Elasticsearch readonlyrest-plugin taking a very long time to load

anon39196365 · February 4, 2019, 11:32am

I have an issue with elasticsearch taking a very long time to load the readonlyrest-plugin.

My setup
OS: centos-release-7-6.1810.2.el7.centos.x86_64
Elasticsearch version: 6.5.4
ROR version: readonlyrest-1.16.33_es6.5.4

Config Elasticsearch
The only line I added to elasticsearch.yml is:

xpack.security.enabled: false

Working ROR Configuration
This config works fine:

readonlyrest:
    access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

I have verified this is working by running the following and getting a 200 response.

curl -vvv -u kibana:kibana "http://localhost:9200/_cat/indices"

And running the following gives 401 as expected:

curl -vvv "http://localhost:9200/_cat/indices"

ROR Configuration which causes issue

readonlyrest:
    access_control_rules:
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: adminuser
      kibana_access: admin
      jwt_auth:
        name: "webseal"
        roles: ["kibana_admin"]

    jwt:
    - name: webseal
      signature_algo: RSA
      signature_key: "your_signature_min_256_chars"
      user_claim: sub
      roles_claim: group
      header_name: jwt

When I started writing this post I thought elasticsearch wasn’t starting, but it turns out it just uses extremely long to load the ROR-plugin. It takes 24 minutes to add the jwt-block in the config. You can see this in the elasticsearch log. Adding first block att 11:08 and the next one at 11:32. Anyone know why this is happening? Thanks.

[2019-02-04T11:08:00,444][INFO ][o.e.p.PluginsService     ] [NpgnpOt] loaded module [x-pack-watcher]
[2019-02-04T11:08:00,444][INFO ][o.e.p.PluginsService     ] [NpgnpOt] loaded plugin [readonlyrest]
[2019-02-04T11:08:04,943][INFO ][o.e.x.m.j.p.l.CppLogMessageHandler] [NpgnpOt] [controller/5934] [Main.cc@109] controller (64 bit): Version 6.5.4 (Build b616085ef32393) Copyright (c) 2018 Elasticsearch BV
[2019-02-04T11:08:05,416][INFO ][t.b.r.e.IndexLevelActionFilter] [NpgnpOt] Settings observer refreshing...
[2019-02-04T11:08:05,589][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ADDING BLOCK:     { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]}
[2019-02-04T11:32:14,003][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ADDING BLOCK:     { name: 'adminuser', policy: ALLOW, rules: [kibana_access, jwt_auth]}
[2019-02-04T11:32:14,005][INFO ][t.b.r.e.IndexLevelActionFilter] [NpgnpOt] Configuration reloaded - ReadonlyREST enabled
[2019-02-04T11:32:14,005][INFO ][t.b.r.e.IndexLevelActionFilter] [NpgnpOt] Readonly REST plugin was loaded...
[2019-02-04T11:32:14,203][DEBUG][o.e.a.ActionModule       ] [NpgnpOt] Using REST wrapper from plugin tech.beshu.ror.es.ReadonlyRestPlugin
[2019-02-04T11:32:14,452][INFO ][o.e.d.DiscoveryModule    ] [NpgnpOt] using discovery type [zen] and host providers [settings]
[2019-02-04T11:32:15,017][INFO ][t.b.r.c.s.SettingsPoller ] [NpgnpOt] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2019-02-04T11:32:15,149][INFO ][o.e.n.Node               ] [NpgnpOt] initialized
[2019-02-04T11:32:15,149][INFO ][o.e.n.Node               ] [NpgnpOt] starting ...
[2019-02-04T11:32:15,323][INFO ][o.e.t.TransportService   ] [NpgnpOt] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2019-02-04T11:32:16,019][DEBUG][o.e.a.a.c.h.TransportClusterHealthAction] [NpgnpOt] no known master node, scheduling a retry
[2019-02-04T11:32:18,399][INFO ][o.e.c.s.MasterService    ] [NpgnpOt] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {NpgnpOt}{NpgnpOthT0uY9LfTc4IWeQ}{gRrLsmpmQfCfx_7niN31Ew}{127.0.0.1}{$
[2019-02-04T11:32:18,404][INFO ][o.e.c.s.ClusterApplierService] [NpgnpOt] new_master {NpgnpOt}{NpgnpOthT0uY9LfTc4IWeQ}{gRrLsmpmQfCfx_7niN31Ew}{127.0.0.1}{127.0.0.1:9300}{ml.machine_memory=8201478144, xpack.$
[2019-02-04T11:32:18,423][INFO ][t.b.r.c.s.SettingsPoller ] [NpgnpOt] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2019-02-04T11:32:18,436][INFO ][o.e.h.n.Netty4HttpServerTransport] [NpgnpOt] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2019-02-04T11:32:18,436][INFO ][o.e.n.Node               ] [NpgnpOt] started
[2019-02-04T11:32:19,031][INFO ][o.e.l.LicenseService     ] [NpgnpOt] license [0648a842-df13-4c99-8153-522cea30358a] mode [basic] - valid
[2019-02-04T11:32:19,042][INFO ][o.e.g.GatewayService     ] [NpgnpOt] recovered [4] indices into cluster_state
[2019-02-04T11:32:19,425][INFO ][t.b.r.c.s.SettingsPoller ] [NpgnpOt] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2019-02-04T11:32:19,492][INFO ][o.e.c.r.a.AllocationService] [NpgnpOt] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[.kibana_1][0], [kibana_sample_data_ecommerce][0], [kiba$
[2019-02-04T11:32:20,429][INFO ][t.b.r.e.SettingsObservableImpl] [NpgnpOt] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file. Learn more about clusterwide settings at h$
[2019-02-04T12:23:15,656][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ^[[36mALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:116243600-247446465#1658, TYP:ClusterStateRequest,$
[2019-02-04T12:24:33,796][INFO ][t.b.r.a.ACL              ] [NpgnpOt] ^[[35mFORBIDDEN by default req={ ID:196642771-1551202143#1706, TYP:ClusterStateRequest, CGR:N/A, USR:[no basic auth header], BRS:true, K$

anon39196365 · February 4, 2019, 12:53pm

It seems this only happens after restarting the elasticsearch service by running

sudo systemctl stop elasticsearch.service
sudo systemctl start elasticsearch.service

So my current workaround is just to reboot the server instead of just the service.

sscarduzio · February 4, 2019, 1:12pm

Hi @anon39196365,

Have you seen this?

github.com/sscarduzio/elasticsearch-readonlyrest-plugin

JWT auth configuration in 6.2.4 hangs Elasticsearch

opened 09:35PM - 05 Jan 19 UTC

closed 02:12PM - 29 Jan 19 UTC

dominic-lear

Hi, im trying to set up JWT auth with elasticsearch with the below details but w…hen starting elasticsearch it hangs at `Settings observer refreshing`. I have this config working on another computer but that might be with slightly different versions or ROR/java. Can you provide any insight into what the issue may be? --- Java version ``` java version "1.8.0_191" Java(TM) SE Runtime Environment (build 1.8.0_191-b12) Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode) ``` Elasticsearch version: 6.2.4 Readonlyrest version: https://readonlyrest-data.s3.amazonaws.com/build/1.16.32/readonlyrest-1.16.32_es6.2.4.zip Readonlyrest config ``` readonlyrest: access_control_rules: - name: "BLock 1 - Allow" type: allow hosts: ["127.0.0.1", "192.168.10.1", "192.168.10.190"] jwt_auth: name: "jwt_provider_1" roles: ["user"] - name: "Block 2" type: forbid jwt: - name: jwt_provider_1 signature_algo: HMAC # can be NONE, RSA, HMAC (default), and EC signature_key: "my-key" user_claim: user roles_claim: roles # JSON-path style header_name: Authorization ssl: keystore_file: "keystore.jks" keystore_pass: readonlyrest key_pass: readonlyrest ``` When starting Elasticsearch it hangs at ``` 2019-01-05T21:29:59,570][INFO ][o.e.n.Node ] [rate-search-local-1] initializing ... [2019-01-05T21:29:59,693][INFO ][o.e.e.NodeEnvironment ] [rate-search-local-1] using [1] data paths, mounts [[/ (/dev/mapper/vagrant--vg-root)]], net usable_space [51.1gb], net total_space [61.7gb], types [ext4] [2019-01-05T21:29:59,704][INFO ][o.e.e.NodeEnvironment ] [rate-search-local-1] heap size [247.6mb], compressed ordinary object pointers [true] [2019-01-05T21:29:59,724][INFO ][o.e.n.Node ] [rate-search-local-1] node name [rate-search-local-1], node ID [PDJznGXUTuSjmqdLDso3Yg] [2019-01-05T21:29:59,726][INFO ][o.e.n.Node ] [rate-search-local-1] version[6.2.4], pid[5601], build[ccec39f/2018-04-12T20:37:28.497551Z], OS[Linux/4.15.0-32-generic/amd64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_191/25.191-b12] [2019-01-05T21:29:59,728][INFO ][o.e.n.Node ] [rate-search-local-1] JVM arguments [-Xms256m, -Xmx256m, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+DisableExplicitGC, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Des.enforce.bootstrap.checks=true, -Des.path.home=/home/vagrant/elasticsearch, -Des.path.conf=/home/vagrant/elasticsearch/config] [2019-01-05T21:30:04,429][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [aggs-matrix-stats] [2019-01-05T21:30:04,430][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [analysis-common] [2019-01-05T21:30:04,431][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [ingest-common] [2019-01-05T21:30:04,433][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [lang-expression] [2019-01-05T21:30:04,434][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [lang-mustache] [2019-01-05T21:30:04,435][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [lang-painless] [2019-01-05T21:30:04,437][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [mapper-extras] [2019-01-05T21:30:04,437][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [parent-join] [2019-01-05T21:30:04,438][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [percolator] [2019-01-05T21:30:04,439][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [rank-eval] [2019-01-05T21:30:04,440][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [reindex] [2019-01-05T21:30:04,441][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [repository-url] [2019-01-05T21:30:04,441][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [transport-netty4] [2019-01-05T21:30:04,441][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded module [tribe] [2019-01-05T21:30:04,442][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [readonlyrest] [2019-01-05T21:30:04,447][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-core] [2019-01-05T21:30:04,448][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-deprecation] [2019-01-05T21:30:04,450][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-graph] [2019-01-05T21:30:04,450][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-logstash] [2019-01-05T21:30:04,450][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-ml] [2019-01-05T21:30:04,451][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-monitoring] [2019-01-05T21:30:04,451][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-security] [2019-01-05T21:30:04,452][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-upgrade] [2019-01-05T21:30:04,453][INFO ][o.e.p.PluginsService ] [rate-search-local-1] loaded plugin [x-pack-watcher] [2019-01-05T21:30:11,111][INFO ][t.b.r.e.IndexLevelActionFilter] [rate-search-local-1] Settings observer refreshing... ``` it never gets past `Settings observer refreshing` if i remove the lines below, elasticsearch does start correctly. ``` jwt_auth: name: "jwt_provider_1" roles: ["user"] ```

anon39196365 · February 4, 2019, 1:38pm

Thanks for the quick reply. It now takes about a minute to start which is acceptable.

anon39196365 · February 7, 2019, 12:48pm

@sscarduzio
I now see that when adding more ACL blocks with jwt_auth it takes one minute per block. This means that for each role we create we add one minute startup time for elasticsearch which is a bit inconvinient-.

Do you know if this issue will be fixed or will it always take one minute per block?

sscarduzio · February 7, 2019, 1:25pm

I just fixed this in master.

sscarduzio · February 7, 2019, 4:32pm

Now it does not generate a new random seed for every time we use an encrypted in-memory cache (it’s where we keep the credentials hashes for external authentication connectors).

It should generate the seed only once now.

To make it additionally faster in Docker, you can use /dev/urandom as source of randomness.

 -Djava.security.egd=file:/dev/./urandom

To make it even faster By the way are you aware of Haveged? You can run it as a daemon in another container, just to provide a faster /dev/urandom.