IMPORTANT: Version 6.6 of Elasticsearch has passed its maintenance date.
This documentation is no longer being updated. For the latest information, see the current release documentation.
- I configured the appropriate roles and the users, but I still get an authorization exception.
- I can authenticate to LDAP, but I still get an authorization exception.
Verify that the role names associated with the users match the roles defined in the
roles.ymlfile. You can use the
elasticsearch-userstool to list all the users. Any unknown roles are marked with
For more information about this command, see the
If you are authenticating to LDAP, a number of configuration options can cause this error.
Groups are located by either an LDAP search or by the "memberOf" attribute on the user. Also, If subtree search is turned off, it will search only one level deep. See the LDAP Settings for all the options. There are many options here and sticking to the defaults will not work for all scenarios.
group to role mapping
role_mapping.ymlfile or the location for this file could be misconfigured. For more information, see Security files.
The role definition might be missing or invalid.
To help track down these possibilities, add the following lines to the end of the
log4j2.propertiesconfiguration file in the
logger.authc.name = org.elasticsearch.xpack.security.authc logger.authc.level = DEBUG
A successful authentication should produce debug statements that list groups and role mappings.