Elasticsearch basic auth no block matched issue

qwerty · July 8, 2017, 5:38pm

I trying basic auth on ES 5.1.1 with plugin readonlyrest-1.14.1_es5.1.1.zip but its not authorising any connection other than localhost even after providing the credentials. Please let me know where I am going wrong.

Request:
curl --header “Authorization: Basic somebase64string” -XGET http://xx.xxx.xx.xxx:9200/

Elasticsearch.yml config

readonlyrest:

 enable: true

 response_if_req_forbidden: Access denied!!!


 access_control_rules:



  - name: "Accept all requests from localhost"

    type: allow

    hosts: [localhost,127.0.0.1]



  - name: "::Log user::"

#    auth_key_sha256: 963f4c134808b2762081228d10e13eb1a71c94d05d81ad78c453e01f859a4481

    auth_key: username:password

    type: allow

    actions: ["indices:admin/create","indices:data/write/index","indices:data/write/bulk","indices:data/write/bulk[s]"]


    indices: ["someIndex*"]

ES logs look like this:

[2017-07-07T17:10:51,248][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { ID:96e0364aaf624955b895c9457e512621, TYP:MainRequest, USR:username (?), BRS:true, ACT:cluster:monitor/main, OA:49.204.109.174, IDX:<N/A>, MET:GET, PTH:/, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, EFF:0, HIS:[Accept all requests from localhost->[hosts->false]], [::Log user::->[indices->true, auth_key->true, actions->false]] }

[2017-07-07T17:10:51,248][INFO ][o.e.p.r.IndexLevelActionFilter] [Iswm5uf] forbidden request: { ID:96e0364aaf624955b895c9457e512621, TYP:MainRequest, USR:username (?), BRS:true, ACT:cluster:monitor/main, OA:49.204.109.174, IDX:<N/A>, MET:GET, PTH:/, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, EFF:0, HIS:[Accept all requests from localhost->[hosts->false]], [::Log user::->[indices->true, auth_key->true, actions->false]] } Reason: null (null)

ld57 · July 8, 2017, 7:06pm

Hi,

Your actions in log, does not fit actions you authorized in block rule.

In log you try to do action cluster:* but you did not authorize that in your rules.

First I would recommend you to get the latest version of ReadonlyRest for es 5.1.1

Then, to help faster, could you tell what you are trying to do with user “username” (just explain what you want to do/restrict.

qwerty · July 9, 2017, 10:14am

Hi,
Thanks for your reply.

Actually, i want localhost to access everything in the ES, but anybody outside localhost will require to provide a username and password for doing any action on ES.

ld57 · July 10, 2017, 9:40am

okay I see now

I would not recommend your approach ( I would prefer split indices access
But here your config I revamped to do that you expect.

readonlyrest:
 enable: true
 response_if_req_forbidden: Access denied!!!
 access_control_rules:

  - name: "Accept all requests from localhost"
    type: allow
    hosts: [localhost,127.0.0.1]

  - name: "::Log user::"
#    auth_key_sha256: 963f4c134808b2762081228d10e13eb1a71c94d05d81ad78c453e01f859a4481
    auth_key: username:password
    type: allow
    actions: ["cluster:monitor/main", "indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create","indices:admin/types/exists"]
    indices: ["someIndex*"]

qwerty · July 17, 2017, 10:48am

Thanks for your help. It solved my problem.