How to create a user with internal_users.yml file?

I want to create a user with predefined roles: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#predefined-roles

I tried editing the internal_users.yml file like below:

_meta:
  type: "internalusers"
  config_version: 2
# Define your internal users here

admin:
  hash: $2a$12$cTiFk0k0Ag2JEGlu4i6BDu.ESh0qzFHivIE/5uvaBdFpKMAo3ZPRa
  reserved: true
  backend_roles:
  - admin
  description: "Demo admin user"

# <--------------here----------->
readall_monitor:
  hash: $2a$12$5FS2ApvIzJpMi41ezyqr8eYzBY7B8p6mFD/QERjV6Z4cMOYQlKYBK
  opendistro_security_roles:
  - readall_and_monitor

But I can’t check the cluster health with this new credential.

$ curl -XGET "https://localhost:9200/_cluster/health?pretty" -u "readall_monitor:fuuax6j2" --insecure
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [cluster:monitor/health] and User [name=readall_monitor, opendistro_security_roles=[readall_and_monitor], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [cluster:monitor/health] and User [name=readall_monitor, opendistro_security_roles=[readall_and_monitor], requestedTenant=null]"
  },
  "status" : 403
}

What am I missing here?

I am facing the same issue. I have added a new user and assigned some predefined roles as well. I followed the steps to create a read user at this link: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#set-up-a-read-only-user-in-kibana

However, the new user cannot see any indexed data, even though the permission is there to read “*” index.

The way I solved the issue:

  1. Create users with the internal_users.yml file
  2. Give permission with the role_mapping.yml file

Hi Kamol,

Thank you so much for the reply. I tried that, but my new user is not created with that. I used the following configs:

In "internal_users.yml" I added the following:

kibana-read:
  hash: "$2y$12$u6kQWiyhaRKpaqC3yGNac.baMrFflSinnVtcZeQ9wqgNYfthl5APO"
  reserved: false
  hidden: false
  opendistro_security_roles:
  - "readall_and_monitor"
  backend_roles:
  - "readall_and_monitor"
  description: "kibana-read user"
  static: false

And in "roles_mapping.yml" I added the following:

readall_and_monitor:
  reserved: false
  backend_roles:
  - "kibana-read"
  description: "kibana read and cluster monitor"

Basically, I want to create users with kibana read access to check all the logs from discover and also have the access to create alerts. Some help on this would be greatly appreciated.
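
Added example (not part of the thread and not Open Distro code): a simplified model of how roles_mapping.yml entries are matched to a user, run over constructed dicts that mirror the YAML posted above. It assumes only `users` and `backend_roles` matching; wildcards, `hosts` and `and_backend_roles` are not modeled, and `MAPPING_BY_USER` is a hypothetical variant.

```python
"""Simplified model of roles_mapping.yml matching (added example)."""


def mapped_roles(username, user_entry, roles_mapping):
    """Return the security roles that roles_mapping grants to this user.

    A mapping entry matches when the username is listed under `users`, or
    when one of the user's backend roles is listed under `backend_roles`.
    Wildcards, `hosts` and `and_backend_roles` are not modeled here.
    """
    user_backend = set(user_entry.get("backend_roles") or [])
    granted = []
    for role, mapping in roles_mapping.items():
        if role == "_meta":  # file metadata block, not a role
            continue
        by_name = username in (mapping.get("users") or [])
        by_backend = user_backend & set(mapping.get("backend_roles") or [])
        if by_name or by_backend:
            granted.append(role)
    return sorted(granted)


# Constructed sample data mirroring the YAML posted in the thread.
INTERNAL_USERS = {
    "kibana-read": {
        "backend_roles": ["readall_and_monitor"],
        "opendistro_security_roles": ["readall_and_monitor"],
    },
}
# Mapping as posted: the username sits under backend_roles.
MAPPING_AS_POSTED = {
    "readall_and_monitor": {"reserved": False, "backend_roles": ["kibana-read"]},
}
# Hypothetical variant: the username is listed under users instead.
MAPPING_BY_USER = {
    "readall_and_monitor": {"reserved": False, "users": ["kibana-read"]},
}

if __name__ == "__main__":
    user = INTERNAL_USERS["kibana-read"]
    for label, mapping in (("as posted", MAPPING_AS_POSTED),
                           ("by username", MAPPING_BY_USER)):
        print(label, "->", mapped_roles("kibana-read", user, mapping))
```
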