Authorization failed on ES-7.8.0 with ROR-1.20.0

Mateusz,
Can you please share the elasticsearch.yml content which you tested along with ror-1.21.0-pre5 on single-node es-7.8.0 cluster in DEV mode (127.0.0.1:9210)?
Thanks in advance

@dzyubanv here it is:

node.name: n1_it
readonlyrest.force_load_from_file: true

I set up and deployed another ES-7.8.0 in DEV mode (single node cluster) and started it with default es yml in which all lines are commented out - it started ok. Then I shut it down, deployed ror-1.20.0, configured ror yml as you did.
Now, before restarting ES should I add to es yml just these 2 lines and start es?

yes, this is correct

Hi Mateusz,

[1] I got my multinode cluster ES-7.8.0 & ROR-1.20.0 up and running as it should (2 hosts, 4 nodes, ROR setup and configured on one master dedicated node)

[2] Here is what I did to make it function as expected

in elasticsearch.yml
#disable xpack security
xpack.security.enabled: false
readonlyrest.force_load_from_file: true
#otherwise node with deployed and enabled ROR started and worked OK but there is the ERROR in log
#[ERROR][t.b.r.e.s.Es.Index.JsonContentService] node_name Cannot get source of document [.readonlyrest ID=1]
#java.lang.IllegalStateException: NodeClient has not been initialized

Any guess what this [.readonlyrest ID=1] means?

in regards to readonlyrest.yml

- encrypt pair user:password in Base64 and use encrypted value as <ACCESS_TOKEN> in the header of url request, like -H 'Authorization: Basic <ACCESS_TOKEN>'
- encrypt password in SHA256 and use encrypted value in readonlyrest.yml
- encrypt password only in SHA256 (not pair user_name:password as I did for old ES-5.6.3)
- SHA256 encrypted value should contain lowercase letters, otherwise ROR will Not work properly with capitals
- in readonlyrest.yml use the following format
username: <user_name>
auth_key_sha256: <user_name>:<ACCESS_TOKEN>

[3] All these things were not obvious and required me switching between single-node cluster in DEV mode and multi-node cluster in PROD mode with trial and error

[4] There are No ERRORs in the ES log now, but I’m still experiencing the following WARNING/UnsatisfiedLinkError when starting node with deployed and enabled ROR (b.t.w. I’m using java 1.8.0_65, not bundled java with the ES-7.8.0 package):

[WARN][o.e.b.Natives ] node_name unable to load JNA native support library, native methods will be disabled.
java.lang.UnsatisfiedLinkError: /tmp/jna/–146…tmp: /lib64/libc.so.6: version GLIBC_2.7 not found (required by /tmp/jna/–1462778291/jna473135465896030289.tmp)
at java.lang.ClassLoader$NativeLibrary.load(NativeMethod) ~[?1.8.0_65]
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1938) ~[?1.8.0_65]

Any guess why this java.lang.UnsatisfiedLinkError comes up here and how it might be fixed?

Thanks a lot for your help and support
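
The request header and readonlyrest.yml value described in the post above, worked through as an added example (not part of the original thread and not ROR's own code). The user `alice`, the password `abc` and the `check` function are constructed for illustration; `check` is a hypothetical model that assumes an exact, case-sensitive string comparison, in line with the lowercase observation in the post.

```python
import base64
import hashlib
import hmac


def basic_header(user: str, password: str) -> str:
    """Authorization header value. Base64 is a reversible encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def sha256_hex(text: str) -> str:
    # hexdigest() always returns lowercase hex
    return hashlib.sha256(text.encode()).hexdigest()


def auth_key_sha256(user: str, password: str, hash_pair: bool = False) -> str:
    """Value for auth_key_sha256 in readonlyrest.yml.

    hash_pair=False: "<user>:<sha256(password)>", the password-only form from the post.
    hash_pair=True:  sha256("<user>:<password>"), the pair form the post mentions for ES-5.6.3.
    """
    if hash_pair:
        return sha256_hex(f"{user}:{password}")
    return f"{user}:{sha256_hex(password)}"


def check(header: str, configured: str) -> bool:
    """Hypothetical model of the server-side comparison (assumption, not ROR code)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # malformed Base64 or invalid UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    candidates = (auth_key_sha256(user, password), auth_key_sha256(user, password, True))
    return any(hmac.compare_digest(c.encode(), configured.encode()) for c in candidates)


if __name__ == "__main__":
    hdr = basic_header("alice", "abc")  # constructed sample credentials
    key = auth_key_sha256("alice", "abc")
    print(hdr, key, check(hdr, key), check(hdr, key.upper()))
```
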

ROR tries to load configuration from index at startup. ATM when there is no such index, there is a fallback to readonlyrest.yml file. So this is expected

Thanks a lot Mateusz, I’ll follow up

To remove any kind of ambiguity, have you tried with most basic config - change to auth_key instead of auth_key_sha256 and then open the URL http://host:port/_cat/indices?v in Chrome and type in id/pwd once you get the prompt. Does that work for you?

Thanks Askids for the attention and feedback.
As I said, finally I got my multi-node ES cluster with ROR working as it should and I’d like to address one issue mentioned above. Repeating it again here:
[4] There are No ERRORs in the ES log now, but I’m still experiencing the following WARNING/UnsatisfiedLinkError when starting node with deployed and enabled ROR (b.t.w. I’m using java 1.8.0_65, not bundled java with the ES-7.8.0 package):

[WARN][o.e.b.Natives ] node_name unable to load JNA native support library, native methods will be disabled.
java.lang.UnsatisfiedLinkError: /tmp/jna/–146…tmp: /lib64/libc.so.6: version GLIBC_2.7 not found (required by /tmp/jna/–1462778291/jna473135465896030289.tmp)
at java.lang.ClassLoader$NativeLibrary.load(NativeMethod) ~[?1.8.0_65]
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1938) ~[?1.8.0_65]

Node with deployed and enabled ROR starts and functions well, as expected.

This is probably due to the very old Linux version you are using. RHEL 5.11, right?

Thanks a lot for the feedback Simone,
I agree with you, this java.lang.UnsatisfiedLinkError might be related to old RHEL 5.11, I’ll try to test this on the higher version of RHEL.

I’d like to confirm one more thing with you: this ROR-1.20.0 might be deployed and enabled either on (1) master eligible and data node (master:true, data:true) or nodes only, (2) or master eligible only (master:true, data:false) node or nodes, (3) or data only (master:false, data:true) node or nodes, no need to deploy ROR-1.20.0 on each and every node of the cluster, correct?
Thanks in advance

OK the rule is:

if you use internode SSL, you need ROR in every node

if you use fields rule, you should install ROR in nodes with Elasticsearch HTTP API enabled (port 9200), and in all nodes that contain data.

If you don’t use internode SSL, or fields rule, it’s fine to install ROR just in the nodes in which you plan to enable Elasticsearch HTTP API (port 9200).

Thank you so much for the confirmation and great support Simone and your team!
