Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Stack Monitoring] Missing remote_cluster_client role is reported as "access denied" #129546

Closed
Tracked by #127224
matschaffer opened this issue Apr 5, 2022 · 6 comments · Fixed by #140738
Closed
Tracked by #127224

[Stack Monitoring] Missing remote_cluster_client role is reported as "access denied" #129546

matschaffer opened this issue Apr 5, 2022 · 6 comments · Fixed by #140738
Assignees
@miltonhultgren
Labels
bug Fixes for quality problems that affect the customer experience Feature:Stack Monitoring Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services

Comments

@matschaffer
Copy link
Contributor

matschaffer commented Apr 5, 2022
edited

This was originally reported as #125756 to which #120384 will provide a workaround, but the error case is still quite confusing.

When attempting to load Stack Monitoring UI with monitoring.ui.ccs.enabled: true (the current default and proposed ongoing default in #120384) but missing the remote_cluster_client role, the user will get this error message:

image

Which says nothing about what needs to be done to resolve the error (either disable css or add the remote_cluster_client node role).

We should update the error handling in our access check to make the error clearer for both the end user, and ourselves fielding support or forum issues like these:
@matschaffer matschaffer added bug Fixes for quality problems that affect the customer experience Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services Feature:Stack Monitoring labels Apr 5, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/infra-monitoring-ui (Team:Infra Monitoring UI)

@matschaffer matschaffer changed the title [Stack Monitoring] Missing remote_cluster_client is reported as "access denied" [Stack Monitoring] Missing remote_cluster_client role is reported as "access denied" Apr 5, 2022
@liza-mae
Copy link
Contributor

I just came across this same issue in upgrade testing, will try remedy in discuss ticket.

Screenshot from 2022-04-19 16-20-48

@liza-mae
Copy link
Contributor

liza-mae commented Apr 19, 2022
edited

I tried a user with kibana_admin and monitoring_user roles and it did not work, the error still is present.

@matschaffer
Copy link
Contributor Author

@liza-mae check if the ES nodes have remote_cluster_client. This error sounds like user adjustment is required, but usually I see it happen because the ES node roles are unable to support CCS.

@bar0n36
Copy link

bar0n36 commented May 26, 2022

@matschaffer - I have replicated this issue, but even with monitoring.ui.ccs.enabled: false, I was unable to access Stack Monitoring without the remote_cluster_client role assigned to my cluster nodes (2 x nodes)

This is a new build of 8.2.1.

@matschaffer matschaffer mentioned this issue May 30, 2022
Closed
39 tasks
@matschaffer
Copy link
Contributor Author

matschaffer commented May 30, 2022
edited

Thanks @bar0n36

Can you provide more details about your test environment? ESTF or ESS? Just regular downloads to a laptop? cluster roles, possibly an ES diagnostic, etc

@miltonhultgren miltonhultgren self-assigned this Sep 12, 2022
miltonhultgren added a commit to miltonhultgren/kibana that referenced this issue Sep 14, 2022
@miltonhultgren
[Stack Monitoring] Verify remote cluster client role when CCS is enab…
fb414f5 
…led (elastic#129546)
@miltonhultgren miltonhultgren mentioned this issue Sep 14, 2022
Merged
miltonhultgren added a commit that referenced this issue Sep 15, 2022
@miltonhultgren @kibanamachine
[Stack Monitoring] Verify remote cluster client role when CCS is enab…
f014ca4 
…led (#140738)

* [Stack Monitoring] Verify remote cluster client role when CCS is enabled (#129546)

* Only show UI hint if CCS is enabled

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Sep 15, 2022
@miltonhultgren
[Stack Monitoring] Verify remote cluster client role when CCS is enab…
c341e4c 
…led (elastic#140738)

* [Stack Monitoring] Verify remote cluster client role when CCS is enabled (elastic#129546)

* Only show UI hint if CCS is enabled

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit f014ca4)
kibanamachine added a commit that referenced this issue Sep 15, 2022
@kibanamachine @miltonhultgren
[Stack Monitoring] Verify remote cluster client role when CCS is enab…
7b2eae6 
…led (#140738) (#140801)

* [Stack Monitoring] Verify remote cluster client role when CCS is enabled (#129546)

* Only show UI hint if CCS is enabled

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit f014ca4)

Co-authored-by: Milton Hultgren <milton.hultgren@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@miltonhultgren miltonhultgren

Labels
bug Fixes for quality problems that affect the customer experience Feature:Stack Monitoring Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Stack Monitoring] Verify remote cluster client role when CCS is enabled miltonhultgren/kibana
5 participants
@matschaffer @miltonhultgren @elasticmachine @liza-mae @bar0n36