Notice that “groups” contains “group_does_not_exist”. Not surprisingly, this group does not exist on my LDAP server. In spite of this, though, it appears that the first (and only) access control rule is being used for all users.
If I simply execute the statement curl 'localhost:9200/_cat/indices?v' (even from an external machine), it returns a valid list of indexes. If I set “indexes” to “", all indices will be returned. But if I set “indexes” to "logs-”, then only the subset of indices are returned. This indicates to me that this rule is being used for authorization. Yet how is it being matched if the LDAP group doesn’t exist (and I’m not even specifying a user when executing the statement)?
FYI, when I execute a GET x.x.x.x:9200/_cat/indices?v from Postman on my local machine it works and I get the following response. It seems to be matching the only access control rule. Just not sure how.
BTW, I’m using “ldap_authentication” and “ldap_authorization” in my configuration because I couldn’t get “ldap_auth” to work. (When I configure with “ldap_auth” I get endlessly repeating “SSL: Disabled” statements in the logs.) Maybe this is part of the issue.
Once I got my “ldap_auth” configuration to work (see Possible documentation issue 2), the rule now seems to correctly restrict access.
I’m guessing my use of “ldap_authentication” and “ldap_authorization” was incorrect. (If you can suggest what I did wrong, I’d be interested to know. Always want to learn.)
the busy loop is something that happens in ES when there’s an exception in the handlers setup phase (which is when ROR reads the settings). Not much we can do there, except defer the settings read to a separate thread. But ideally settings parsers should not throw unhandled exceptions.