ECK + ROR | Wildcard support error

Hi,

We are currently using ECK version 8.11.0 with ROR version 1.53.0. While the cluster is up and running without any general access issues, while trying to integrate with the ES Synonyms API - <ES_HOSTNAME>/_synonyms/my-synonyms-set, we encountered the following error (abridged for readability) -

{
    "shard": 0,
    "index": "index_name_1",
    "status": "INTERNAL_SERVER_ERROR",
    "reason": {
        "type": "failed_node_exception",
        "reason": "Failed node [4VxlaN3VSxeu_X_3-TrfBQ]",
        "node_id": "4VxlaN3VSxeu_X_3-TrfBQ",
        "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "the action indices:admin/reload_analyzers[n] does not support wildcards; the provided index expression(s) [*] are not allowed"
        }
    }
}

A similar error - pertaining to wildcard usage - is seen while trying to use the following API - <ES_HOSTNAME>/_all/_stats

{
    "shard": 0,
    "index": "catalog_product_v1_svc_it_data",
    "status": "INTERNAL_SERVER_ERROR",
    "reason": {
        "type": "failed_node_exception",
        "reason": "Failed node [vP726KBQQAqSd2QxYKnsWA]",
        "node_id": "vP726KBQQAqSd2QxYKnsWA",
        "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "the action indices:monitor/stats[n] does not support wildcards; the provided index expression(s) [*] are not allowed"
        }
    }
}

Our current readonlyrest config looks like this -

readonlyrest.yml: |
      readonlyrest:
        enable: true
        prompt_for_basic_auth: false
        response_if_req_forbidden: Forbidden!
        access_control_rules:
          - name: "::HEALTH::"
            type: allow
            verbosity: error
            actions: ['cluster:monitor/*','indices:monitor/*']
          - name: "::READ::"
            type: allow
            verbosity: error
            actions: ['indices:data/read/*']
          - name: "::SYNONYMS-MANAGEMENT::"
            type: allow
            verbosity: error
            actions: ['cluster:admin/synonyms/*','cluster:admin/synonym_rules/*']
          - name: "::BASIC_AUTH::"
            type: allow
            verbosity: error
            auth_key_sha256: AUTH_KEY_TO_BE_REPLACED_AT_RUN_TIME
          - name: "::PROBE::"
            verbosity: error
            auth_key: "elastic-internal-probe:${INTERNAL_PROBE_PASS}"
          - name: "::ELASTIC-INTERNAL::"
            verbosity: error
            auth_key: "elastic-internal:${INTERNAL_USR_PASS}"

Has something changed with how we define access control rules while integrating ROR with ECK?

Please note that the aforementioned usage of the stats API works fine with an older version of ES (7.16.3) with ROR (1.38.0).

Thank you.

Hi @shweta_c,
It seems that we fixed it in the latest release. Please try ROR 1.57.2.

Let us know if it helps.

Thanks a lot, @coutoPL, upgrading the plugin version helped address all wildcard-related errors we were seeing. Again, thank you!