Cross cluster search using seed nodes


(Rohit Kasat) #1

Hello All,
I have been trying to make ROR work with cross-cluster search [Seed nodes] with no luck so far.
https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-cross-cluster-search.html

searches are going right through my ROR configs

#
# ---------------------------------- ReadOnlyRest plugin ---------------------
#
http.type: ssl_netty4

readonlyrest:
    enable: "true"
    prompt_for_basic_auth: false
    ssl:
       enable: "true"
       keystore_file: "/usr/share/elasticsearch/plugins/readonlyrest/keystore.jks"
       keystore_pass: ""
       key_pass: ""

    response_if_req_forbidden: You dont have access to the seleted index.  
    access_control_rules:

    - name: "just helth actions from consul"
      type: allow
      actions: ["monitor/nodes/stats","cluster:monitor/health","indices:monitor/stats"]
      verbosity: error


    - name: "::KIBANA-SRV::"
      auth_key: "-------"
      verbosity: info

    - name: "::Kibana General::"
      kibana_access: rw
      indices:
      - ".kibana"
      - ".kibana-devnull"
      verbosity: error      
      proxy_auth:
        proxy_auth_config: nginx_proxy
        users: ["*"]

    - name: "PlatformIndices"
      indices:
      - "elk6es2:logstash-system*"
      verbosity: info
      proxy_auth:
        proxy_auth_config: nginx_proxy
        users: ["*"]
      groups_provider_authorization:
        user_groups_provider: RolesProviderService
        cache_ttl_in_sec: 3200
        groups:
        - "helpdesk"

    - name: "ServiceIndices"
      indices:
      - "elk6es2:logstash-service*"
      verbosity: info
      proxy_auth:
        proxy_auth_config: nginx_proxy
        users: ["*"]
      groups_provider_authorization:
        user_groups_provider: RolesProviderService
        cache_ttl_in_sec: 3200
        groups:
        - "platform"
        - "general"

    proxy_auth_configs:
    - name: nginx_proxy
      user_id_header: user

    user_groups_providers:
    - name: RolesProviderService
      groups_endpoint: https://roles/api
      auth_token_name: user
      auth_token_passed_as: QUERY_PARAM
      response_groups_json_path: "$.roles"
      http_method: post
      cache_ttl_in_sec: 60
      default_headers:
        Content-Type: application/x-www-form-urlencoded
        Authorization: Basic 
      default_query_parameters:
        return_user_role: "true"

I checked out your branch “zk_index_filter” which works with search api but doesnt work with _msearch.

Am I missing something in this?


(Simone Scarduzio) #2

What do you mean “going right through”? Need ES logs.
Also, zk_index_filter was merged long ago.


(Rohit Kasat) #3

I dont think zk_index_filter was merged Simone, Please check once more on that. I used your zk_index_filter branch and added one more check to look for _msearch actions. which seems to be working fine,

Did you see my configs above, which basically didnt work at all.


(Simone Scarduzio) #4

OH NO. You are right, this remained in a pending state because I was waiting forever on the requester to test it. Now it’s a mess to merge. FML.


(Simone Scarduzio) #5

@rbkasat any chance you can help on merging this to master? :sweat:
I’m super busy now for field level security which is urgent.


(Rohit Kasat) #6

Will take a stab at it in this weekend.


(Simone Scarduzio) #7

thanks @rbkasat, much appreciated!