Hello,
I configured an API key in readonlyrest.yml using auth_key_sha256 with no username (i.e. I want to authenticate by sending a plain secret in the Authorization: header). Although the rule is present and placed before other rules, requests are still rejected with FORBIDDEN by ReadonlyREST / OPERATION_NOT_ALLOWED. The documentation is not clear about the exact request format and an end-to-end example (generate key, hash it, insert the hash into config, and the correct curl) would be very helpful.
What I expect:
Authenticate by sending a plain API key in the Authorization: header (no Basic Auth, no sha256 prefix), be allowed for the indices/actions configured in the rule.
What actually happens:
Requests return HTTP 403 with the ReadonlyREST error:
```json
{"error":{"root_cause":[{"type":"forbidden_response","reason":"Forbidden by ReadonlyREST","due_to":"OPERATION_NOT_ALLOWED"}], … },"status":403}
```
This indicates the key is recognized but the operation is denied — however I have actions: ["*"] and the rule is placed before other deny rules.
Environment / notes:
- Elasticsearch + ReadonlyREST plugin.
- I verified admin Basic Auth still works.
- I placed the API key rule before the admin block to force evaluation first.
```yaml
readonlyrest:
  access_control_rules:
    - name: "API_ELABORATOR"
      type: allow
      auth_key_sha256: "<SHA256_HASH>"   # <-- SHA256 of the plain key, no username
      indices: ["filebeat-*"]
      actions: ["*"]
    # other rules...
    - name: "Admin"
      type: allow
      auth_key: "elastic:admin_password"
      indices: ["*"]
      actions: ["*"]
```
```bash
# 1) generate a secure random plain API key
KEY=$(openssl rand -hex 32)
echo "PLAIN_KEY=$KEY"
# 2) compute SHA256 hash to place in readonlyrest.yml
HASH=$(echo -n "$KEY" | sha256sum | awk '{print $1}')
echo "SHA256_HASH=$HASH"
```
I've tested with curl:
```bash
curl -H "Authorization: originalKey" \
  -X GET "https://localhost:9200/_cat/indices/filebeat-*?v" -k
```
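As an added example (not from the post and not ReadonlyREST's own code), the generate/hash flow above in Python, plus a simulated evaluation of the rule against the different Authorization header shapes a client might send. It assumes the auth_key_sha256 value is the SHA-256 of the same `user:password` string that auth_key takes in the clear (as with `elastic:admin_password` in the config), presented as HTTP Basic; the user name `api_elaborator` is made up.

```python
import base64
import hashlib
import hmac
import secrets


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a UTF-8 string (what `echo -n ... | sha256sum` prints)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def generate_api_key(nbytes: int = 32) -> str:
    """Same shape as `openssl rand -hex 32`: 64 hex characters from a CSPRNG."""
    return secrets.token_hex(nbytes)


def ror_auth_key_sha256(user: str, secret: str) -> str:
    """Value to paste into auth_key_sha256.

    Assumption: the hashed string is 'user:secret', i.e. the same form
    auth_key takes in the clear ("elastic:admin_password" in the post).
    """
    return sha256_hex(f"{user}:{secret}")


def basic_auth_header(user: str, secret: str) -> str:
    """Authorization value that `curl -u user:secret` sends."""
    token = base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def rule_matches(authorization: str, configured_hash: str) -> bool:
    """Simulated auth_key_sha256 check for one request.

    Only 'Basic <base64(user:secret)>' can match. A bare secret with no
    scheme, a Bearer token, or a different user all fall through and the
    request would go on to the next block (or be rejected if none match).
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        presented = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    if ":" not in presented:
        return False
    # constant-time compare: do not leak how much of the hash matched
    return hmac.compare_digest(sha256_hex(presented), configured_hash.lower())
```

With a key from `generate_api_key()`, `ror_auth_key_sha256("api_elaborator", key)` is the config value and `curl -u api_elaborator:$KEY` is the matching request; the bare-secret header from the post never reaches the hash comparison.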