[undefined] Forbidden, with { due_to={ 0=“OPERATION_NOT_ALLOWED” } } on Kibana when accessing ILM

When I try to open the Kibana Index Lifecycle Policies page I get: Error loading policies "401: Unauthorized. [undefined] Forbidden by ReadonlyREST ES plugin, with { due_to={ 0=“OPERATION_NOT_ALLOWED” } }".

How do I check what is my plugin version?

The ROR version string is right beside the “pony”.

Give your user kibana_access: unrestricted (in the ACL) so they can change those structural things in Kibana.
In ROR, kibana_access: admin is intended as the admin of the ROR features. Not a Kibana super user.

Anyway, you can always inspect Elasticsearch logs and grep for “FORBIDDEN” string, it will show you what rule in what ACL block has rejected the request (see “HIS” field).
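The log check suggested above, as an added example that is not part of the original thread and is not ROR's own code: it scans log text for FORBIDDEN lines and reports which rule failed in a block where another rule had already matched. The line layout, the field names other than HIS, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). The layout
# "FORBIDDEN ... req={ K:v, ..., HIS:[block-> RULES:[rule->bool]], ... }"
# is an assumption about ROR's log line; adjust the patterns to your version.
SAMPLE_LOG = """\
[2024-01-10T09:15:02,101][INFO ][acl] FORBIDDEN by default req={ ID:1, USR:myuser, ACT:cluster:admin/ilm/get, MET:GET, PTH:/_ilm/policy, HIS:[Kibana server-> RULES:[auth_key->false]], [My admin User login-> RULES:[auth_key->true, kibana_access->false]] }
[2024-01-10T09:15:03,340][INFO ][acl] ALLOWED by { name: 'My admin User login' } req={ ID:2, USR:myuser, ACT:indices:data/read/search, MET:POST, PTH:/.kibana/_search, HIS:[My admin User login-> RULES:[auth_key->true]] }
[2024-01-10T09:16:40,007][INFO ][acl] FORBIDDEN by default req={ ID:3, USR:guest, ACT:cluster:admin/ilm/get, MET:GET, PTH:/_ilm/policy, HIS:[Kibana server-> RULES:[auth_key->false]], [My admin User login-> RULES:[auth_key->false]] }
"""

FIELD = re.compile(r"\b(USR|ACT|PTH):([^,}]*)")
BLOCK = re.compile(r"\[([^\[\]]+?)->\s*RULES:\[([^\]]*)\]")


def parse_forbidden(line):
    """Return user, action, path and per-block rule verdicts for a FORBIDDEN line."""
    if "FORBIDDEN" not in line:
        return None
    head, _, history = line.partition("HIS:")
    fields = {key: value.strip() for key, value in FIELD.findall(head)}
    blocks = {}
    for name, rules in BLOCK.findall(history):
        verdicts = {}
        for rule in filter(None, (r.strip() for r in rules.split(","))):
            rule_name, _, verdict = rule.rpartition("->")
            verdicts[rule_name.strip()] = verdict.strip() == "true"
        blocks[name.strip()] = verdicts
    return {"user": fields.get("USR"), "action": fields.get("ACT"),
            "path": fields.get("PTH"), "blocks": blocks}


def rejecting_rules(log_text):
    """Count (block, rule) pairs that failed in a block where another rule matched."""
    hits = Counter()
    for line in log_text.splitlines():
        record = parse_forbidden(line)
        if record is None:
            continue
        for block, verdicts in record["blocks"].items():
            if any(verdicts.values()):  # e.g. credentials matched, a later rule did not
                hits.update((block, rule) for rule, ok in verdicts.items() if not ok)
    return hits


if __name__ == "__main__":
    for (block, rule), count in rejecting_rules(SAMPLE_LOG).items():
        print(f"{count}x rejected by rule '{rule}' in block '{block}'")
```

To run it against a real node, read the contents of elasticsearch.log and pass the text to `rejecting_rules` in place of `SAMPLE_LOG`.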

I don’t use the application shown in the provided image.
I only use Kibana.
What is that application?

Wait, what Kibana version are you using? Maybe you have a Kibana older than 7.9.0, and you are using ROR “old platform” that does not have that drop down menu?

Or you are using ROR for Elasticsearch and your Kibana does not have ROR plugin for Kibana installed?

That menu comes from a Kibana 8.x with ROR plugin installed.

We use elasticsearch version 7.5

Yeah, makes sense then that you never saw that menu. My recommendation remains valid: the user you are using to change the ILM settings should be granted kibana_access: unrestricted.

How do I grant kibana_access: unrestricted?
I work on Microsoft Windows OS.

You should edit the ACL yaml. I don’t know if you are keeping it in the readonlyrest.yml file in the same folder with elasticsearch.yml in the Elasticsearch nodes, or you use the ROR Kibana app GUI.
Anyway, if you have configured ROR once, you will know.

When you see the ACL you will notice a lot of “blocks” that look more or less like this:

- name: My admin User login
  auth_key: myuser:mypassword
  kibana_access: unrestricted # <-- add this

If you don’t know what to modify, show us your sanitised ACL code and we’ll point out what to do.

I use readonlyrest.yml in same folder with elasticsearch.yml.

  1. Is a server restart needed after the change?
  2. Could the auth_key parameter have the value of a Windows group name that contains several users?

How can I inspect Elasticsearch logs?

Yes, if you use file-based configuration the Elasticsearch nodes need to be restarted.

Not sure what you mean with windows groups. You mean Active Directory / LDAP? We have that connector, yes. You need to configure it appropriately.

See the ROR docs.

Is a restart of the Elasticsearch service needed, or a restart of the whole node?

Where are the Elasticsearch logs in order to search for my error cause?

What do you mean by "show us your sanitised ACL code"?

Restarting the node means the elasticsearch process.

Not sure how and where you installed Elasticsearch. The file should be called elasticsearch.log.

Sanitised means with passwords and sensitive data removed.

ACL is the YAML that is contained in readonlyrest.yml.

What do you mean by YAML?

This worked for me.
What other rights can be granted besides unrestricted?
Can I limit the Kibana index management menu to some users?

Can you paste a screenshot of the working thing?