Auth_key_sha256 doesn't work with users/groups

(Vadim) #1

I’m running elasticsearch-5.6.3 and on RHEL.
I successfully tested Basic Auth (Base64) using users and groups in elasticsearch.yml and running cURL on server shell (where the es is running).
Unfortunately the same scenario is not working for me when using SHA256.
Here is the ror settings in my es yml file:

  enable: true
  response_if_req_forbidden:  "Access denied!!!"
  - name:  "Accepts requests from user in group team2  on index movies"
    type : allow
    groups:  ("team2")    #square brackets are here
    actions:  ("cluster:monitor/main", "indices:data/read/*")
    indices: ("movies")

- username: tstusr3
  auth_key_sha256: ***
  groups: ("team2")

Running curl as
curl -HGET -H 'Authorization: ***' ''
returns “Access denied!!!”

Log file shows:

FORBIDDEN by default ...
USR: no basic auth header...
HDR:Accept, Authorization, content-length, Host, User-Agent,
HIS: Accept requests from users in group team2  on index movies-(groups-false)

The value *** in the auth_key_sha256 has been generated by hashing the value tstusr3:tstpwd3 which actually is something like f74k…63nm.

I couldn’t figure out what is missing here.
Any advise or help will be appreciated.
Thanks in advance.

(Simone Scarduzio) #2

Wrong curl: should be -H 'Authorization: Basic xxxx' or much better have a look at -u option in curl.

(Vadim) #3

Thank you very much Simon for quick response.
I used the Format curl -HGET -H ‘Authorization Basic ***’ too when I tested Base64 successfully and then swiched to sha256. When I added the Basic to header with sha256 Im getting the response:
Error: status 400
Root cause:
Type: illegal_argument_exception
Reaso : cannot extract user name from base auth header

(Simone Scarduzio) #4

Your method option is wrong too, should use -XGET.

Anyway, see the unit test:

Basically the header should be -H’Authorization: Basic sha256(user:pass)’

Also, the hash you are looking for (according to your username and password in the example) should be:

(Vadim) #5

(1)I always used -XGET (not HGET), sorry for misstyping in my original post, using smartphone to communicate for some reason
(2)I’ve used exactly the same hashed value as you provided e88b34…91f3a

I’m running the followong
curl -XGET -H ‘Authorization: Basic e88b34…91f3a’ '’
And getting the response
Error:status 400
Type:illegal argument exception
Reason: cannot extract user name from base augh header

(Vadim) #6

One more thing, I’m running single node cluster with master and data roles and ror plugin, no logstash, no kibana

(Simone Scarduzio) #7

OH NO sorry, I also fell in the same confusion: the credentials have to be encoded in Base64 alone, the whole intention of auth_key_sha256 is just so you don’t write credentials in clear text in readonlyrest.yml.

Basically the header should be -H’Authorization: Basic base64encode(user:pass)’

And you should have the SHA256 hash as a auth_key_sha256 rule value.

To call the rest api with sha256 as algorithm in elastic search
(Vadim) #8

Great!!! This is working now!
It was a little bit confusing to get it work properly and I think it would be helpful to add the note on readonlyrest.documentation in the Authentication section like the following.
Note about SHA256:
The value of username:password must be encoded using SHA256 for auth_key_sha256 in elasticsearch.yml file and using Base64 in the header (in cURL or URL hhtp request).
Example for sales:p455wd
Elasticsearch.yml file: auth_key_sha256: 5608ce1eb…976ea9
Test: curl -X GET -H ‘Authorization: Basic c2FsZXM6cDQ1NXdk’ ‘’

Thank you very much Simone for your help and your amazing readonlyrest plugin. I hope to explore it in more detail, just started to use it.