
Elasticsearch Security Troubleshooting
Diagnose Elasticsearch authentication, authorization, and privilege issues using official security troubleshooting APIs.
Overview
Elasticsearch Security Troubleshooting is an agent skill, most often used in Operate (and also in Ship security review), that documents diagnostic Elasticsearch security APIs such as Has Privileges for live privilege verification.
Install
npx skills add https://github.com/elastic/agent-skills --skill elasticsearch-security-troubleshooting
What is this skill?
- Documents POST /_security/user/_has_privileges for self-service privilege checks
- Cluster, index, and Kibana application privilege patterns in one request body
- Pointers to elasticsearch-authn and elasticsearch-authz companions for full auth flows
- No manage_security required for has-privileges self-check
- Structured tables for index names, patterns, and allow_restricted_indices
- Request body covers cluster, index, and application privilege dimensions
Adoption & trust: 1.1k installs on skills.sh; 502 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Users or pipelines fail against Elasticsearch with opaque security errors and you need the right diagnostic API payloads fast.
Who is it for?
Solo operators maintaining Elastic Stack search, logs, or metrics who debug RBAC and Kibana space access in production.
Skip if: Teams not running Elasticsearch or builders who only need application-level JWT design without the Elastic security plugin.
When should I use this skill?
Elasticsearch authentication, authorization, or privilege errors appear in production or staging clusters.
What do I get? / Deliverables
You can run documented privilege checks and know which companion authn/authz references to load for deeper fixes.
- Correct Has Privileges request JSON for your index and Kibana checks
- Pointers to authn/authz companion skills for follow-up
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Operate → Infra because the skill is a diagnostic API reference for running Elasticsearch clusters, not for initial cluster design. Infra subphase matches production Elastic Stack operators fixing security-related access failures without necessarily rebuilding the app.
Where it fits
Ingest pipeline jobs fail with security exceptions and you verify monitor and manage_ingest_pipelines cluster rights.
Before go-live you confirm service accounts only have read on logs-* and metrics-* patterns.
A new dashboard space needs feature_discover.read and you test application privileges without granting manage_security.
How it compares
Elastic-specific API cheat sheet, not a generic OWASP auth guide or Terraform Elastic module.
Common Questions / FAQ
Who is elasticsearch-security-troubleshooting for?
Developers and operators on Elastic Stack who need accurate security troubleshooting endpoints while fixing access denials.
When should I use elasticsearch-security-troubleshooting?
Use it in Operate (infra) when production queries or Kibana features fail for privilege reasons; also in Ship (security) when validating least-privilege before launch.
Is elasticsearch-security-troubleshooting safe to install?
Check the Security Audits panel on this page; the skill describes APIs that query your cluster—run only against environments you control and avoid pasting secrets into chats.
SKILL.md - Elasticsearch Security Troubleshooting
# Elasticsearch Security Troubleshooting API Reference

Quick reference for diagnostic APIs used during security troubleshooting. For authentication and authorization APIs, see the **elasticsearch-authn** and **elasticsearch-authz** API references.

## Has Privileges

```text
POST /_security/user/_has_privileges
```

Test whether the authenticated user holds specific privileges. Does not require `manage_security` — any authenticated user can check their own privileges.

[Full documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-has-privileges)

### Request body

```json
{
  "cluster": ["monitor", "manage_ingest_pipelines"],
  "index": [
    {
      "names": ["logs-*", "metrics-*"],
      "privileges": ["read", "view_index_metadata"],
      "allow_restricted_indices": false
    }
  ],
  "application": [
    {
      "application": "kibana-.kibana",
      "privileges": ["feature_discover.read"],
      "resources": ["space:default"]
    }
  ]
}
```

| Field | Type | Description |
| --- | --- | --- |
| `cluster` | array[string] | Cluster privileges to test |
| `index` | array[object] | Index privilege checks |
| `index[].names` | array[string] | Index names or patterns |
| `index[].privileges` | array[string] | Named index privileges to test |
| `index[].allow_restricted_indices` | boolean | Include restricted indices (default: `false`) |
| `application` | array[object] | Application privilege checks (e.g. Kibana) |
| `application[].application` | string | Application name |
| `application[].privileges` | array[string] | Application privileges to test |
| `application[].resources` | array[string] | Resources to test against |

### Response

```json
{
  "username": "joe",
  "has_all_requested": false,
  "cluster": {
    "monitor": true,
    "manage_ingest_pipelines": false
  },
  "index": {
    "logs-*": {
      "read": true,
      "view_index_metadata": true
    },
    "metrics-*": {
      "read": false,
      "view_index_metadata": false
    }
  },
  "application": {}
}
```

| Field | Type | Description |
| --- | --- | --- |
| `has_all_requested` | boolean | `true` only if every requested privilege is granted |
| `cluster` | object | Per-privilege boolean for each cluster privilege tested |
| `index` | object | Per-index, per-privilege boolean for each index tested |
| `application` | object | Per-application, per-resource, per-privilege boolean |

## XPack Info

```text
GET /_xpack
```

Returns information about installed features and their status.

### Key response fields

| Field | Type | Description |
| --- | --- | --- |
| `features.security.available` | boolean | Whether security is available (license) |
| `features.security.enabled` | boolean | Whether security is currently enabled |

If `features.security.enabled` is `false`, all `_security` APIs return errors. Enable security in `elasticsearch.yml` with `xpack.security.enabled: true`.

## API Key — Get

```text
GET /_security/api_key
```

Retrieve API key information. Use query parameters to filter results.

[Full documentation](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-get-api-key)

### Query parameters

| Parameter | Type | Description |
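A worked example of the Has Privileges flow described above, added here and not part of the skill or of Elastic's own code: it builds the request body from the page's sample values and reduces a constructed response (the page's sample, with one application result filled in) to the list of denied privileges across the cluster, index and nested application dimensions.

```python
"""Has Privileges helper: build the request body and list what was denied.

Added example, not code from the elasticsearch-security-troubleshooting skill.
SAMPLE_RESPONSE is constructed to mirror the page's sample response (with one
application result filled in); nothing here contacts a cluster.
"""
from __future__ import annotations
from typing import Any

def build_request(cluster: list[str], indices: dict[str, list[str]],
                  apps: list[dict[str, Any]] | None = None,
                  allow_restricted: bool = False) -> dict[str, Any]:
    """Assemble a POST /_security/user/_has_privileges body.
    `indices` maps an index pattern (e.g. "logs-*") to the privileges to
    test; patterns that test the same privileges share one index entry."""
    grouped: dict[tuple[str, ...], list[str]] = {}
    for pattern, privs in indices.items():
        grouped.setdefault(tuple(privs), []).append(pattern)
    body: dict[str, Any] = {
        "cluster": cluster,
        "index": [{"names": names, "privileges": list(privs),
                   "allow_restricted_indices": allow_restricted}
                  for privs, names in grouped.items()],
    }
    if apps:
        body["application"] = apps
    return body

def missing_privileges(resp: dict[str, Any]) -> list[str]:
    """Return every denied privilege as 'dimension:path:privilege'.
    Cluster results are flat, index results are per pattern, and
    application results nest application -> resource -> privilege."""
    missing = [f"cluster:{p}" for p, ok in resp.get("cluster", {}).items() if not ok]
    for name, privs in resp.get("index", {}).items():
        missing += [f"index:{name}:{p}" for p, ok in privs.items() if not ok]
    for app, resources in resp.get("application", {}).items():
        for res, privs in resources.items():
            missing += [f"application:{app}:{res}:{p}"
                        for p, ok in privs.items() if not ok]
    return sorted(missing)

# Constructed response: the page's sample plus one Kibana application result.
SAMPLE_RESPONSE: dict[str, Any] = {
    "username": "joe", "has_all_requested": False,
    "cluster": {"monitor": True, "manage_ingest_pipelines": False},
    "index": {"logs-*": {"read": True, "view_index_metadata": True},
              "metrics-*": {"read": False, "view_index_metadata": False}},
    "application": {"kibana-.kibana": {"space:default": {"feature_discover.read": True}}},
}
```

An empty list from `missing_privileges` corresponds to `has_all_requested: true`; a non-empty list names exactly which role grants are missing before you touch any role mapping.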