Cerebro access to Cluster with RoR

yecanneken · August 20, 2018, 4:11pm

Hi - bit of a novice!

I’ve configured ReadOnlyREST on my cluster with ROR Pro on Kibana and have access for users/admin/etc fine for my cluster. I now need to ensure that monitoring and injest apps work. I’ve added access to the cluster for my subet with the following block:

name: “Allow my subnet”
hosts: [“192.168.1.0/24”]
actions: allow

But this is not enough for Cerebro sitting on 192.168.1.140 to access my cluster for monitoring and to make CURL requests. What am I doing wrong here? I’m going to have the same problem with my [homebrew] application that ingests data into my indices as well I assume… but want to beat the Cerebro problem first.

Cheers in advance for any guidance.

sscarduzio · August 21, 2018, 8:38am

You can analise the ES log lines where it says “FORBIDDEN” when you use cerebro, look at “OA” field, to see if the requests are coming from another IP than what you expect.

Also, I hardly recommend using the hosts rule, in favour of setting up SSL and just passing some credentials i.e. auth_key (and eventually auth_key_sha256)

You can configure cerebro to use credentials to connect to ES:

github.com

lmenezes/cerebro/blob/main/conf/application.conf#L68


      
                // AD example => memberOf=CN=mygroup,ou=ouofthegroup,DC=domain,DC=com
                // OpenLDAP example => CN=mygroup
                group = ${?LDAP_GROUP}
              }
          
          
    # Basic auth
              username = ${?BASIC_AUTH_USER}
              password = ${?BASIC_AUTH_PWD}
            }
          }
          
          
# A list of known hosts
          hosts = [
            #{
            #  host = "http://localhost:9200"
            #  name = "Localhost cluster"
            #  headers-whitelist = [ "x-proxy-user", "x-proxy-roles", "X-Forwarded-For" ]
            #}
            # Example of host with authentication
            #{
            #  host = "http://some-authenticated-host:9200"

ld57 · August 21, 2018, 9:25am

In addition,

you should configure dedicated user authentication in cerebro itself, then register your ES url with credentials.
and those credentials should be admin of your es node/cluster.

Block rule :

    - name: ELKG admin BULK
      auth_key_sha1: 464645ed4e6d46e4d
      type: allow
      actions: ["cluster:*", "indices:*", "internal:*"] 
      verbosity: info

and in application.conf of cerebro

# Authentication
auth = {
  # Example of LDAP authentication
#  type: ldap
#    settings: {
#      url = "ldap://ldapserver:389"  #or 636
#      base-dn = "OU=xx,DC=yyy"
#      method  = "simple"
#      user-domain = "dom.local"
#    }
  # Example of simple username/password authentication

  type: basic
    settings: {
      username = "Adm_cerebro"
      password = "pizzahut_guess_so:)"
    }
}

at least it is that i did

yecanneken · August 21, 2018, 10:10am

Hi both - thanks that solves it.

I had the Cerebro config but had missed [“cluster:*”] in the block rule.

Silly error - really appreciate the help.

napsta · August 28, 2018, 9:32pm

That configuration didn’t work for me since I was using SSL. I was receiving some promise already completed errors. I instead commented that out and added this at the bottom of the application.conf for Cerebro:

play.ws.ssl {
trustManager = {
stores = [
{ type = “JKS”, path = “C:\ProgramData\cerebro-0.8.1\conf\mykeystoreunlocked.jks”, password = “secretpassforkey” }
]
}
loose = {
acceptAnyCertificate = true // if your cert common name does not match to ngninx_server_name
}
}

This will then allow Cerebro to ask for credentials to the elasticsearch node that you could setup in ROR.

ld57 · August 29, 2018, 7:06pm

yep it works too.

on my side I prefered to use stunnel to hide everything behind it.