Discover: [security_exception] action [indices:data/read/msearch] is unauthorized for user
If you select a date range in the Kibana discover tab that includes some data, everything will work correctly.
If you include a range that includes no data, you’ll get an authorization error because the user is not permitted to execute _msearch.
The _msearch it’s trying to execute is for .kibana-devnull.
This is with Elasticsearch 2.3.2 / Shield 2.3.2/ and no longer a requirement in 5.0.
For example, the following my_kibana_user role only allows users to discover and visualize data in the logstash-* indices.
my_kibana_user: cluster: - monitor indices: - names: 'logstash-*' privileges: - view_index_metadata - read - names: '.kibana*' privileges: - manage - read - index All Kibana users need access to the .kibana and .kibana-devnull indices.