Beginning install - not successful


(mdnuts) #1

Hello,
I tried to install the ES plugin on ES 6.7.0 in the manner specified.

  1. Obtain the build (6.7.0).
  2. Install the plugin - installs successfully, selected yes for permissions.
  3. Created readonlyrest.yml in the same location as elasticsearch.yml.
     • Made sure all permissions were at elasticsearch.
  4. Have this in the readonlyrest.yml file:
     readonlyrest:
       access_control_rules:

       - name: "Require HTTP Basic Auth"
         type: allow
         auth_key: user:password

  5. Put xpack.security.enabled: false at the bottom of the elasticsearch.yml file.
  6. Started ES.
  7. I see the plugin loaded, then as ES continues to load I’ll start to see errors similar to:
     FORBIDDEN by default req=... (it seems to start to list about anything from cluster:monitor to metricbeat, etc.)
  8. A little later in the log I’ll see ES recovered 10 indices followed by [CLUSTERWIDE SETTINGS] cluster not ready…
     • Then cluster health goes from red to yellow, shards get started and the FORBIDDEN keeps populating.
  9. I go on to test like it says with curl - and I do not get the status code of 401.

(Simone Scarduzio) #2

Well I guess the clients need to be configured to pass credentials, right? I mean it’s expected if you add basic auth.

What curl command? What’s the expected result? what’s the actual result?


(mdnuts) #3

OK, I reinstalled the plugin again on ES. Configured U/P with protocol of HTTP on ES, Logstash and Kibana. Everything started and authenticated just fine.

Then I configured the beats (file, metric & heart) and all toss errors of no basic auth.
For example, for Heartbeat the ES docs say:
output.elasticsearch:
  hosts: ["myEShost:9200"]
  username: "filebeat_internal"
  password: "YOUR_PASSWORD"

I’ve got the ES U:P set correctly in each of the three beats (on the same system). At this point I have not done any ACLs yet, and Logstash (uses the same U:P) is working fine. I have just the very basic YAML setting described in the docs, which is (of course my U:P is different from the docs’ and identical between ES, Logstash, Kibana, and the beats):

readonlyrest:
    access_control_rules:

    - name: "Require HTTP Basic Auth"
      type: allow
      auth_key: user:password 

any ideas?


(Simone Scarduzio) #4

I understood that you have credentials correctly set up in all your log shipping agents (beats, logstash, etc), but you keep on seeing no basic auth logs in ROR.

Correct?
If correct:

  1. If they are not sending the basic authorization header, there must be a problem with the agents. They really should send that header. Maybe point them to another web server or debug proxy server if you don’t trust the ROR logs.
    Maybe they just need a restart?

  2. Please confirm curl works, i.e.:
     curl -vvv 'http://es_host:9200/_cat/indices' # <— should result in FORBIDDEN in ROR logs + 401 error
     curl -vvv -u user:password 'http://es_host:9200/_cat/indices' # <— should result in ALLOWED in ROR logs + 200 status code, and you should see the list of indices.
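The two-request check Simone asks for, written out as an added example; this is not part of the original thread and not ReadonlyREST's code. A local stub answers the way a single auth_key allow rule does (401 with a "forbidden" body when no valid Basic credentials arrive, 200 with the index list when they do), a client sends the same two requests curl would plus a third with a wrong password, and a helper builds the Authorization header that curl -u or a beat has to put on the wire. The credentials user:password, the index name and the exact 401 body are assumptions for the demo.

```python
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed credentials (the thread never gives the real ones).
EXPECTED_USER = "user"
EXPECTED_PASSWORD = "password"

# Assumed shape of the 401 body, modelled on what the thread reports.
FORBIDDEN_BODY = {"error": {"root_cause": [{"reason": "forbidden"}],
                            "reason": "forbidden"}, "status": 401}


def basic_auth_header(user, password):
    """Authorization header value a client (curl -u, a beat) must send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_auth_key(authorization, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """Decide as one auth_key rule would: accept only a well-formed Basic
    header whose decoded user:password matches exactly; anything else is a miss."""
    if not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded == f"{user}:{password}"


class StubEsHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for an ES node fronted by a Basic-auth-only allow rule."""

    def do_GET(self):
        if check_auth_key(self.headers.get("Authorization")):
            status = 200
            body = json.dumps([{"index": "filebeat-6.7.0", "health": "green"}])
        else:
            status = 401
            body = json.dumps(FORBIDDEN_BODY)
        payload = body.encode("utf-8")
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="elasticsearch"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_stub():
    """Serve on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), StubEsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, user=None, password=None):
    """Send one GET the way curl would; return (status, parsed JSON body)."""
    req = urllib.request.Request(url)
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8"))


def run_curl_experiment(base_url, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """2.a: no credentials -> 401; 2.b: right credentials -> 200 plus the
    index list; and a wrong password, which must be refused like no password."""
    url = base_url + "/_cat/indices"
    anon_status, anon_body = probe(url)
    ok_status, ok_body = probe(url, user, password)
    bad_status, _ = probe(url, user, "not-the-password")
    return {
        "anonymous": anon_status,
        "anonymous_body": anon_body,
        "authenticated": ok_status,
        "indices": [row["index"] for row in ok_body] if ok_status == 200 else [],
        "wrong_password": bad_status,
    }


if __name__ == "__main__":
    srv = start_stub()
    try:
        print(run_curl_experiment("http://127.0.0.1:%d" % srv.server_address[1]))
    finally:
        srv.shutdown()
```

If a real node gives you 401 for the anonymous request and 200 for the authenticated one, the rule and the credentials are fine and any remaining FORBIDDEN lines come from a client that is not sending the header; pointing that client at this stub (or any debug proxy) shows directly whether an Authorization header is present.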


(mdnuts) #5
  1. I’ve restarted a number of times; before trying to put in authentication the agent reported okay. I was wondering if it was because I have the agent sending to ES and enabled the Kibana dashboards, but the beat documentation seems to indicate that it would use ES’s authentication if dashboards are loaded. I tried to put it in there anyway and it didn’t seem to make a difference.
     – I might just try to reinstall one of the beats and see what it does.

2.a) I get {"error":{"root_cause":[{"reason":"forbidden"}],"reason":"forbidden"},"status":401}
2.b) I get 200 status code and a list of all the indices - including the 3 different beats. All show green.


(mdnuts) #6

So, odd.

After playing around with it, it seems data is getting through okay. I can see file logs and system metrics, but I still get the FORBIDDEN messages. If I stop all beats, the FORBIDDEN messages go away; if I start any one of the beats, the messages return.

I’m not going to spend any more time on it right now; working on SSL next.


(Simone Scarduzio) #7

Please, can you do the suggested curl experiment?


(mdnuts) #8

Yeah, with curl.

2.a) I get {"error":{"root_cause":[{"reason":"forbidden"}],"reason":"forbidden"},"status":401}
2.b) I get 200 status code and a list of all the indices - including the 3 different beats. All show green.