How To Solve Issues Related to Log – Invalid role definition in roles file . document and field level security is not

Prevent Your Next ELK Incident

Try our free Check Up to test if your ES issues are caused from misconfigured settings

Fix Issue

Updated: Jan-20

In Page Navigation (click to jump) :
Troubleshooting Background       
Related Issues  
Log Context
About Opster

Opster Offer’s World-Class Elasticsearch Expertise In One Powerful Product
Try Our Free ES Check-Up   Prevent Incident

Troubleshooting background

To troubleshoot Elasticsearch log “Invalid role definition in roles file . document and field level security is not” it’s important to understand common problems related to Elasticsearch concepts: discovery-file, plugin. See detailed explanations below complete with common problems, examples and useful tips.

Plugin in Elasticsearch

What it is

A plugin is used to enhance the core functionalities of Elasticsearch. Elasticsearch provides some core plugins as a part of their release installation. In addition to those core plugins, it is possible to write your own custom plugins as well. There are several community plugins available on GitHub for various use cases.

Examples:
  • Get all the instructions for the plugin usage
sudo bin/elasticsearch-plugin -h
  • Installing S3 plugin using URL for storing Elasticsearch snapshots on S3
sudo bin/elasticsearch-plugin install repository-s3
  • Removing a plugin
sudo bin/elasticsearch-plugin remove repository-s3
  • Installing a plugin using the file path
sudo bin/elasticsearch-plugin install file:///path/to/plugin.zip

Notes:
  • Plugins are installed and removed using the elasticsearch-plugin script, which ships as a part of Elasticsearch installation and can be found inside the bin/ directory of the Elasticsearch installation path.
  • A plugin has to be installed on every node of the cluster and each of the nodes has to be restarted to make the plugin visible.
  • You can also download the plugin manually and then install it using the elasticsearch-plugin install command, providing the file name/path of the plugin’s source file.
  • When a plugin is removed, you will need to restart every elasticsearch node in order to complete the removal process.

Common Problems:
  • Managing permission issues during and after plugin installation is the most common problem. If Elasticsearch was installed using the deb or rpm package then the plugin has to be installed using the root user, or else you can install the plugin as the user that owns all of the Elasticsearch files.
  • In case of deb or rpm package installation, it is important to check the permission of the plugins directory after plugin installation and update the permission if it has been modified using the following command:
chown -R elasticsearch:elasticsearch path_to_plugin_directory 
  • If your Elasticsearch nodes are running in a private subnet without internet access, you cannot install a plugin directly. In this case, you can simply download the plugins at once and copy the files inside the plugins directory of the Elasticsearch installation path on every node. The node has to be restarted in this case as well.

Document in Elasticsearch

Overview

A document is simply a json document that is stored in Elasticsearch index. It consists of one or more fields; where each field has its own data type. This field type defines the type of data that can be stored in the field such as integer, string, object. Document is schema-free, which means we do not require to specify schema before indexing document, when a field is indexed for the first time, its type is decided and set.

Examples:

Creating A document : to create a document in the users index.

POST  /users/_doc 
{
    "name" : "Petey",
    "lastname" : "Cruiser",
    "email" : "petey@gmail.com"
}

In the above request, we haven’t mentioned id for the document so index operation generates a unique ID for the document. Here _doc is the type of document. We can provide this type to user-defined type also where user index may store user type document.

POST  /users/_doc/1
{
    "name" : "Petey",
    "lastname" : "Cruiser",
    "email" : "petey@gmail.com"
}

In the above query, the document will be created with id 1.

You can use the below ‘GET’ query to get a document from the index using id

GET  /users/_doc/1

Bellow is the result containing the document (in _source field) with metadata:-

{
    "_index": "users",
    "_type": "_doc",
    "_id": "1",
    "_version": 1,    "_seq_no": 1,    "_primary_term": 1,
    "found": true,
    "_source": {
        "name": "Petey",
        "lastname": "Cruiser",
        "email": "petey@gmail.com"
    }
}
Notes

Starting version 7.0 types are deprecated, so for backward compatibility on version 7.x all docs are under type ‘_doc’, starting 8.x type will be completely removed from ES APIs


To help troubleshoot related issues we have gathered selected Q&A from the community and issues from Github , please review the following for further information :

1 Search-guard not integrating with elasticsearch 3.14 K 4

2 Kibana doesn’t show any results in “Discover” tab 53.76 K  76

Kibana Freezes On Document Level Se


Log Context

Log ”Invalid role definition [{}] in roles file [{}]. document and field level security is not” classname is FileRolesStore.java
We have extracted the following from Elasticsearch source code to get an in-depth context :

         String roleName = descriptor.getName();
        // first check if FLS/DLS is enabled on the role...
        for (RoleDescriptor.IndicesPrivileges privilege : descriptor.getIndicesPrivileges()) {
            if ((privilege.getQuery() != null || privilege.getGrantedFields() != null || privilege.getDeniedFields() != null)
                    && XPackSettings.DLS_FLS_ENABLED.get(settings) == false) {
                logger.error("invalid role definition [{}] in roles file [{}]. document and field level security is not " +
                        "enabled. set [{}] to [true] in the configuration file. skipping role..."; roleName; path
                        .toAbsolutePath(); XPackSettings.DLS_FLS_ENABLED.getKey());
                return null;
            }
        }






About Opster

Incorporating deep knowledge and broad history of Elasticsearch issues. Opster’s solution identifies and predicts root causes of Elasticsearch problems, provides recommendations and can automatically perform various actions to manage, troubleshoot and prevent issues.

Learn more: Glossary | Blog| Troubleshooting guides | Error Repository

Need help with any Elasticsearch issue ? Contact Opster

Did this page help you?