New Elastic/Kibana User

I am trying to understand how one goes about creating and changing permissions for Kibana users. RockNSM created a user for me when I ran the install script, which was awful nice of them. However, that user does not have permissions to fully utilize or manage Kibana.

I am requesting help from any of you more knowledgable folks. Based on everything that I’ve read thus far, I need to log into Kibana with the built-in Elastic account. However, I have no idea what those credentials are. Please advise me on this, as I’m quite confounded as to why this isn’t something that is covered in the documentation… I’m guessing that it’s because I am simply missing something pretty obvious… That’s how I roll, though.

Thank you in advance.

It should be in the home directory of the user used to install. If the user was bob then the directory would be /home/bob/KIBANA_CREDS.txt

Thank you @koelslaw, but I fear that I didn’t explain my predicament properly. Please, allow me to restate my issue in a more succinct manner.

I have access to the initial account that was created during the installation of Rock. This account information is indeed in /home/“bob”/KIBANA_CREDS, and in fact, I have actually created another Kibana user account, for sake of argument “Tim”. I used the kibanapw USER PASSWORD command. However, both Bob and Tim accounts are no more than standard user accounts within Elasticsearch. I am interested in creating an account, or using an existing account, that has admin privileges in Elastichsearch. There are several aspects of Elasticsearch/Kibana that I do not have access to, and would very much like to be able to manipulate.

What I am specifically after, is elevation of a user account, or more accurately, administrative role assignment to user accounts within Elasticsearch. Now, I believe it is possible that the initial Bob account may be an admin, and I simply am using this system incorrectly. If so, that also is something that I need to understand.

Please see below for an example of what I am running into, when attempting to use the initial Bob account that was created upon installation. This is in the Security>Detections in the left side menu. I also cannot manage users from within Kibana, in the Security>Users selection, as the “Users” option does not even appear for the Bob Elasticsearch account.

I am following you now. That is a setting that needs to be set in etc/elasticsearch/elasticsearch.yml file. To my knowledge there is not a way to do it from Kibana. One the changes are made restart elasticsearch and you should be able to use security features

Please see for Sec : https://www.elastic.co/guide/en/elasticsearch/reference/current/get-started-enable-security.html

Please see for description of Basic Tier :

Please See for Creating Users:

@hellix22 you can also check this training out on securing Elasticsearch. It may cover what you’re looking for WRT users and roles in Elasticsearch. It’s free.

1 Like

Well gentlemen, I want to thank you. You two have certainly put me on the correct path. Once enabled, it ALMOST worked. As it turns out, I now have some errors popping up. Upon further research with the new errors, there appears to be a bit more to the process than simply enabling security in the elasticsearch.yml file. I have been hopping about on the internet, and in different forums belonging to Elastic, and there is a need for me to configure authentication at the low-level Java REST client.

Now I am confident that I will EVENTUALLY figure this out, especially since I have access to a great web dev at my place of employment. However, if there is something that either of you, or anyone else on this forum, can do to help me expedite this process, it would be VERY much appreciated. I do not have much experience with the backend of Kibana and Elasticsearch, but have a fair bit of experience utilizing these tools in a cyber security setting. I state this, because I really need to get this up and running in our environment, especially in light of the current world cyber situation.

That being said, if anyone could spend a bit of time with me, helping me get through this more rapidly, I would be eternally grateful. My biggest issue is knowing the location of the associated files, with regard to this particular configuration. Again though, I do not wish to impose upon anyone, and completely understand if the popular stance is that I should go through the learning curve just like everyone else. I do indeed understand that outlook. Please advise if you wish to help me out, and I’ll post any logs that you may need. In the interim, I shall be studying and researching to the fullest abilities of my little brain.

Thank you again for your already very valuable help!

Are you talking about TLS? If you could drop an copy of the error that would certainly help.

Ill try and help where I can, when I can. In an effort to better understand the end goal, what kind of data are you going for? Network? Endpoint? Both? ROCK has its own set of dashboards and visualizations prebuilt. Some of data (indices) translates over to the Security app while others do not. If your more focused on network then vanilla ROCK deployment should offer you what you are looking for without enabling the security app. If you are wanting more then the defaults will need a little work. Extending ROCK is certainly possible and expected but not as easy to get an answer for.

@koelslaw I appreciate anything you can provide. My goal is both network and endpoint. I am going to attempt to put this issue in a way that makes sense to people other than myself, as I tend to think in odd circles.

When I attempt to activate security in the elasticsearch.yml file, I get an error upon restarting Kibana services. The error is a mess, with a lot of slashes in it, so I am going to post a condensed version from curl:

[root@rocknsm-1 ~]# curl http://localhost:9200/_cluster/health?pretty

{
“error” : {
“root_cause” : [
{
“type” : “security_exception”,
“reason” : “missing authentication credentials for REST request [/_cluster/health?pretty]”,
“header” : {
“WWW-Authenticate” : "Basic realm=“security” charset=“UTF-8"”
}
}
],
“type” : “security_exception”,
“reason” : “missing authentication credentials for REST request [/_cluster/health?pretty]”,
“header” : {
“WWW-Authenticate” : "Basic realm=“security” charset=“UTF-8"”
}
},
“status” : 401
}
[root@rocknsm-1 ~]#

When I start looking into this on discuss.elastic.co, I found that another person ran into an identical problem. Please see this link - Identical Issue

The first response from Ikakavas (Elastic Team Member) points to a page that provides instruction for configuring basic authentication. That page is at this link - Configure Auth

My problem is that I don’t understand where in RockNSM to accomplish this task. I believe if I knew how to manipulate org.apache.http.impl.nio.client.HttpAsyncClientBuilder was located, I could easily get this problem fixed.

As you said, RockNSM dashboards are pretty robust, and for the most part all that I need. However, I do intend b egin incorporating endpoint aspects in the very near future. I do hope that this is the information that you need…

Thank you again for any assistance you may be able to provide.

you may need to pass -u username:password option with that curl.

does the logs in /var/log/elasticsearch/rocknsm.log give anything useful?