Invalid action name [cluster:ror/audit_event/put]

Kuckkuck · August 10, 2022, 8:44am

Hi,

any idea, why I get an invalid action name [cluster:ror/audit_event/put], there is no action name like this in the config and I have tried to enable audit events, but nothing happened.

I am using the free version of readonlyrest 1.35.0_es7.10.2.

Thanks a lot and regards,

Olaf

sscarduzio · August 10, 2022, 9:03am

Interesting, do you mind sharing the logs and your readonlyrest YAML?

Kuckkuck · August 10, 2022, 9:14am

Thanks a lot

[2022-08-10T08:36:07,568][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/config/refreshsettings] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,624][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/user_metadata/get] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,658][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/config/manage] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,659][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/config/manage[n]] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,708][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/audit_event/put] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]

There a no more logs, except this.

my readonlyrest config for the client nodes for example is here:

github.com

sapcc/helm-charts/blob/master/system/elk/vendor/es-client/templates/_readonlyrest.yml.tpl

# rbac for elasticsearch
readonlyrest:
    enable: true
    response_if_req_forbidden: <h1>Forbidden</h1>
    audit:
      collector: {{.Values.audit}}

    access_control_rules:

      # access for logstash to write to the logstash indexes
      - name: data
        actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create","cluster:monitor/*"]
        indices: ["logstash-*", "netflow-*", "systemd-*", "syslog-*", ".kibana*", "kubernikus-*", "scaleout-*", "virtual-*", "bigiplogs-*", "alerts-*", "deployments-*","nsxt-*"]
        auth_key: {{.Values.global.elk_elasticsearch_data_user}}:{{.Values.global.elk_elasticsearch_data_password}}
        verbosity: error

      # access for logstash to write to the audit indexes
      - name: audit
        actions: ["indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create","cluster:monitor/*"]
        indices: ["audit-*"]

This file has been truncated. show original

This is set:

audit:
  collector: true

Regards,

Olaf

coutoPL · August 10, 2022, 6:53pm

ES warns that our internal action names don’t follow their naming criteria. I understand it can be misleading.

We have a Jira for it. We have to analyze the consequences of the actions’ name changes or figure out how to do it in a backward compatible way.

At the moment you can ignore it.

Kuckkuck · August 12, 2022, 8:47am

but if I enable audit collector and no new index is created, no error and I connect with the jaeger user and no entry at all, looks like I am doing something wrong. Why is there no index created for the audit entries?

Regards,

Olaf

sscarduzio · August 12, 2022, 8:53pm

Maybe you don’t have permissions to see those indices? Try to force the name of the indices with

readonlyrest:
  audit:
    collector: true
    index_template: "'some-prefix-you-have-permissions-for'-yyyy-MM"

coutoPL · June 30, 2023, 8:00am

this is fixed in ROR 1.49.1