How to troubleshoot the "forbidden" error, when it appears on Kibana portal during saving a search result?
This error message usually comes up when an item is interfering with the saving of data to the Elasticsearch indices.
The following steps can be done to troubleshoot this issue:
Check if there is enough free space on Elasticsearch storage drive. If there is less free space, check if the index for the current month ("TenantName-yyyy.mm") is set to read only mode. Steps to validate read only mode and remove out of the same are given below **.
Check if the .kibana index is set into read only mode. Steps to validate read only mode and remove out of the same are given below .
If X-Pack is enabled, ensure the appropriate roles are provided to the user being used. If not sure, ensure "Minimum privileges set for all spaces" is set to "All".
Steps to validate "Read only" mode for index and fixing it:
- Navigate to "Management" pane.
- Select Index management, under Elasticsearch section.
- If you are searching for system indices (.kibana, .monitoring etc.) enable the "Show system indices" option.
- Select the index from the list whose setting that needs validation.
- On the index pane that appears, select "Settings" tab. The "read_only_allow_delete" property is available here. If the property is set to true, this would mean the index is in read only mode and does not accept new data.
- To remove the read only property on the index, navigate to the "Edit settings" pane and set the "read_only_allow_delete" to false and click on Save.