After installing the ReadonlyREST plugin, LS stops creating new index in ES

Hi Experts,

I am using ELK 5.2.2 and I am checking this plugin. After installation ES is working fine but logstash stops working. My configurations are:

LS

    output {
      elasticsearch {
        action   => "index"
        hosts    => ["localhost:9200"]
        user     => "admin"
        password => "test123"
        index    => "management"
      }
    }

elasticsearch.yml

    readonlyrest:
        enable: true
        response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
        access_control_rules:

        - name: "::LOGSTASH::"
          auth_key: admin:test123
          type: allow
          actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
          indices: ["management*"]

        - name: kiabna
          type: allow
          auth_key: kibana:test123
          indices: [".kibana"]

        - name: Accept requests from users in group team1 on operations
          type: allow
          groups: ["team1"]
          indices: [".kibana","operations"]

        - name: Accept requests from users in group team2 on management
          type: allow
          groups: ["team2"]
          indices: [".kibana","management"]

        users:
        - username: vg
          auth_key: vg:test123
          groups: ["team1"]

        - username: gv
          auth_key: gv:test123
          groups: ["team2"]

        - username: vggv
          auth_key: vggv:test123
          groups: ["team1","team2"]

The operations index was already created before this plugin. Now I want to create the management index and LS gives the error below.

    [2017-04-24T14:31:05,254][INFO ][o.e.p.r.a.RequestContext ] id: 9fa221d72e49462bb2ce5fe842bca364 - Replacing indices. Old:[_all] New:[.kibana, operations]
    [2017-04-24T14:31:05,256][INFO ][o.e.p.r.a.ACL            ] request: { ID:9fa221d72e49462bb2ce5fe842bca364, TYP:GetIndexRequest, USR:vggv, BRS:true, ACT:indices:admin/get, OA:127.0.0.1, IDX:, MET:GET, PTH:/_aliases, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Accept-Encoding,Accept-Language,Authorization,Connection,content-length,Host,User-Agent, EFF:0, HIS:[::LOGSTASH::->[indices->true, auth_key->false, actions->false]], [kiabna->[indices->true, auth_key->false]], [Accept requests from users in group team1 on operations->[]], [Accept requests from users in group team1 on operations->[indices->true, groups->true]] } matched block: Accept requests from users in group team1 on operations match: true}

wait, the last lines look like they come from ES not LS… :confused:

My bad,

You were right, that was an ES message. Here is the LS error:

    14:22:43.939 [Ruby-0-Thread-5: D:/logstash-5.2.2/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.2.6-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:222] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x14b7f02 URL:http://admin:xxxxxx@localhost:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}
    14:22:48.960 [Ruby-0-Thread-5: D:/logstash-5.2.2/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.2.6-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:222] INFO logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://admin:xxxxxx@localhost:9200/, :path=>"/"}

Any update on this please? I am still facing this issue.

Hi @Vg15,

As you can see, Logstash is sending a request to the “/” path as a “health check”.
In the Elasticsearch logs, you should see a “forbidden by default” log line which includes “PTH:/” (the request asks for the root URI path).

i.e.

no block has matched, forbidding by default: { ID:1546474727-1916968102, TYP:MainRequest, USR:[no basic auth header], BRS:true, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/, CNT:<OMITTED, LENGTH=0>, HDR:Accept,content-length,Host,User-Agent, HIS:[kiabna->[auth_key->false]], [Accept requests from users in group team2 on management->[indices->true, groups->false]], [::LOGSTASH::->[auth_key->false]], [Accept requests from users in group team1 on operations->[indices->true, groups->false]] }

Now if you examine the same line further, you’ll also see an “ACT” field showing the Elasticsearch-level action name associated with such a request. In our case it’s cluster:monitor/main.

You can now literally copy and paste this string into the list of allowed actions for the “admin” account.

```yaml
- name: "::LOGSTASH::"
  auth_key: admin:test123
  type: allow
  actions: ["cluster:monitor/main", "indices:admin/types/exists", "indices:data/read/*", "indices:data/write/*", "indices:admin/template/*", "indices:admin/create"]
  indices: ["management*"]
```

Repeat the above debugging technique should you find that newer versions of logstash (or other systems) require other actions to be allowed.

I will add this action in the logstash-related snippets in the documentation. Thanks.
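The debugging technique above (find the “forbidding by default” line, read its ACT, PTH and HIS fields, then decide which block needs which change) is easy to automate when a log has many such lines. The script below is an added example written for this thread; it is not part of the original posts or of the ReadonlyREST project. It assumes the request-dump layout seen in the lines quoted above (`KEY:value` fields separated by commas, and a `HIS:` list of `[block->[condition->true/false]]` entries); the second and third sample lines are constructed to show a denied write and a line that should be skipped.

```python
"""Triage ReadonlyREST 'forbidding by default' log lines (added example, not project code)."""
import re
from dataclasses import dataclass, field

FORBIDDEN_MARKER = "forbidding by default"
# Scalar fields we care about; a value runs up to the next comma or closing brace.
# ACT values contain colons (cluster:monitor/main), so the value class must allow ':'.
FIELD_RE = re.compile(r"\b(TYP|USR|ACT|MET|PTH):([^,}]*)")
# One HIS entry looks like: [block name->[cond->true, cond->false]]  (or [block->[] ])
HIS_RE = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")

# Constructed sample log. Line 1 is the line quoted in the thread; lines 2 and 3 are
# made up: a denied bulk write, and an allowed request that the parser must ignore.
SAMPLE_LOG = """\
no block has matched, forbidding by default: { ID:1546474727-1916968102, TYP:MainRequest, USR:[no basic auth header], BRS:true, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/, CNT:<OMITTED, LENGTH=0>, HDR:Accept,content-length,Host,User-Agent, HIS:[kiabna->[auth_key->false]], [Accept requests from users in group team2 on management->[indices->true, groups->false]], [::LOGSTASH::->[auth_key->false]], [Accept requests from users in group team1 on operations->[indices->true, groups->false]] }
no block has matched, forbidding by default: { ID:0000000001-0000000001, TYP:BulkRequest, USR:admin, BRS:true, ACT:indices:data/write/bulk, OA:127.0.0.1, IDX:audit-2017.04, MET:POST, PTH:/_bulk, CNT:<OMITTED, LENGTH=512>, HDR:Authorization,Host, HIS:[::LOGSTASH::->[indices->false]], [kiabna->[auth_key->false]] }
request: { ID:9fa221d72e49462bb2ce5fe842bca364, TYP:GetIndexRequest, USR:vggv, ACT:indices:admin/get, PTH:/_aliases } matched block: Accept requests from users in group team1 on operations match: true
"""

# What a failed condition usually means, from the operator's side.
CONDITION_HINTS = {
    "auth_key": "credentials did not match this block's auth_key",
    "groups": "user is not a member of any group listed in this block",
    "indices": "requested index is not covered by this block's indices list",
    "actions": "action '{action}' is not in this block's actions list",
}


@dataclass
class ForbiddenRequest:
    user: str
    action: str
    path: str
    method: str
    request_type: str
    # block name -> {condition name: matched?}; conditions absent from HIS were not recorded
    block_results: dict = field(default_factory=dict)


def parse_forbidden_line(line: str):
    """Parse one log line; return None unless it is a 'forbidding by default' dump."""
    if FORBIDDEN_MARKER not in line:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(line)}
    blocks = {}
    for name, conditions in HIS_RE.findall(line):
        blocks[name] = {}
        for cond in conditions.split(","):
            if "->" not in cond:
                continue  # empty history such as [block->[]]
            cond_name, verdict = cond.split("->", 1)
            blocks[name][cond_name.strip()] = verdict.strip() == "true"
    return ForbiddenRequest(
        user=fields.get("USR", "").strip("[]"),
        action=fields.get("ACT", ""),
        path=fields.get("PTH", ""),
        method=fields.get("MET", ""),
        request_type=fields.get("TYP", ""),
        block_results=blocks,
    )


def explain(req: ForbiddenRequest) -> list:
    """One line per block saying why it did not match; the first line names the ACT to allow."""
    lines = [f"{req.method} {req.path} ({req.request_type}) as '{req.user}' needs action {req.action}"]
    for block, results in req.block_results.items():
        failed = [c for c, ok in results.items() if not ok]
        if not failed:
            reason = "no condition recorded for this block"
        else:
            reason = "; ".join(
                CONDITION_HINTS.get(c, f"{c} did not match").format(action=req.action) for c in failed
            )
        lines.append(f"  block {block!r}: {reason}")
    return lines


def summarize_denied_actions(log_text: str) -> dict:
    """Aggregate denied requests as action -> set of paths, for reviewing the allow-list."""
    denied = {}
    for line in log_text.splitlines():
        req = parse_forbidden_line(line)
        if req is None:
            continue
        denied.setdefault(req.action, set()).add(req.path)
    return denied


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        req = parse_forbidden_line(line)
        if req is not None:
            print("\n".join(explain(req)))
    print("denied actions:", summarize_denied_actions(SAMPLE_LOG))
```

Run it against a real `elasticsearch.log` by replacing `SAMPLE_LOG` with the file contents; `summarize_denied_actions` gives the distinct ACT names you would consider adding to a block, and `explain` shows, per block, which condition (auth_key, groups, indices, actions) rejected the request so that you add the action to the block that already authenticates that client rather than loosening a different one.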