Cerebro access to Cluster with RoR


Hi - bit of a novice!

I’ve configured ReadOnlyREST on my cluster with ROR Pro on Kibana and have access for users/admin/etc fine for my cluster. I now need to ensure that monitoring and injest apps work. I’ve added access to the cluster for my subet with the following block:

name: “Allow my subnet”
hosts: [“”]
actions: allow

But this is not enough for Cerebro sitting on to access my cluster for monitoring and to make CURL requests. What am I doing wrong here? I’m going to have the same problem with my [homebrew] application that ingests data into my indices as well I assume… but want to beat the Cerebro problem first.

Cheers in advance for any guidance.

(Simone Scarduzio) #2

You can analise the ES log lines where it says “FORBIDDEN” when you use cerebro, look at “OA” field, to see if the requests are coming from another IP than what you expect.

Also, I hardly recommend using the hosts rule, in favour of setting up SSL and just passing some credentials i.e. auth_key (and eventually auth_key_sha256)

You can configure cerebro to use credentials to connect to ES:

(Ld57) #3

In addition,

you should configure dedicated user authentication in cerebro itself, then register your ES url with credentials.
and those credentials should be admin of your es node/cluster.

Block rule :

    - name: ELKG admin BULK
      auth_key_sha1: 464645ed4e6d46e4d
      type: allow
      actions: ["cluster:*", "indices:*", "internal:*"] 
      verbosity: info

and in application.conf of cerebro

# Authentication
auth = {
  # Example of LDAP authentication
#  type: ldap
#    settings: {
#      url = "ldap://ldapserver:389"  #or 636
#      base-dn = "OU=xx,DC=yyy"
#      method  = "simple"
#      user-domain = "dom.local"
#    }
  # Example of simple username/password authentication

  type: basic
    settings: {
      username = "Adm_cerebro"
      password = "pizzahut_guess_so:)"

at least it is that i did


Hi both - thanks that solves it.

I had the Cerebro config but had missed [“cluster:*”] in the block rule.

Silly error - really appreciate the help.

(Nic) #5

That configuration didn’t work for me since I was using SSL. I was receiving some promise already completed errors. I instead commented that out and added this at the bottom of the application.conf for Cerebro:

play.ws.ssl {
trustManager = {
stores = [
{ type = “JKS”, path = “C:\ProgramData\cerebro-0.8.1\conf\mykeystoreunlocked.jks”, password = “secretpassforkey” }
loose = {
acceptAnyCertificate = true // if your cert common name does not match to ngninx_server_name

This will then allow Cerebro to ask for credentials to the elasticsearch node that you could setup in ROR.

(Ld57) #6

yep it works too.

on my side I prefered to use stunnel to hide everything behind it.