Forbidden by default when trying to use JWT

TimurG · May 2, 2018, 11:02am

Hi.I am trying to implement JWT Auth with Readonlyrest.
My conf is :

readonlyrest:

    audit_collector: true

    access_control_rules:
    - name: "::PUBLIC SEARCHBOX::"
      hosts: ["0.0.0.0"]
      type: allow
      kibana_access: rw
      groups: ["default"]


    - name: "JWT Auth"
      type: allow
      groups: ["test"]
      kibana_access: admin
      jwt_auth:
        name: "JWT_Login"
    jwt:
    - name: JWT_Login
      signature_algo: HS256
      signature_key: "justtesting"
      user_claim: username
      header_name: Authorization



    users:

    - username: kibana
      auth_key: kibana:kibana
      groups: ["default"]

    - username: test
      auth_key: test:test
      groups: ["test"]

the error i am getting is :
FORBIDDEN by default req={ ID:1295785472-2023744454#41, TYP:NodesInfoRequest, CGR:N/A, USR:test, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwidXNlcm5hbWUiOiJ0ZXN0IiwiaWF0IjoxNTI5MjkxNzk0fQ.M-hqKN6LShXA45TzgIyw8Kq7tpoS-A1JB_stwO23inc, Connection=close, Authorization=<OMITTED>, content-length=0, Host=localhost:9200}, HIS:[::PUBLIC SEARCHBOX::->[groups->false]], [JWT Auth->[groups->false, jwt_auth->true]] }

The token is :
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwidXNlcm5hbWUiOiJ0ZXN0IiwiaWF0IjoxNTI5MjkxNzk0fQ.M-hqKN6LShXA45TzgIyw8Kq7tpoS-A1JB_stwO23inc

I have followed the docs and I am just trying to do a basic implementation to see if works.
I cannot understand what i am doing wrong.
Thank you very much for your assistance

sscarduzio · May 2, 2018, 11:16am

Remove this, as you are already authenticating the user via JWT token.

TimurG · May 2, 2018, 11:47am

Hi.It worked now! Thank you very much.

TimurG · May 3, 2018, 11:46am

Hi.Another question.Is there a way to authenticate to elasticsearch itself with JWT instead of kibana ?

I could possibly achieve it with the external HTTP authentication ,to authenticate with JWT in kibana and after that to receive 200 ok and proceed.Is there any other way?
Thank you very much.

sscarduzio · May 3, 2018, 12:10pm

ES is able to check the digest of your JWT token in the Authorization header, as you experimented above. No Kibana involved in this flow.

I think it could work, as external authentication will forward the Authorization header. In this case, no need for the JWT settings block in ROR of course, as the authentication is external.

TimurG · May 3, 2018, 12:45pm

Thank you very much!