I followed the procedure described here to upgrade searchguard to FLX beta 2 on one of my ES 7.10.2 clusters.
Everything went smoothly, until I tried to restart Kibana.
Now The browser displays an 50X error, and this is what I see in the kibana log:
kibana[13634]: [ResponseError]: Response Error
kibana[13634]: Multitenancy: Could not get authinfo AuthenticationError: Response Error
kibana[13634]: [security_exception]: Insufficient permissions
kibana[13634]: Error while retrieving auth config { ResponseError: security_exception
kibana[13634]: at IncomingMessage.response.on (/usr/share/kibana/node_modules/@elastic/elasticsearch/lib/Transport.js:272:25)
kibana[13634]: at IncomingMessage.emit (events.js:203:15)
kibana[13634]: at endReadableNT (_stream_readable.js:1145:12)
kibana[13634]: at process._tickCallback (internal/process/next_tick.js:63:19)
kibana[13634]: name: 'ResponseError',
kibana[13634]: meta:
kibana[13634]: { body: { error: [Object], status: 403 },
kibana[13634]: statusCode: 403,
kibana[13634]: headers:
kibana[13634]: { 'content-type': 'application/json; charset=UTF-8',
kibana[13634]: 'content-length': '319' },
kibana[13634]: meta:
kibana[13634]: { context: null,
kibana[13634]: request: [Object],
kibana[13634]: name: 'elasticsearch-js',
kibana[13634]: connection: [Object],
kibana[13634]: attempts: 0,
kibana[13634]: aborted: false } } }
kibana[13634]: POST /api/core/capabilities 200 102ms - 9.0B
kibana[13634]: [ResponseError]: Response Error
kibana[13634]: Multitenancy: Could not get authinfo AuthenticationError: Response Error
kibana[13634]: GET /api/v1/systeminfo 200 32ms - 9.0B
kibana[13634]: [ResponseError]: Response Error
kibana[13634]: Multitenancy: Could not get authinfo AuthenticationError: Response Error
kibana[13634]: GET /api/v1/systeminfo 200 25ms - 9.0B
kibana[13634]: [ResponseError]: Response Error
kibana[13634]: Multitenancy: Could not get authinfo AuthenticationError: Response Error
kibana[13634]: [security_exception]: Insufficient permissions
kibana[13634]: { ResponseError: security_exception
at IncomingMessage.response.on (/usr/share/kibana/node_modules/@elastic/elasticsearch/lib/Transport.js:272:25)
at IncomingMessage.emit (events.js:203:15)
at endReadableNT (_stream_readable.js:1145:12)
at process._tickCallback (internal/process/next_tick.js:63:19)
name: 'ResponseError',
meta:
{ body: { error: [Object], status: 403 },
statusCode: 403,
headers:
{ 'content-type': 'application/json; charset=UTF-8',
'content-length': '319' },
meta:
{ context: null,
request: [Object],
name: 'elasticsearch-js',
connection: [Object],
attempts: 0,
aborted: false } } }
kibana[13634]: Internal Server Error
kibana[13634]: GET /api/v1/auth/config 500 27ms - 9.0B
Error while mapping auth credentials for trusted_origin[adca255d]
Authentication failed for null from [request=/_searchguard/authinfo, directIpAddress=192.168.245.175, originatingIpAddress=192.168.245.175, clientCertSubject=null]
No cluster-level perm match for User kibana <basic/internal_users_db> UNKNOWN [Action [cluster:admin:searchguard:auth/frontend/config/get]] [RolesChecked [sg_role_kibana4_server]]:
Evaluated Privileges:
_/cluster:admin:searchguard:auth/frontend/config/get: MISSING
Error while mapping auth credentials for trusted_origin[adca255d]
Error while mapping auth credentials for trusted_origin[adca255d]
Error while mapping auth credentials for trusted_origin[adca255d]
Authentication failed for null from [request=/_searchguard/authinfo, directIpAddress=192.168.245.175, originatingIpAddress=192.168.245.175, clientCertSubject=null]
No cluster-level perm match for User kibana <basic/internal_users_db> UNKNOWN [Action [cluster:admin:searchguard:auth/frontend/config/get]] [RolesChecked [sg_role_kibana4_server]]:
Evaluated Privileges:
_/cluster:admin:searchguard:auth/frontend/config/get: MISSING
Authentication failed for null from [request=/_searchguard/authinfo, directIpAddress=192.168.245.175, originatingIpAddress=192.168.245.175, clientCertSubject=null]
Authentication failed for null from [request=/_searchguard/authinfo, directIpAddress=192.168.245.175, originatingIpAddress=192.168.245.175, clientCertSubject=null]
Authentication failed for null from [request=/_searchguard/authinfo, directIpAddress=192.168.245.175, originatingIpAddress=192.168.245.175, clientCertSubject=null]
No cluster-level perm match for User kibana <basic/internal_users_db> UNKNOWN [Action [cluster:admin:searchguard:auth/frontend/config/get]] [RolesChecked [sg_role_kibana4_server]]:
Evaluated Privileges:
_/cluster:admin:searchguard:auth/frontend/config/get: MISSING
Thank you. Can you please try to assign the role SGS_KIBANA_SERVER to search_guard_roles of the user kibana? Only then, the user will have sufficient privileges.
Error while mapping auth credentials for trusted_origin[adca255d]
Authentication failed for null from [request=/_searchguard/authinfo, directIpAddress=192.168.245.175, originatingIpAddress=192.168.245.175, clientCertSubject=null]
This indicates that the sg_frontend_authc.yml file is missing. Can you please double check that it is present? It should have been created by the sgctl migrate-config process.
You can upload it using `sgctl.sh update-config path/to/sg_frontend_authc.yml
I had done this, when following the documentation.
I just pushed it again, to no avail:
$ ../sgctl-0.2.5/sgctl.sh update-config sg_frontend_authc.yml
Successfully connected to elasticsearch as user CN=sgadmin,OU=client,O=client,L=Test,C=FR
Configuration has been updated