudo ./elasticsearch-plugin list
search-guard-6

Benedikt_Haug · September 21, 2018, 1:46pm

The first SG version was definitely 6.3.0-22.3. The cluster was
deployed with 6.3.0 initially and was upgraded to 6.4.0-23.0.

···

On 9/21/18 3:34 PM, Search Guard wrote:

    What is the "base version" of this installation?
Means: What was the first ES/SG version you installed and
started with?
Was it originally a 5.x cluster or did you start with
6.3.0? This is important because if you migrated

      from 5.x. to 6.x then .kibana is converted into an alias
and maybe that causes the trouble (although it seemed working
before upgrading to SG 23.0)

      On Wednesday, 12 September 2018 18:01:08 UTC+2, wrote:

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/9e32db2b-f3b2-4e6c-95a7-98984138ec4c%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/9e32db2b-f3b2-4e6c-95a7-98984138ec4c%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

be....g@gmx.de

Dear searchguard,

            when upgrading a fully functional test setup from
6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana
afterwards. The browser just gets an connection reset
after waiting for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

            It throws the strange errors about .kibana not being

found but I can totally see that index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

            Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]:
{“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            I have tried to purge searchguard and the error

disappeared thus posting it here.

            If anything is unclear or not verbose enough please

feel free to ask.

Thank you

            When asking questions, please provide the following

information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”

              Java(TM) SE Runtime Environment (build 1.8.0_121-b13)

              Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13,

mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

            * Other installed Elasticsearch or Kibana plugins, if

any

sudo ./kibana-plugin list

sudo ./elasticsearch-plugin list
            search-guard-6

searchguard@6.4.0-14

searchguard_google_group · September 21, 2018, 1:48pm

another question with regards to sg_config.yml:

you should not have an entry like

'.kibana':
      '*':
        - INDICES_ALL

because dots are not permitted here.

Where did this entry come from?

Pls. remove this entry and try again.

Therefore we use something like:

    '?kibana':
      '*':
        - INDICES_ALL

sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring/*
    - indices:admin/template/*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '.kibana':
      '*':
        - INDICES_ALL
        # - indices:admin/template/put
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

···

On Wednesday, 12 September 2018 18:01:08 UTC+2, benedikt haug wrote:

Dear searchguard,

when upgrading a fully functional test setup from 6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana afterwards. The browser just gets an connection reset after waiting for the 30sec tcp timeout. I use proxy authentication via local apache proxy.

It throws the strange errors about .kibana not being found but I can totally see that index:

green open .kibana gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]: {“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_exception] Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[security_exception] Unexpected exception indices:data/read/search :: {"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"Unexpected exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\"Unexpected exception indices:data/read/search\"},\"status\":500}"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)\n at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)\n at emitNone (events.js:111:20)\n at IncomingMessage.emit (events.js:208:7)\n at endReadableNT (_stream_readable.js:1064:12)\n at _combinedTickCallback (internal/process/next_tick.js:138:11)\n at process._tickDomainCallback (internal/process/next_tick.js:218:9)”},“message”:“[security_exception] Unexpected exception indices:data/read/search”}

I have tried to purge searchguard and the error disappeared thus posting it here.

If anything is unclear or not verbose enough please feel free to ask.

Thank you

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”
Java™ SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot™ 64-Bit Server VM (build 25.121-b13, mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

Other installed Elasticsearch or Kibana plugins, if any

sudo ./kibana-plugin list
searchguard@6.4.0-14

sudo ./elasticsearch-plugin list
search-guard-6

Benedikt_Haug · September 26, 2018, 1:43pm

You are correct! Thank you! This solved the strange .kibana
issues. I have consequently reviewed all diffs to upstream config
so this doesn’t happen again. Sry.

  Sadly I can still not log in via proxy authentication due to: "no

xff done for class
org.elasticsearch.http.netty4.Netty4HttpRequest". The same config
works fine with 6.3.0-22.3

  I think I have found the cause of this to be the new Netty

4.1.25.Final release newly introduced in ES 6.4.0 after I realized
there is a trace debug level and had a look at the code.

  Would it be possible for you to have a look and check whether

proxy authentication is still working as intended with ES 6.4.0? I
made a Gist where I have commented what I think goes wrong in the
RemoteIpDetector.java:

Thank you for your help!

···

https://gist.github.com/gna582/cc8f33835054b71cb44d2f6cba4d8765
On 9/21/18 3:48 PM, Search Guard wrote:

another question with regards to sg_config.yml:

you should not have an entry like

'.kibana':
      '*':
        - INDICES_ALL

because dots are not permitted here.

Where did this entry come from?

Pls. remove this entry and try again.

Therefore we use something like:

    '?kibana':
      '*':
        - INDICES_ALL

sg_kibana_server:
  readonly:   true
cluster:
        - CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/monitoring/*
- indices:admin/template/*
indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '.kibana':
      '*':
                - INDICES_ALL
# - indices:admin/template/put
    '?kibana-6':
      '*':
            - INDICES_ALL
'?reporting*':
      '*':
            - INDICES_ALL
'?monitoring*':
      '*':
        - INDICES_ALL

      On Wednesday, 12 September 2018 18:01:08 UTC+2, benedikt haug

wrote:

Dear searchguard,

            when upgrading a fully functional test setup from
6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana
afterwards. The browser just gets an connection reset
after waiting for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

            It throws the strange errors about .kibana not being

found but I can totally see that index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

            Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]:
{“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            I have tried to purge searchguard and the error

disappeared thus posting it here.

            If anything is unclear or not verbose enough please

feel free to ask.

Thank you

            When asking questions, please provide the following

information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”

              Java(TM) SE Runtime Environment (build 1.8.0_121-b13)

              Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13,

mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

            * Other installed Elasticsearch or Kibana plugins, if

any

sudo ./kibana-plugin list

sudo ./elasticsearch-plugin list
            search-guard-6

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/2c95a7a4-a85f-4599-8501-a66f95fec1dd%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/2c95a7a4-a85f-4599-8501-a66f95fec1dd%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

searchguard@6.4.0-14

searchguard_google_group · December 12, 2018, 10:28am

We test every release thoroughly with a fully automated integration test suite also containing xff/proxy tests with nginx.

That said are you sure its nothing related to proxy/sg_config configuration? Does it work with recent 6.5.x builds?

Proxy auth is used widely spread and we received no other complaints so far.

···

On Wednesday, 26 September 2018 15:43:12 UTC+2, Benedikt Haug wrote:

  You are correct! Thank you! This solved the strange .kibana
issues. I have consequently reviewed all diffs to upstream config
so this doesn’t happen again. Sry.

  Sadly I can still not log in via proxy authentication due to: "no
xff done for class
org.elasticsearch.http.netty4. Netty4HttpRequest". The same config
works fine with 6.3.0-22.3

  I think I have found the cause of this to be the new Netty
4.1.25.Final release newly introduced in ES 6.4.0 after I realized
there is a trace debug level and had a look at the code.

  Would it be possible for you to have a look and check whether
proxy authentication is still working as intended with ES 6.4.0? I
made a Gist where I have commented what I think goes wrong in the
RemoteIpDetector.java:

https://gist.github.com/gna582/cc8f33835054b71cb44d2f6cba4d8765

Thank you for your help!

On 9/21/18 3:48 PM, Search Guard wrote:

another question with regards to sg_config.yml:

you should not have an entry like

'.kibana':
      '*':
        - INDICES_ALL

because dots are not permitted here.

Where did this entry come from?

Pls. remove this entry and try again.

Therefore we use something like:

    '?kibana':
      '*':
        - INDICES_ALL

sg_kibana_server:
  readonly:   true
cluster:
        - CLUSTER_MONITOR
- CLUSTER_COMPOSITE_OPS
- cluster:admin/xpack/    monitoring/*
- indices:admin/template/*
indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '.kibana':
      '*':
                - INDICES_ALL
# - indices:admin/template/put
    '?kibana-6':
      '*':
            - INDICES_ALL
'?reporting*':
      '*':
            - INDICES_ALL
'?monitoring*':
      '*':
        - INDICES_ALL

      On Wednesday, 12 September 2018 18:01:08 UTC+2, benedikt haug > > wrote:

Dear searchguard,

            when upgrading a fully functional test setup from
6.3.0-22.3 to 6.4.0-23.0 I can no longer log into kibana
afterwards. The browser just gets an connection reset
after waiting for the 30sec tcp timeout. I use proxy
authentication via local apache proxy.

            It throws the strange errors about .kibana not being

found but I can totally see that index:

green open .kibana
gd00htRbRUOXEzcyaGLQTQ 1 1 1 0 8kb 4kb

journalctl -f kibana shows an error like this:

            Sep 12 17:56:27 mes-any-logwfe-dev001 kibana[15920]:
{“type”:“error”,“@timestamp”:“2018-09-12T15:56:27Z”,“tags”:[“warning”,“stats-collection”],“pid”:15920,“level”:“error”,“error”:{“message”:“[security_ exception]
Unexpected exception indices:data/read/search”,“name”:“Error”,“stack”:“[ security_exception]
Unexpected exception indices:data/read/search ::
{"path":"/.kibana/_search","query":{"ignore_unavailable":true,"filter_path":"aggregations.types.buckets"},"body":"{\"size\":0,\"query\":{\"terms\":{\"type\":[\"dashboard\",\"visualization\",\"search\",\"index-pattern\",\"graph-workspace\",\"timelion-sheet\"]}},\"aggs\":{\"types\":{\"terms\":{\"field\":\"type\",\"size\":6}}}}","statusCode":500,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\" reason\":\"Unexpected
exception indices:data/read/search\"}],\"type\":\"security_exception\",\"reason\":\ \“Unexpected
exception indices:data/read/search\"}, \"status\":500}"}\n
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:307:15)\n
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/ transport.js:266:7)\n
at HttpConnector.
(/usr/share/kibana/node_modules/elasticsearch/src/lib/ connectors/http.js:159:7)\n
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js: 729:21)\n
at emitNone (events.js:111:20)\n at
IncomingMessage.emit (events.js:208:7)\n at
endReadableNT (_stream_readable.js:1064:12)\ n at
_combinedTickCallback (internal/process/next_tick. js:138:11)\n
at process._tickDomainCallback
(internal/process/next_tick.js:218:9)”},“message”:”[ security_exception]
Unexpected exception indices:data/read/search"}

            I have tried to purge searchguard and the error

disappeared thus posting it here.

            If anything is unclear or not verbose enough please

feel free to ask.

Thank you

            When asking questions, please provide the following

information:

Search Guard and Elasticsearch version

6.4.0-23.0

Installed and used enterprise modules, if any

none/default

JVM version and operating system version

java version “1.8.0_121”

              Java(TM) SE Runtime Environment (build 1.8.0_121-b13)

              Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13,

mixed mode)

Debian 8

Search Guard configuration files

attached

Elasticsearch log messages on debug level

attached

            * Other installed Elasticsearch or Kibana plugins, if

any

sudo ./kibana-plugin list

            searchguard@6.4.0-14

sudo ./elasticsearch-plugin list
            search-guard-6

–

  You received this message because you are subscribed to the Google

Groups “Search Guard Community Forum” group.

  To unsubscribe from this group and stop receiving emails from it,

send an email to search-guard+unsubscribe@googlegroups.com.

  To post to this group, send email to search-guard@googlegroups.com.

  To view this discussion on the web visit [https://groups.google.com/d/msgid/search-guard/2c95a7a4-a85f-4599-8501-a66f95fec1dd%40googlegroups.com](https://groups.google.com/d/msgid/search-guard/2c95a7a4-a85f-4599-8501-a66f95fec1dd%40googlegroups.com?utm_medium=email&utm_source=footer).

  For more options, visit [https://groups.google.com/d/optout](https://groups.google.com/d/optout).

Topic		Replies	Views
Proxy authentication Search Guard	4	537	September 20, 2018
kibana cannot connect to elasticsearch when searchguard is on with ArrayIndexOutOfBoundsException[0] Search Guard	6	803	September 17, 2015
Cannot login into Kibana after installing SearchGuard Search Guard	5	3943	May 14, 2022
Kibana is not logging in with no errors Search Guard	2	487	March 4, 2019
Kibana does not access Search Guard	8	414	December 4, 2017

6.4.0 can't login and kibanaserver user can't access .kibana

Related Topics