First request always FORBIDDEN


(Shai Erera) #1

I set up ROR with a very simple rule which allows all access given the request provides the correct username and password. Here’s the content of my readonlyrest.yml:

readonlyrest:
  enable: true
  response_if_req_forbidden: Access Denied!

  access_control_rules:

   - name: "Any user"
     type: allow
     auth_key_sha256: XXX

Yet, when interacting with my ES instance via HttpClient, the first API call always logs a FORBIDDEN, followed by an ALLOWED:

[2019-04-11T13:36:35,336][INFO ][t.b.r.a.ACL              ] [HOST] FORBIDDEN by default req={ ID:1011327530-494823135#1493, TYP:FlushRequest, CGR:N/A, USR:[no basic auth header], BRS:true, KDX:null, ACT:indices:admin/flush, OA:<OA_IP>, DA:<DA_IP>, IDX:test, MET:POST, PTH:/test/_flush?ignore_unavailable=true, CNT:<N/A>, HDR:{Connection=Keep-Alive, User-Agent=Apache-HttpClient/4.5.2 (Java/1.8.0_191), Host=[HOST], Accept-Encoding=gzip,deflate, Content-Length=0}, HIS:[Any user->[auth_key_sha256->false]] }
[2019-04-11T13:36:35,419][INFO ][t.b.r.a.ACL              ] [HOST] ALLOWED by { name: 'Any user', policy: ALLOW, rules: [auth_key_sha256]} req={ ID:1991090207-403404939#1494, TYP:FlushRequest, CGR:N/A, USR:elastic, BRS:true, KDX:null, ACT:indices:admin/flush, OA:<OA_IP>, DA:<DA_IP>, IDX:test, MET:POST, PTH:/test/_flush?ignore_unavailable=true, CNT:<N/A>, HDR:{Authorization=<OMITTED>, Connection=Keep-Alive, User-Agent=Apache-HttpClient/4.5.2 (Java/1.8.0_191), Host=[HOST], Accept-Encoding=gzip,deflate, Content-Length=0}, HIS:[Any user->[auth_key_sha256->true]] }

When I try via curl -u .... it does not log the FORBIDDEN line, only through HttpClient (Java). I verified that the request carries the UsernamePasswordCredentials, but I have no idea why the first time a FORBIDDEN is logged.

Is my rule defined correctly? Is there a special way to configure the HttpClient? This is how I currently do it:

// Credentials are registered for every host/realm (AuthScope.ANY), but HttpClient 4.x
// only sends them after the server answers 401, unless preemptive auth is configured.
final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(credentials));
httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);

BTW, I’m using ES and ROR version 6.5.4


(Simone Scarduzio) #2

Hello @shaie, the logs say no authorization header was present in the HTTP request. Please review your curl command, i.e. curl -u user:pass (notice you have the username, but also a colon and the password).


(Simone Scarduzio) #3

Google for Preemptive Basic Authentication

i.e. https://www.baeldung.com/httpclient-4-basic-authentication
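
The preemptive Basic auth setup the reply points to, written out as an added example for Apache HttpClient 4.5.x (this is not code from the original posts or from ReadonlyREST). With the default configuration HttpClient sends the first request without an Authorization header, gets a 401, and only then retries with credentials; that unauthenticated first attempt is the "FORBIDDEN by default ... USR:[no basic auth header]" line in the ROR log. Pre-populating an AuthCache with a BasicScheme for the target host makes the client attach the header on the first attempt. The host, port, scheme, username and password below are placeholders; the _flush path is the one from the log lines above.

```java
// Added example (not from the original post or from ReadonlyREST): preemptive
// Basic auth with Apache HttpClient 4.5.x, so the Authorization header is sent
// on the very first request instead of only after a 401 challenge.
// Assumed values: host, port, scheme, username and password are placeholders;
// the _flush path is the one seen in the ROR log lines above.
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class PreemptiveBasicAuthExample {

    // Builds a request context that already carries a BasicScheme for the target
    // host, which makes HttpClient attach "Authorization: Basic ..." up front.
    static HttpClientContext preemptiveContext(HttpHost target, String user, String password) {
        CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        // Scope the credentials to the ES host rather than AuthScope.ANY, so they
        // are never offered to a redirect target or proxy on another host.
        credentialsProvider.setCredentials(new AuthScope(target),
                new UsernamePasswordCredentials(user, password));

        AuthCache authCache = new BasicAuthCache();
        authCache.put(target, new BasicScheme());

        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credentialsProvider);
        context.setAuthCache(authCache);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: ES reachable over TLS on localhost:9200 with these placeholder credentials.
        HttpHost target = new HttpHost("localhost", 9200, "https");
        HttpClientContext context = preemptiveContext(target, "elastic", "changeme");

        try (CloseableHttpClient client = HttpClients.createDefault()) {
            HttpPost flush = new HttpPost("/test/_flush?ignore_unavailable=true");
            // Pass the context on every call; without it the client falls back to
            // challenge-response and ROR logs a FORBIDDEN for the first attempt.
            try (CloseableHttpResponse response = client.execute(target, flush, context)) {
                System.out.println(response.getStatusLine());
            }
        }
    }
}
```

Two practical notes. Preemptive auth sends the credentials with every request, not just after a challenge, so only enable it over TLS. And if you alert on "FORBIDDEN by default" entries in the ROR log, a client that still uses challenge-response will produce one such entry per request, with "USR:[no basic auth header]" and the same OA address as the ALLOWED line that follows it; preemptive auth removes that noise and saves one round trip per call.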


(Shai Erera) #4

Thank you very much, I moved to use Elastic’s RestHighLevelClient and the behavior does not reproduce with it.