I've created 'curator_user' in the readonlyrest.yml file, like this:

    - name: 'Curator User'
      auth_key: "myuser:mysecret"
      actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/*"]
When Curator runs, I get an Unauthorized error. I started investigating and I can’t even access that index from curl:
    $ curl -u myuser:mysecret -XGET https://elastic.ecosystem-dev.k8s.us-east-1.dg-commercial-dev-01.satcloud.us/filebeat-2019.03.01
    {"error":{"root_cause":[{"reason":"forbidden"}],"reason":"forbidden"},"status":403}
The DELETE action, of course, is not allowed either... Why?
P.S.
Here is the entire config:
    readonlyrest.yml: |-
      readonlyrest:
        # IMPORTANT FOR LOGIN/LOGOUT TO WORK
        prompt_for_basic_auth: false
        audit_collector: true
        access_control_rules:
        - name: 'Localhost'
          hosts: [127.0.0.1]
        - name: 'Probes'
          type: allow
          actions: ['cluster:monitor/*']
        - ldap_authentication: everyone
          ldap_authorization: {name: everyone, groups: [SG-App-Kibana-Ecosystem]}
          name: Admins
          kibana_access: admin
        - name: 'Kibana Admin'
          auth_key: "{{ .Values.secrets.kibana.userid }}:{{ .Values.secrets.kibana.password }}"
        - name: 'Lander Account'
          auth_key: "{{ .Values.secrets.lander.userid }}:{{ .Values.secrets.lander.password }}"
          kibana_access: ro
        - name: 'Logstash User'
          auth_key: "{{ .Values.secrets.logstash.userid }}:{{ .Values.secrets.logstash.password }}"
          actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
        - name: 'Rover User'
          actions: ['cluster:monitor/main', 'indices:data/read/*']
          auth_key: "{{ .Values.secrets.rover.userid }}:{{ .Values.secrets.rover.password }}"
        - name: 'Curator User'
          auth_key: "{{ .Values.secrets.curator.userid }}:{{ .Values.secrets.curator.password }}"
          actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/*"]
        - name: Local Auth for admin 2
          type: allow
          groups: ["Admins"]
        - name: Local Auth for admin
          type: allow
          kibana_access: admin
          groups: ["Admins"]
        users:
        - username: es_admin
          auth_key: "{{ .Values.secrets.es_admin.userid }}:{{ .Values.secrets.es_admin.password }}"
          groups: ["Admins"]
        ldaps:
        - name: everyone
          host: "{{ .Values.ldaps.host }}"
          port: "{{ .Values.ldaps.port }}"
          ssl_enabled: false
          ssl_trust_all_certs: true
          bind_dn: "{{ .Values.ldaps.bind_dn }}"
          bind_password: "{{ .Values.secrets.ldap.bind_password }}"
          search_user_base_DN: "{{ .Values.ldaps.search_user_base_DN }}"
          user_id_attribute: "{{ .Values.ldaps.user_id_attribute }}"
          search_groups_base_DN: "{{ .Values.ldaps.search_groups_base_DN }}"
          unique_member_attribute: "{{ .Values.ldaps.unique_member_attribute }}"
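To reason about which block ReadonlyREST should pick for the two requests in the post, here is an added example (not ReadonlyREST's own engine, and not part of the original post): a deliberately simplified model of how ROR walks `access_control_rules` top to bottom and allows a request at the first block whose rules all match, answering 403 when no block matches. It models only the `hosts`, `auth_key`, `groups`/`users` and `actions` rules, treats the LDAP block as never matching (no directory is reachable offline), and assumes `*` in `actions` matches any suffix including `/`. The block list is a constructed stand-in for the posted config: the Helm-templated secrets are replaced by placeholder passwords, and only the `myuser:mysecret` pair and the action lists come from the post. The transport action names for the three REST calls (`GET /`, `GET /{index}`, `DELETE /{index}`) are the real Elasticsearch ones.

```python
import base64
import fnmatch

# Constructed stand-in for the "users" section of the posted config.
USERS = {
    "es_admin": {"auth_key": "es_admin:es_admin_pw", "groups": ["Admins"]},
}

# Constructed stand-in for access_control_rules, in the posted order.
# Only the curator credentials ("myuser:mysecret") come from the post.
BLOCKS = [
    {"name": "Localhost", "hosts": ["127.0.0.1"]},
    {"name": "Probes", "actions": ["cluster:monitor/*"]},
    {"name": "Admins", "ldap_authentication": "everyone"},
    {"name": "Kibana Admin", "auth_key": "kibana:kibana_pw"},
    {"name": "Logstash User", "auth_key": "logstash:logstash_pw",
     "actions": ["cluster:monitor/main", "indices:admin/types/exists",
                 "indices:data/read/*", "indices:data/write/*",
                 "indices:admin/template/*", "indices:admin/create"]},
    {"name": "Rover User", "auth_key": "rover:rover_pw",
     "actions": ["cluster:monitor/main", "indices:data/read/*"]},
    {"name": "Curator User", "auth_key": "myuser:mysecret",
     "actions": ["indices:admin/types/exists", "indices:data/read/*",
                 "indices:data/write/*", "indices:admin/template/*",
                 "indices:admin/*"]},
    {"name": "Local Auth for admin 2", "groups": ["Admins"]},
    {"name": "Local Auth for admin", "groups": ["Admins"]},
]

# Elasticsearch transport action names behind the REST calls in the post.
REST_ACTIONS = {
    ("GET", "/"): "cluster:monitor/main",
    ("GET", "/{index}"): "indices:admin/get",
    ("DELETE", "/{index}"): "indices:admin/delete",
}


def make_request(method, path, remote="10.42.0.7", user=None, password=None):
    """Build the request fields the modelled rules inspect (hypothetical helper)."""
    req = {"action": REST_ACTIONS[(method, path)], "remote": remote, "authorization": None}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        req["authorization"] = "Basic " + token
    return req


def _basic_creds(header):
    """Decode an HTTP Basic header into 'user:password', or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        return base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_matches(rule, value, request):
    """Evaluate one rule of a block against the request (simplified ROR semantics)."""
    if rule == "hosts":
        return request["remote"] in value
    if rule == "auth_key":
        return _basic_creds(request["authorization"]) == value
    if rule == "actions":
        # Assumption: '*' matches any suffix, so 'indices:admin/*' covers
        # 'indices:admin/get', 'indices:admin/delete' and 'indices:admin/template/put'.
        return any(fnmatch.fnmatchcase(request["action"], pat) for pat in value)
    if rule == "groups":
        # Local users: credentials must match the users section and share a group.
        creds = _basic_creds(request["authorization"])
        if creds is None:
            return False
        user = USERS.get(creds.split(":", 1)[0])
        return (user is not None and user["auth_key"] == creds
                and bool(set(user["groups"]) & set(value)))
    if rule in ("ldap_authentication", "ldap_authorization"):
        return False  # assumption: no LDAP server reachable in this offline model
    raise ValueError(f"rule not modelled: {rule}")


def evaluate(blocks, request):
    """Return the name of the first block whose rules all match, or None (ROR answers 403)."""
    for block in blocks:
        rules = {k: v for k, v in block.items() if k != "name"}
        if all(rule_matches(k, v, request) for k, v in rules.items()):
            return block["name"]
    return None


if __name__ == "__main__":
    curator_get = make_request("GET", "/{index}", user="myuser", password="mysecret")
    curator_del = make_request("DELETE", "/{index}", user="myuser", password="mysecret")
    print("GET index as curator    ->", evaluate(BLOCKS, curator_get))
    print("DELETE index as curator ->", evaluate(BLOCKS, curator_del))
    print("GET / with no auth      ->", evaluate(BLOCKS, make_request("GET", "/")))
```

Two things the model makes visible. First, under these simplified semantics the curator credentials reach the 'Curator User' block for both `indices:admin/get` and `indices:admin/delete`, so a real 403 means something earlier in the chain did not match (for example the credentials the cluster actually sees differ from the ones the block was rendered with, or the request carries an action name other than the one expected); since `audit_collector: true` is already set, the audit entries ROR writes for the rejected requests record the action name and the block decision and are the place to check. Second, the 'Probes' block carries only an `actions` rule, so any caller, authenticated or not, is allowed every `cluster:monitor/*` action; the model returns 'Probes' for an unauthenticated `GET /`, which is worth confirming is intended.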