Error 401 get repositories

Hi,

I try to secure my elastic cluster with readonlyrest. I encountered an issu for listing repositories.

I declare full access for localhost :

readonlyrest:
access_control_rules:
- name: “Allow requests from localhost only”
hosts: [127.0.0.1]
actions: [“cluster:*”]

But with a curl i get 401 :

curl -v -k https://127.0.0.1:9443/_cat/repositories/

GET /_cat/repositories/ HTTP/1.1
Host: 127.0.0.1:9443
User-Agent: curl/7.58.0
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic
< content-type: application/json; charset=UTF-8
< content-length: 153

{“error”:{“root_cause”:[{“reason”:“forbidden”,“due_to”:[“OPERATION_NOT_ALLOWED”]}],“reason”:“forbidden”,“due_to”:[“OPERATION_NOT_ALLOWED”],“status”:401}}root@dvpmudb00b00002:/opt/elasticsearch#

whereas in logs it is allowed :
[2021-03-08T11:18:57,912][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [xxx-dev-1] ESC[36mALLOWED by { name: ‘Allow requests from localhost only’, policy: ALLOW, rules: [hosts,actions] req={ ID:659004169-547410566#4287, TYP:GetRepositoriesRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:admin/repository/get, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:<N/A>, MET:GET, PTH:/_cat/repositories/, CNT:<N/A>, HDR:Accept=/, Host=127.0.0.1:9443, User-Agent=curl/7.58.0, content-length=0, HIS:[Allow requests from localhost only-> RULES:[hosts->true, actions->true]] }

is there a mistake in my configuration ?

The version used are :
Elasticsearch 7.7.1 oss
ReadOnlyRest 1.27.1

Any advice would be much appreciated
Thanks

@coutoPL any idea how can this happen?

Probably a bug. We haven’t had test for _cat/repositories API yet. I guess ROR assumed that sth is wrong at the last stage of request modification and blocked the request even it was allowed by ACL. Will try to reproduce the case and let you know.

@Orag I found it hard to reproduce the issue, so please check two things for me:

  1. Please find log starting with “Starting ReadonlyREST plugin”, to make sure you are checking the latest version
  2. Call curl with header marker eg. curl -v -k -H "marker: ROR_test" https://127.0.0.1:9443/_cat/repositories/ and check the ALLOWED log if the header is available in HDR section

I found an issue, my plugin version was yet 1.19.
So i upgraded to 1.27 and the bug is fixed :slight_smile:

Oh man! That should be the first thing :stuck_out_tongue_winking_eye: