Invalid role definition in roles file . document and field level security is not – How to solve related issues

Average Read Time

2 Mins

Invalid role definition in roles file . document and field level security is not – How to solve related issues

Opster Team

Jan-20, Version: 1.7-8.0

Before you begin reading this guide, we recommend you run Elasticsearch Error Check-Up which can resolve issues that cause many errors.

This guide will help you check for common problems that cause the log ” Invalid role definition in roles file . document and field level security is not ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: discovery-file and plugin.

Advanced users might want to skip right to the common problems section in each concept or try running the Check-Up to analyze Elasticsearch configuration and help resolve this error.

Log Context

Log “Invalid role definition [{}] in roles file [{}]. document and field level security is not” classname is FileRolesStore.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

         String roleName = descriptor.getName();
        // first check if FLS/DLS is enabled on the role...
        for (RoleDescriptor.IndicesPrivileges privilege : descriptor.getIndicesPrivileges()) {
            if ((privilege.getQuery() != null || privilege.getGrantedFields() != null || privilege.getDeniedFields() != null)
                    && XPackSettings.DLS_FLS_ENABLED.get(settings) == false) {
                logger.error("invalid role definition [{}] in roles file [{}]. document and field level security is not " +
                        "enabled. set [{}] to [true] in the configuration file. skipping role..."; roleName; path
                        .toAbsolutePath(); XPackSettings.DLS_FLS_ENABLED.getKey());
                return null;
            }
        }




 

Run the Check-Up to get customized insights on your system:

Overview

A plugin is used to enhance the core functionalities of Elasticsearch. Elasticsearch provides some core plugins as a part of their release installation. In addition to those core plugins, it is possible to write your own custom plugins as well. There are several community plugins available on GitHub for various use cases.

Examples

Get all of the instructions for the plugin:

sudo bin/elasticsearch-plugin -h

Installing the S3 plugin for storing Elasticsearch snapshots on S3:

sudo bin/elasticsearch-plugin install repository-s3

Removing a plugin:

sudo bin/elasticsearch-plugin remove repository-s3

Installing a plugin using the file’s path:

sudo bin/elasticsearch-plugin install file:///path/to/plugin.zip

Notes and good things to know

  • Plugins are installed and removed using the elasticsearch-plugin script, which ships as a part of the Elasticsearch installation and can be found inside the bin/ directory of the Elasticsearch installation path.
  • A plugin has to be installed on every node of the cluster and each of the nodes has to be restarted to make the plugin visible.
  • You can also download the plugin manually and then install it using the elasticsearch-plugin install command, providing the file name/path of the plugin’s source file.
  • When a plugin is removed, you will need to restart every Elasticsearch node in order to complete the removal process.

Common issues

  • Managing permission issues during and after plugin installation is the most common problem. If Elasticsearch was installed using the DEB or RPM packages then the plugin has to be installed using the root user. Otherwise you can install the plugin as the user that owns all of the Elasticsearch files.
  • In the case of DEB or RPM package installation, it is important to check the permissions of the plugins directory after you install it. You can update the permission if it has been modified using the following command:
chown -R elasticsearch:elasticsearch path_to_plugin_directory 
  • If your Elasticsearch nodes are running in a private subnet without internet access, you cannot install a plugin directly. In this case, you can simply download the plugins and copy the files inside the plugins directory of the Elasticsearch installation path on every node. The node has to be restarted in this case as well.

Log Context

Log “Invalid role definition [{}] in roles file [{}]. document and field level security is not” classname is FileRolesStore.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

         String roleName = descriptor.getName();
        // first check if FLS/DLS is enabled on the role...
        for (RoleDescriptor.IndicesPrivileges privilege : descriptor.getIndicesPrivileges()) {
            if ((privilege.getQuery() != null || privilege.getGrantedFields() != null || privilege.getDeniedFields() != null)
                    && XPackSettings.DLS_FLS_ENABLED.get(settings) == false) {
                logger.error("invalid role definition [{}] in roles file [{}]. document and field level security is not " +
                        "enabled. set [{}] to [true] in the configuration file. skipping role..."; roleName; path
                        .toAbsolutePath(); XPackSettings.DLS_FLS_ENABLED.getKey());
                return null;
            }
        }




 

Run the Check-Up to get customized insights on your system:

Analyze your cluster

Skip to content