JWT auth in free version

Hello,

Im wondering if there is option to use JWT in free version ?

Problem is, i have reverse proxy which is forwarding jwt token in some header, but im stuck on the login screen and i dont have any forbidden logs in log, so i cannot check what is wrong with my configuration.

I used the config form the documentations, i only changed the header to JWT-TOKEN user and role claims, but if my proxy will make request with that, im stuck on login screen without any log message

Can someone help ?

Try putting the JWT token in the query parameter

http://kibana-ip:5601/login?jwt=XXXXXXX

Hmm, i tried, and Im recieveing unauthorized, but right now i have logs, but there is no useful information about the logs, also i did restart the elasticsearch and i have this error now:

Ror is being stuck at loading, with this logs:

Elasticsearch log:

[2020-08-26T07:56:47,439][WARN ][stderr ] [alibaba-ire-all-01] SLF4J: Failed to load class “org.slf4j.impl.StaticLoggerBinder”.
[2020-08-26T07:56:47,440][WARN ][stderr ] [alibaba-ire-all-01] SLF4J: Defaulting to no-operation (NOP) logger implementation
[2020-08-26T07:56:47,440][WARN ][stderr ] [alibaba-ire-all-01] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

RoR log:

[2020-08-26T07:56:27,477][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: Available SSL protocols: TLSv1.2,TLSv1.1,TLSv1
[2020-08-26T07:56:27,983][INFO ][tech.beshu.ror.es.ssl.SSLNetty4InternodeServerTransport] [alibaba-ire-all-01] >> internode SSL channel initializing
[2020-08-26T07:56:27,983][INFO ][tech.beshu.ror.es.ssl.SSLNetty4InternodeServerTransport] [alibaba-ire-all-01] >> internode SSL channel initializing
[2020-08-26T07:56:27,983][INFO ][tech.beshu.ror.es.ssl.SSLNetty4InternodeServerTransport] [alibaba-ire-all-01] >> internode SSL channel initializing
[2020-08-26T07:56:27,984][INFO ][tech.beshu.ror.es.ssl.SSLNetty4InternodeServerTransport] [alibaba-ire-all-01] >> internode SSL channel initializing
[2020-08-26T07:56:27,984][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] Using custom truststore: 'truststore.jks'
[2020-08-26T07:56:27,984][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] Using custom truststore: 'truststore.jks'
[2020-08-26T07:56:27,985][INFO ][tech.beshu.ror.es.ssl.SSLNetty4InternodeServerTransport] [alibaba-ire-all-01] >> internode SSL channel initializing
[2020-08-26T07:56:27,985][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] Using custom truststore: 'truststore.jks'
[2020-08-26T07:56:27,986][INFO ][tech.beshu.ror.es.ssl.SSLNetty4InternodeServerTransport] [alibaba-ire-all-01] >> internode SSL channel initializing
[2020-08-26T07:56:27,987][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] Using custom truststore: 'truststore.jks'
[2020-08-26T07:56:27,984][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] Using custom truststore: 'truststore.jks'
[2020-08-26T07:56:27,993][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] Using custom truststore: 'truststore.jks'
[2020-08-26T07:56:28,196][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: attempting with JKS keystore..
[2020-08-26T07:56:28,197][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: ssl.key_alias not configured, took first alias in keystore: alibaba
[2020-08-26T07:56:28,199][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: Discovered key from JKS
[2020-08-26T07:56:28,203][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: Discovered cert chain from JKS
[2020-08-26T07:56:28,215][INFO ][tech.beshu.ror.es.ssl.SSLNetty4HttpServerTransport] [alibaba-ire-all-01] ROR SSL HTTP: Using SSL provider: JDK
[2020-08-26T07:56:28,455][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
[2020-08-26T07:56:28,455][INFO ][tech.beshu.ror.utils.SSLCertParser$] [alibaba-ire-all-01] ROR SSL: Available SSL protocols: TLSv1.2,TLSv1.1,TLSv1
[2020-08-26T07:56:47,314][INFO ][tech.beshu.ror.boot.Ror  ] [alibaba-ire-all-01] Loading ReadonlyREST settings from index failed: cannot find index
[2020-08-26T07:56:47,314][INFO ][tech.beshu.ror.boot.Ror  ] [alibaba-ire-all-01] Loading ReadonlyREST settings from file: /usr/share/elasticsearch/config/readonlyrest.yml

ES response:

{"error":{"root_cause":[{"reason":"Waiting for ReadonlyREST start"}],"reason":"Waiting for ReadonlyREST start","status":503}}

I did changes in readonlyrest.yml i changed the custom jwt header to Authorization, and now my es is being stuck forever, without any info.

Update:

I removed all the things related to JWT and the servers is back running from the stucked state, any idea what can happend to the RoR when i configured JWT ?

my jwt settings:

- name: JWT TEST
      type: allow
      headers: ["X-Auth-Key:${API_KEY}"]
      jwt_auth:
        name: "jwt_provider"
        roles: ['jwt-logs']
      indices: ["logs*",".monitoring*", ".kibana*"]
      actions: ["indices:data/read/*", "cluster:monitor/state", "indices:admin/get", "indices:admin/mappings/fields/get", "indices:admin/mappings/get", "indices:admin/aliases/get", "indices:admin/template/get"]
 
 
  jwt:
  - name: jwt_provider
    signature_algo: HMAC
    signature_key: "${PROXY_TOKEN}"
    user_claim: username
    roles_claim: groups
    header_name: Authorization

I’m using 7.7.1 elastic with 1.20 ror

Hey @Sinedko, why the “name” and “type” are not aligned do you have an indenting issue?

This one is a problem though. ReadonlyREST is waiting for the cluster to become green. Is your cluster green at the time you send the HTTP request to Kibana with the jwt?

This is just error with copy and paste to your forum, yml is fine, there will be different error if not.

what java version do you use?

im using the official docker image from elastic docker.elastic.co/elasticsearch/elastisearch:7.7.1

And im inspected they are using the

openjdk 14.0.1 2020-04-14
OpenJDK Runtime Environment AdoptOpenJDK (build 14.0.1+7)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 14.0.1+7, mixed mode, sharing)

Strange thing is if i comment out the access block that is connected to the jwt auth, everything is working well. But if i let it uncommented then the endless loading is present.

Any ideas ?

I just realized you sent another question, i have the yellow status of the cluster, because I’m using only one single node right now, this can be the issue ?

But RoR starts normally during yellow status without jwt

Cluster is in green state now, but the access block for jwt is still bugged, my elastic is still endless loading, so the yellow state is not related

@coutoPL do you think this is related to the new JVM issue?

I’ve just tested:

{"type": "server", "timestamp": "2020-08-27T15:09:14,203Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "docker-cluster", "node.name": "720985957be6", "message": "version[7.7.1], pid[6], build[default/docker/ad56dce891c901a492bb1ee393f12dfff473a423/2020-05-28T16:30:01.040088Z], OS[Linux/4.19.76-linuxkit/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/14.0.1/14.0.1+7]" }
{"type": "server", "timestamp": "2020-08-27T15:09:20,797Z", "level": "INFO", "component": "t.b.r.b.LogPluginBuildInfoMessage$", "cluster.name": "docker-cluster", "node.name": "720985957be6", "message": "Starting ReadonlyREST plugin v1.22.1 on ES v7.7.1" }

Using:

docker run -d -p 9202:9200 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.7.1

and config like the one above. Everything started fine.

Maybe you are able to prepare docker image, so I can easily reproduce your issue. I’m not able to do it.

Okay, here is the whole docker file, im just adding volumes and user with certain ID for our environment

FROM docker.elastic.co/elasticsearch/elasticsearch:7.7.1
 
# Adding tech user & directories
USER root
RUN userdel elasticsearch && \
    groupadd -r techali -g 10000 && \
    useradd -s /bin/bash -m -d /usr/share/elasticsearch -u 1000 -r -g techali techali > /dev/null 2>&1 && \
    ln -s /usr/share/elasticsearch /opt/elasticsearch && \
    mkdir -p /var/log/insightsre/ && \
    mkdir -p /var/log/insightsre/elasticsearch && \
    mkdir -p /opt/elasticsearch/config/default && \
    mv /opt/elasticsearch/config/jvm.options /opt/elasticsearch/config/default/jvm.options && \
    mv /opt/elasticsearch/config/elasticsearch.yml /opt/elasticsearch/config/default/elasticsearch.yml && \
    mv /opt/elasticsearch/config/log4j2.properties /opt/elasticsearch/config/default/log4j2.properties && \
    chown techali:techali -R /usr/share/elasticsearch/ /opt/elasticsearch/ /var/log/insightsre/
 
# Install readonlyrest plugin
USER techali
ENV PATH="/usr/share/elasticsearch/jdk/bin:${PATH}"
COPY --chown=techali:techali ./plugins/readonlyrest-1.20.0_es7.7.1.zip /tmp
RUN elasticsearch-plugin install file:///tmp/readonlyrest-1.20.0_es7.7.1.zip -b && rm /tmp/readonlyrest-1.20.0_es7.7.1.zip
 
# Copy configurations
COPY --chown=techali:techali ./config/jvm.options /opt/elasticsearch/config/jvm.options
COPY --chown=techali:techali ./config/elasticsearch.yml /opt/elasticsearch/config/elasticsearch.yml
COPY --chown=techali:techali ./config/readonlyrest.yml /opt/elasticsearch/config/readonlyrest.yml
COPY --chown=techali:techali ./config/log4j2.properties /opt/elasticsearch/config/log4j2.properties
 
# Prepare needful volumes
VOLUME /opt/elasticsearch/config/keystore.jks
VOLUME /opt/elasticsearch/config/truststore.jks
VOLUME /opt/elasticsearch/data
VOLUME /var/log/insightsre/elasticsearch
 
# Start elasticsearch
CMD ["/bin/bash", "-c", "elasticsearch 2>&1 >> /dev/null"]

what about form like this one: https://github.com/beshu-tech/rorproxy_example?

I’d like to call:

  • docker build
  • docker run

and see results. The above doesn’t help me much

docker build --rm . -t elasticsearch:7.7.1
 
docker run -d --restart unless-stopped -p 9200:9200 -p 9300:9300 \
    --env-file /opt/elasticsearch/env \
    --ulimit nofile=65536:65536 --ulimit memlock=-1:-1 \
    -v /opt/elasticsearch/certs/keystore.jks:/opt/elasticsearch/config/keystore.jks:ro \
    -v /opt/elasticsearch/certs/truststore.jks:/opt/elasticsearch/config/truststore.jks:ro \
    -v /opt/insightsre/elasticsearch:/opt/elasticsearch/data \
    -v /var/log/insightsre/elasticsearch:/var/log/insightsre/elasticsearch \
    --name elasticsearch \
    elasticsearch:7.7.1

env file is containing all the password needed to configure block and certificates, there are volume for logs, for data and also im using volumes to connect certificates.

all good, but IMO the critical part are files:

  • jvm.options
  • elasticsearch.yml
  • readonlyrest.yml
  • log4j2.properties

As I said before - it works for me, so for sure the problem is configuration or starting options.

ror.zip (8.9 KB)

Ok, i uploaded every config for elasticsearch, you can check, there is also issue with _cat/indices with the same cofiguration already reported on https://forum.readonlyrest.com/t/cat-indices-not-working-again/1627/10, but this is related to the same cluster and same configuration.

Hopefully we can resolve both.

User alibaba is only see the alibaba indices in the _cat/index, but in monitoring he can see every index, but if i use index pattern on lets say logs indices, then he can browse the documents normally, its seems that only _cat/indices is not working correctly.

Its first time i have two bugs in one configuration

Any updates ? Our development is blocked by this bug.

Hi @Sinedko at the moment our engineers are all busy working on roadmap and ROR Enterprise customers’ support cases. We only provide support to Free and PRO users on a best effort basis.