ES not prompting for Basic Auth

I have the OSS of readonlyrest installed in our test ES 5.6.9 cluster with some basic acls, however, when accessing the ES’s rest with a browser, it does not prompt for any authentication.

Here is my readonlyrest.yml

readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  # prompt_for_basic_auth: true

  ssl:
    keystore_file: 'elasticsearch.jks'
    keystore_pass: 'xxx'
    key_pass: 'xxx'
    key_alias: 'elasticsearch'
    allowed_protocols: [TLSv1.2]
    # allowed_ciphers: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

  access_control_rules:
    ###########################
    # Admin Actual human users.
    ###########################
    - name: "::ADMIN::"
      auth_key_sha256: xxx
      kibana_access: admin
      verbosity: error
      indices: ["*"]
      kibana_index: ".kibana"
      
    #########################################################
    # These credentials shall be used by the logstash daemon.
    #########################################################    
    - name: "::LOGSTASH::"
      auth_key_sha256: xxx
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["metric-*", "kvn-*"]
      
    #####################################################################################
    # These credentials have no limitations, and shall be used only by the Kibana daemon.
    #####################################################################################
    - name: "::KIBANA-SRV::"
      auth_key_sha256: xxx
      kibana_access: admin
      verbosity: error
      
    ######################################################################################
    # These credentials have no limitations, and shall be used only by the Cerebro daemon.
    ######################################################################################
    - name: "::CEREBRO-SRV::"
      auth_key_sha256: xxx
      verbosity: error
      
    - name: "Block 1 - Blocking every network except local and corp"
      hosts: ["127.0.0.1", "10.0.75.0/24"]

    - name: "Block 2 - Limit HTTP methods"
      methods: [GET, POST, PUT, DELETE]

  users:

    - username: testuser
      auth_key: testuser:unsecure
      groups: ["admin"]

Please advise
Tommy

Hi @tommynsong,

Please see the Elasticsearch logs, look for a log line containing “ALLOWED” that corresponds to the HTTP request you just sent. If you don’t see it, try to remove all those “verbosity: error”, restart ES and try again.

That line will tell you what ACL block is being matched.

So I disabled all the network and HTTP blocks.
Now I can’t authenticate, I wonder what I missed.

I changed the ::ADMIN:: block to below:
    - name: "::ADMIN::"
      auth_key: admin:elastic
      kibana_access: admin
      groups: ["admin"]
      actions: ["cluster:monitor/*", "cluster:admin/*", "indecies:admin/*", "indecies:monitor/*", "indecies:data/*", "internal:indices/*"]
      indices: ["*"]

And here is the elasticsearch log:
elasticsearch_1 | [2018-05-30T20:30:18,071][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: admin rc: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS: }
elasticsearch_1 | [2018-05-30T20:30:18,072][INFO ][t.b.r.a.b.r.i.AuthKeySha256SyncRule] Attempting Login as: admin rc: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin, BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS: }
elasticsearch_1 | [2018-05-30T20:30:18,072][DEBUG][t.b.r.a.b.Block ] [::ADMIN::] the request matches no rules in this block: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin, BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]] }
elasticsearch_1 | [2018-05-30T20:30:18,072][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: admin rc: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]] }
elasticsearch_1 | [2018-05-30T20:30:18,072][DEBUG][t.b.r.a.b.Block ] [::LOGSTASH::] the request matches no rules in this block: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]] }
elasticsearch_1 | [2018-05-30T20:30:18,072][INFO ][t.b.r.a.b.r.i.AuthKeySha256SyncRule] Attempting Login as: admin rc: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]] }
elasticsearch_1 | [2018-05-30T20:30:18,073][DEBUG][t.b.r.a.b.Block ] [::KIBANA-SRV::] the request matches no rules in this block: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key_sha256->false]] }
elasticsearch_1 | [2018-05-30T20:30:18,073][INFO ][t.b.r.a.b.r.i.AuthKeySha256SyncRule] Attempting Login as: admin rc: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key_sha256->false]] }
elasticsearch_1 | [2018-05-30T20:30:18,073][DEBUG][t.b.r.a.b.Block ] [::CEREBRO-SRV::] the request matches no rules in this block: { ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key_sha256->false]], [::CEREBRO-SRV::->[auth_key_sha256->false]] }
elasticsearch_1 | [2018-05-30T20:30:18,074][DEBUG][r.suppressed ] path: /_search, params: {}
elasticsearch_1 | tech.beshu.ror.es.IndexLevelActionFilter$1$1: Forbidden by ReadonlyREST ES plugin
elasticsearch_1 | [2018-05-30T20:30:18,090][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1893997326–1636441645#136, TYP:SearchRequest, CGR:N/A, USR:admin(?), BRS:true, KDX:null, ACT:indices:data/read/search, OA:172.18.0.1, DA:172.18.0.2, IDX:, MET:GET, PTH:/_search, CNT:<N/A>, HDR:{Accept=/, accept-encoding=gzip, deflate, Authorization=Basic YWRtaW46ZWxhc3RpYw==, cache-control=no-cache, Connection=keep-alive, content-length=0, Host=localhost:9200, Postman-Token=0f712738-80ee-49c0-88fb-94c235ec1f66, User-Agent=PostmanRuntime/7.1.5}, HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key_sha256->false]], [::CEREBRO-SRV::->[auth_key_sha256->false]] }

When you use the groups rule, the auth_key* rule should appear down where you define “users:”, not inside the ACL block.
So either remove the groups rule or the auth_key rule.
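
Added example, not part of the thread and not ReadonlyREST code: a small Python reader for the `HIS:` field of the log lines posted above. It lists, per ACL block, which rules matched, and picks out the case discussed in both replies, where `auth_key` matched but `groups` rejected the request. The sample lines are constructed by abbreviating the posted log, the function names are hypothetical, and treating any line that contains ALLOWED or FORBIDDEN as a final decision is an assumption.

```python
import re

# Constructed sample: two lines abbreviated from the log format shown in this thread.
SAMPLE_LOG = (
    "[2018-05-30T20:30:18,072][DEBUG][t.b.r.a.b.Block ] [::ADMIN::] the request matches "
    "no rules in this block: { USR:admin, ACT:indices:data/read/search, PTH:/_search, "
    "HIS:[::ADMIN::->[groups->false, auth_key->true]] }\n"
    "[2018-05-30T20:30:18,090][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ USR:admin(?), "
    "ACT:indices:data/read/search, PTH:/_search, "
    "HDR:{Authorization=Basic YWRtaW46ZWxhc3RpYw==, Host=localhost:9200}, "
    "HIS:[::ADMIN::->[groups->false, auth_key->true]], [::LOGSTASH::->[auth_key->false]], "
    "[::KIBANA-SRV::->[auth_key_sha256->false]], [::CEREBRO-SRV::->[auth_key_sha256->false]] }\n"
)

BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")  # [block->[rule->bool, ...]]
AUTH_HDR_RE = re.compile(r"(Authorization=\w+ )[^,}\s]+")  # scheme kept, credentials masked


def redact(line):
    """Mask the credential part of a logged Authorization header."""
    return AUTH_HDR_RE.sub(r"\1<redacted>", line)


def parse_history(line):
    """Return {block: {rule: matched}} from the HIS: field of one log line."""
    if "HIS:" not in line:
        return {}
    history = {}
    for block, rules in BLOCK_RE.findall(line.split("HIS:", 1)[1]):
        outcome = {}
        for item in rules.split(","):
            rule, _, value = item.strip().rpartition("->")
            if rule:
                outcome[rule] = value == "true"
        history[block] = outcome
    return history


def diagnose(log_text):
    """Summarise each final ACL decision line (assumed: contains ALLOWED or FORBIDDEN)."""
    findings = []
    for line in log_text.splitlines():
        verdict = next((v for v in ("FORBIDDEN", "ALLOWED") if v in line), None)
        if verdict is None:
            continue
        history = parse_history(line)
        # Blocks where a credentials rule matched but another rule rejected the request.
        auth_ok_but_rejected = [
            (block, [r for r, ok in rules.items() if not ok])
            for block, rules in history.items()
            if any(ok and r.startswith("auth_key") for r, ok in rules.items())
            and not all(rules.values())
        ]
        findings.append({"verdict": verdict, "history": history,
                         "auth_ok_but_rejected": auth_ok_but_rejected,
                         "line": redact(line)})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding["verdict"])
        for block, rules in finding["history"].items():
            print(f"  {block}: {rules}")
        for block, failed in finding["auth_ok_but_rejected"]:
            print(f"  -> {block}: credentials accepted, rejected by {failed}")
```

The `redact` helper masks the `Authorization` header value, which these log lines carry in full, before a line is shared.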

Can we use both local and LDAP for user/group management?
I added the following blocks but cannot log in with my AD credentials.
“ES_ADMINS” is a group that exists in AD.

access_control_rules:
- name: "::LDAP-ADMIN::"
  ldap_auth:
    name: "ad01"
    groups: ["ES_ADMINS"]
    cache_ttl_in_sec: 180

ldaps:
- name: ad01
  host: "${LDAP_HOST}"
  port: ${LDAP_PORT}
  bind_dn: "${LDAP_BIND_DN}"
  bind_password: "${LDAP_BIND_PASSWORD}"
  ssl_trust_all_certs: true
  user_id_attribute: "${USER_ID_ATTRIBUTE}"
  search_user_base_DN: "${LDAP_SEARCH_USER_BASE_DN}"
  search_groups_base_DN: "${LDAP_SEARCH_GROUPS_BASE_DN}"
  group_search_filter: "${GROUP_SEARCH_FILTER}"

Yes of course, it’s actually recommended to have a failsafe admin account as a local user when using external authentication systems like LDAP. Just in case the LDAP server becomes unavailable.

In order to debug the LDAP connector configuration, just set Elasticsearch in debug mode. You will see good logs about what ROR and the LDAP server are chatting about and where it goes wrong.