Security-exception-action-[indices:admin/settings/update] is unauthorized for user [kibana] on indices [apm-7.6.0-error-000001]
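I have set up elasticsearch, kibana and apm-server on EC2 instances.
The APM server is set up and receiving data from other application server instances.
In Stack Management, the apm-7.6.0 related indices show an error:
ilm.step: ERROR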
apm-7.6.0-error-000001
apm-7.6.0-span-000001
apm-7.6.0-profile-000001
apm-7.6.0-transaction-000001
apm-7.6.0-metric-000001
GET /apm-7.6.0-span-000001/_ilm/explain -> query
"step_info" : {
"type" : "security_exception",
"reason" : "action [indices:admin/settings/update] is unauthorized for user [kibana] on indices [apm-7.6.0-span-000001], this action is granted by the index privileges [manage,all]",
"stack_trace" : """ElasticsearchSecurityException[action [indices:admin/settings/update] is unauthorized for user [kibana] on indices [apm-7.6.0-span-000001], this action is granted by the index privileges [manage,all]]
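The error shows that I am using the kibana user for apm-server, which has no ILM access, but I am using a separate user 'apm-server-kibana' with the kibana_system, kibana_admin, apm_system and apm-ilm roles. With the apm-ilm role I added "all" access for ILM on the apm* indices.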
ElasticsearchSecurityException[action [indices:admin/settings/update] is unauthorized for user [kibana] on indices [apm-7.6.0-error-000001],
this action is granted by the index privileges [manage,all]]
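In Kibana.yml
elasticsearch.username: kibana
In apm-server.yml
I am not using the user 'kibana' anywhere; I am using 'apm-server-kibana' instead.
Why does this error show the kibana user?
How do I resolve this error?
These APM rollover policies are created by default when APM is used, and they are created with the default user 'kibana'. So the kibana user does not have permission to update.
So, following the documentation line below, I modified the default APM rollover policy as a logged-in user [who has permission to update ILM] and then selected the 'retry index' option, which resolved this error.
Documentation:
If you use Elasticsearch's security features, ILM performs operations as the user who last updated the policy. ILM only has the roles assigned to the user at the time of the last policy update.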
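The diagnosis in the answer above can be scripted. This added example, which is not part of the original post, parses a `_ilm/explain` response, picks out indices whose ILM step failed with a `security_exception`, and groups them by policy so it is clear which policy has to be re-saved by a suitably privileged user and which indices to retry afterwards. The sample response is constructed; the policy name `example-apm-policy` and the names `plan_remediation` and `_denied` are assumptions.

```python
import json
import re
from collections import defaultdict

# Denial message format as it appears in step_info.reason on this page.
DENIAL = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" on indices \[[^\]]+\]"
    r"(?:, this action is granted by the index privileges \[(?P<privs>[^\]]+)\])?"
)

def _denied(index):
    # Builds one failed entry for the constructed sample below.
    return {
        "index": index, "managed": True, "policy": "example-apm-policy",
        "step": "ERROR",
        "step_info": {
            "type": "security_exception",
            "reason": "action [indices:admin/settings/update] is unauthorized "
                      f"for user [kibana] on indices [{index}], this action is "
                      "granted by the index privileges [manage,all]",
        },
    }

# Constructed sample of a GET apm-*/_ilm/explain response. Index names and the
# reason text follow the page; the policy name is a placeholder (assumption).
SAMPLE_EXPLAIN = json.dumps({"indices": {
    "apm-7.6.0-span-000001": _denied("apm-7.6.0-span-000001"),
    "apm-7.6.0-error-000001": _denied("apm-7.6.0-error-000001"),
    "apm-7.6.0-metric-000001": {
        "index": "apm-7.6.0-metric-000001", "managed": True,
        "policy": "example-apm-policy", "step": "check-rollover-ready",
    },
}})

def plan_remediation(explain_json):
    """Group ILM authorization failures by policy.

    For each policy: the user ILM ran as, the denied actions, the index
    privileges that would grant them, and the retry calls to issue after
    the policy has been re-saved by a user holding one of those privileges.
    """
    plan = defaultdict(lambda: {"users": set(), "actions": set(),
                                "privileges": set(), "retry": []})
    for name, info in json.loads(explain_json).get("indices", {}).items():
        step_info = info.get("step_info") or {}
        if info.get("step") != "ERROR" or step_info.get("type") != "security_exception":
            continue  # healthy index, or an error unrelated to authorization
        m = DENIAL.search(step_info.get("reason", ""))
        if not m:
            continue
        entry = plan[info.get("policy", "<unknown>")]
        entry["users"].add(m["user"])
        entry["actions"].add(m["action"])
        entry["privileges"].update(p.strip() for p in (m["privs"] or "").split(","))
        entry["retry"].append(f"POST /{name}/_ilm/retry")
    return dict(plan)

if __name__ == "__main__":
    for policy, entry in plan_remediation(SAMPLE_EXPLAIN).items():
        print(policy, sorted(entry["users"]), sorted(entry["privileges"]))
        print("\n".join(entry["retry"]))
```

Re-saving the policy is what changes the identity ILM runs as, so the retry calls only help once a user with `manage` on the APM indices has updated the policy.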