I’m running elasticsearch-5.6.3 and readonlyrest-1.16.13.-pre1_es5.6.3.zip on RHEL.
I successfully tested Basic Auth (Base64) using users and groups in elasticsearch.yml and running cURL on server shell (where the es is running).
Unfortunately the same scenario is not working for me when using SHA256.
Here are the ROR settings in my es yml file (the forum stripped the square brackets, so they are shown as parentheses here; the real file uses square brackets):

readonlyrest:
  enable: true
  response_if_req_forbidden: "Access denied!!!"
  access_control_rules:
  - name: "Accepts requests from user in group team2 on index movies"
    type: allow
    groups: ["team2"]
    actions: ["cluster:monitor/main", "indices:data/read/*"]
    indices: ["movies"]
  users:
  - username: tstusr3
    auth_key_sha256: ***
    groups: ["team2"]
FORBIDDEN by default ...
USR: no basic auth header...
BRS:true
IDX:movies
HDR:Accept, Authorization, content-length, Host, User-Agent,
HIS: Accept requests from users in group team2 on index movies-(groups-false)
The value *** in auth_key_sha256 has been generated by hashing the value tstusr3:tstpwd3, which actually looks something like f74k…63nm.
I couldn't figure out what is missing here.
Any advice or help will be appreciated.
Thanks in advance.
Thank you very much Simon for quick response.
I used the format curl -HGET -H 'Authorization Basic ***' too when I tested Base64 successfully and then switched to sha256. When I added the Basic to the header with sha256 I'm getting the response:
Error: status 400
Root cause:
Type: illegal_argument_exception
Reason: cannot extract user name from base auth header
Basically the header should be -H 'Authorization: Basic sha256(user:pass)'
Also, the hash you are looking for (according to your username and password in the example) should be:
e88b3472d9ebbf9be84863647a0491025b03b89070cd48893176cdb553791f3a
(1) I always used -XGET (not -HGET), sorry for mistyping in my original post, using a smartphone to communicate for some reason.
(2) I've used exactly the same hashed value as you provided, e88b34…91f3a.
I'm running the following:
curl -XGET -H 'Authorization: Basic e88b34…91f3a' '11.222.33.44:9200/movies/movie/1?pretty'
And getting the response
Error: status 400
Type: illegal_argument_exception
Reason: cannot extract user name from base auth header
OH NO sorry, I also fell into the same confusion: the credentials have to be encoded in Base64 alone; the whole intention of auth_key_sha256 is just so you don't write credentials in clear text in readonlyrest.yml.
Basically the header should be -H 'Authorization: Basic base64encode(user:pass)'
And you should have the SHA256 hash as the auth_key_sha256 rule value.
Great!!! This is working now!
It was a little bit confusing to get it working properly and I think it would be helpful to add a note to the readonlyrest documentation in the Authentication section like the following.
Note about SHA256:
The value of username:password must be hashed with SHA256 for auth_key_sha256 in the elasticsearch.yml file and encoded with Base64 in the header (in cURL or any HTTP request).
Example for sales:p455wd
elasticsearch.yml file: auth_key_sha256: 5608ce1eb…976ea9
Test: curl -X GET -H 'Authorization: Basic c2FsZXM6cDQ1NXdk' 'xx.xxx.xx.xx:9200/index_name/type_name/id?pretty'
Thank you very much Simone for your help and your amazing readonlyrest plugin. I hope to explore it in more detail, I just started to use it.
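The distinction Simone draws above (Base64 of user:pass on the wire, SHA-256 of user:pass in elasticsearch.yml) and the worked sales:p455wd note can be checked end to end with a small script. This is an added example written for this thread, not code from the ReadonlyREST plugin: it assumes the plugin hashes the UTF-8 string "user:password" and stores the lowercase hex digest, as the posts describe, and the credentials are the constructed sample values from the note.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials from the note above; not real accounts.
USER = "sales"
PASSWORD = "p455wd"


def auth_key_sha256(user: str, password: str) -> str:
    """Value to put under auth_key_sha256 in elasticsearch.yml:
    hex SHA-256 of the literal string "user:password" (assumed format)."""
    return hashlib.sha256(f"{user}:{password}".encode("utf-8")).hexdigest()


def basic_auth_header(user: str, password: str) -> str:
    """Value the client sends in the Authorization header:
    Base64 of "user:password", with no hashing at all."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def verify_header(header: str, stored_sha256: str) -> bool:
    """Model of the server-side check: split the scheme, Base64-decode the
    token, hash the decoded bytes and compare with the stored digest in
    constant time.  Any malformed header (wrong scheme, invalid Base64, or a
    decoded value with no "user:" prefix, which is the 'cannot extract user
    name' case from the thread) is rejected instead of raising."""
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0] != "Basic":
        return False
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if b":" not in raw:
        return False
    digest = hashlib.sha256(raw).hexdigest()
    return hmac.compare_digest(digest, stored_sha256)


if __name__ == "__main__":
    stored = auth_key_sha256(USER, PASSWORD)
    header = basic_auth_header(USER, PASSWORD)
    print("elasticsearch.yml -> auth_key_sha256:", stored)
    print("curl -H 'Authorization:", header + "'")
    print("accepted:", verify_header(header, stored))
    # Sending the SHA-256 hex instead of Base64 reproduces the mistake in
    # the thread: the decoded bytes are not "user:password".
    print("hex-as-token accepted:", verify_header("Basic " + stored, stored))
```

Only the SHA-256 digest ends up in the config file, so a leaked elasticsearch.yml does not expose the password directly, while the request itself still carries the reversible Base64 form and must therefore travel over TLS.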
This post helped me solve my issue with sha256. Thanks for this! Also, were you able to integrate LDAP with Elasticsearch using the readonlyrest plugin?