I set up ROR with a very simple rule which allows all access given the request provides the correct username and password. Here's the content of my readonlyrest.yml:
readonlyrest:
  enable: true
  response_if_req_forbidden: Access Denied!
  access_control_rules:
  - name: "Any user"
    type: allow
    auth_key_sha256: XXX
Yet, when interacting with my ES instance via HttpClient, the first API call always logs a FORBIDDEN, followed by an ALLOWED:
[2019-04-11T13:36:35,336][INFO ][t.b.r.a.ACL ] [HOST] FORBIDDEN by default req={ ID:1011327530-494823135#1493, TYP:FlushRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:indices:admin/flush, OA:<OA_IP>, DA:<DA_IP>, IDX:test, MET:POST, PTH:/test/_flush?ignore_unavailable=true, CNT:<N/A>, HDR:{Connection=Keep-Alive, User-Agent=Apache-HttpClient/4.5.2 (Java/1.8.0_191), Host=[HOST], Accept-Encoding=gzip,deflate, Content-Length=0}, HIS:[Any user->[auth_key_sha256->false]] }
[2019-04-11T13:36:35,419][INFO ][t.b.r.a.ACL ] [HOST] ALLOWED by { name: 'Any user', policy: ALLOW, rules: [auth_key_sha256]} req={ ID:1991090207-403404939#1494, TYP:FlushRequest, CGR:N/A, USR:elastic, BRS:true, KDX:null, ACT:indices:admin/flush, OA:<OA_IP>, DA:<DA_IP>, IDX:test, MET:POST, PTH:/test/_flush?ignore_unavailable=true, CNT:<N/A>, HDR:{Authorization=<OMITTED>, Connection=Keep-Alive, User-Agent=Apache-HttpClient/4.5.2 (Java/1.8.0_191), Host=[HOST], Accept-Encoding=gzip,deflate, Content-Length=0}, HIS:[Any user->[auth_key_sha256->true]] }
When I try via curl -u .... it does not log the FORBIDDEN line, only through HttpClient (Java). I verified that the request carries the UsernamePasswordCredentials, but I have no idea why the first time a FORBIDDEN is logged.
Is my rule defined correctly? Is there a special way to configure the HttpClient? This is how I currently do it:
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(credentials));
httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
BTW, I’m using ES and ROR version 6.5.4
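The first log line shows the request arriving with USR:[no basic auth header], and the retry ~80 ms later carries an Authorization header. That is Apache HttpClient's default challenge-response behaviour: a CredentialsProvider alone does not make it send credentials up front; it sends the request unauthenticated, and only after a 401 challenge does it resend with the Basic header (curl -u sends the header on the first request, which is why curl never produces the FORBIDDEN line). The snippet below is an added example showing how to make HttpClient 4.5 authenticate preemptively by pre-populating an AuthCache; it is not the poster's code and not part of ReadonlyREST. The host, port, index name and the ES_USER/ES_PASSWORD environment variables are placeholders.

```java
import java.io.IOException;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class PreemptiveEsClient {

    // Placeholder target; point this at the real node. Use "https" outside a lab,
    // because Basic auth only base64-encodes the password, it does not encrypt it.
    private static final HttpHost ES = new HttpHost("es.example.internal", 9200, "http");

    /**
     * Builds a request context that makes HttpClient attach the Authorization
     * header on the very first request. Without the AuthCache entry, HttpClient
     * waits for a 401 challenge, so the first request reaches ROR with no basic
     * auth header (the "FORBIDDEN by default" line) and only the retry is ALLOWED.
     */
    static HttpClientContext preemptiveBasicAuthContext(HttpHost target, String user, String password) {
        CredentialsProvider credentials = new BasicCredentialsProvider();
        // Scope the credentials to this host rather than AuthScope.ANY, so they are
        // never offered to some other host the client is later pointed at.
        credentials.setCredentials(new AuthScope(target), new UsernamePasswordCredentials(user, password));

        // Pre-populating the auth cache tells HttpClient that this target is already
        // known to use Basic auth, which switches it to preemptive mode.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(target, new BasicScheme());

        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credentials);
        context.setAuthCache(authCache);
        return context;
    }

    /** Flushes an index (the same call as in the log) and returns the HTTP status. */
    static int flushIndex(CloseableHttpClient client, HttpHost target, HttpClientContext context, String index)
            throws IOException {
        HttpPost flush = new HttpPost("/" + index + "/_flush?ignore_unavailable=true");
        try (CloseableHttpResponse response = client.execute(target, flush, context)) {
            int status = response.getStatusLine().getStatusCode();
            // Consume the body so the connection can be returned to the pool.
            EntityUtils.consume(response.getEntity());
            return status;
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder credentials: read from the environment here, in real code from
        // configuration or a secret store, never from a string literal in source.
        String user = System.getenv().getOrDefault("ES_USER", "elastic");
        String password = System.getenv().getOrDefault("ES_PASSWORD", "changeme");

        HttpClientContext context = preemptiveBasicAuthContext(ES, user, password);
        try (CloseableHttpClient client = HttpClients.createDefault()) {
            int status = flushIndex(client, ES, context, "test");
            System.out.println("flush returned HTTP " + status);
        }
    }
}
```

The same context object is passed to every execute() call, so each request carries the header from the start and ROR logs a single ALLOWED line per call. A simpler but less flexible alternative is to add a fixed "Authorization: Basic ..." header through httpClientBuilder.setDefaultHeaders(); the AuthCache route keeps the credentials inside HttpClient's normal auth machinery. Either way the rule itself is fine: the FORBIDDEN line is the expected result of an unauthenticated first probe, not a misconfiguration, and once the client is preemptive the remaining FORBIDDEN entries in the ACL log are the ones worth investigating.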