JWT config is hanging the elasticsearch


(Ravikanth) #1

Hello,

Maybe I am doing something obviously wrong. I am trying JWT configuration following the documentation and the forum discussions. Below is my configuration.


- name: Valid JWT token with a viewer role
  kibana_access: ro
  jwt_auth:
    name: "jwt_provider_1"
    roles: ["viewer"]
  indices: [".kibana-cfxdls-customer1", "coke_gdt_*"]
  kibana_index: ".kibana-cfxdls-customer1"

jwt:
- name: jwt_provider_1
  signature_key: "Dr27FBva4aiZxSC1yfXckOLVsIwGNywZm4_Z1KQ-wyx7y11Hti2o8gx7Zs-9EQDTacOeBoDM4eqVqkXaqdF4QIGAf15sRdvfOkE_em9hzqfJbHn-U1Bctcg06JKl5oy-rwLTPmiWT1-vO4zPkvcdjpzZfNwy1T1TsUSSNGVpueLC15yQ4_sR5Ju4IwqJUe3P3urRp02qpI1RNSYuX7oo_e9Bra_JMYnHUt5oUueXxg3UnGPapH8J93O_DDleAcN5j0ukogFq8C53H_Hy6HigzTng_qyW5StXhZz-t55dEUs97YFVrt0NyCDI1m1wd3bvPG6O7vIzSMsL8L8C6bI36g"
  user_claim: customerid
  roles_claim: resource_access.client-app.roles
  header_name: Authorization


After enabling the debugs, I see that elasticsearch is hanging at the below. Even when I am trying to upload the configuration via the UI screen, it is having the same symptom. No other debug/error is being spit out.

[2019-01-27T13:15:58,962][DEBUG][t.b.r.e.IndexLevelActionFilter] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] Read data from /opt/es-config/readonlyrest.yml
[2019-01-27T13:15:58,987][INFO ][t.b.r.e.IndexLevelActionFilter] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] Settings observer refreshing…
[2019-01-27T13:15:59,128][INFO ][t.b.r.r.SerializationTool] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] no custom audit log serialisers found, proceeding with default.
[2019-01-27T13:15:59,278][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: '::LOGSTASH::', policy: ALLOW, rules: [auth_key, actions]}
[2019-01-27T13:15:59,278][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]}
[2019-01-27T13:15:59,280][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: 'CFXDLS Tenancy Template', policy: ALLOW, rules: [groups, kibana_access, kibana_index]}
[2019-01-27T13:15:59,280][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: 'Cloudfabrix', policy: ALLOW, rules: [groups, kibana_access, kibana_index]}


(Ravikanth) #2

I have tried various combinations of keys and nothing seems to be working. Below is the jstack.

"main" #1 prio=5 os_prio=0 tid=0x00007f469400e800 nid=0x5e runnable [0x00007f469ac2d000]
java.lang.Thread.State: RUNNABLE
at java.io.FileInputStream.readBytes(Native Method)
at java.io.FileInputStream.read(FileInputStream.java:255)
at sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
at sun.security.provider.NativePRNG$RandomIO.implGenerateSeed(NativePRNG.java:441)
- locked <0x00000000a5f27a90> (a java.lang.Object)
at sun.security.provider.NativePRNG$RandomIO.access$500(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineGenerateSeed(NativePRNG.java:226)
at java.security.SecureRandom.generateSeed(SecureRandom.java:533)
at java.security.SecureRandom.getSeed(SecureRandom.java:520)
at tech.beshu.ror.commons.utils.SecureStringHasher.<init>(SecureStringHasher.java:53)
at tech.beshu.ror.acl.blocks.rules.impl.JwtAuthSyncRule.<init>(JwtAuthSyncRule.java:64)
at tech.beshu.ror.acl.blocks.rules.UserRuleFactory.lambda$new$7(UserRuleFactory.java:97)
at tech.beshu.ror.acl.blocks.rules.UserRuleFactory$$Lambda$1448/1180105925.apply(Unknown Source)
at tech.beshu.ror.acl.blocks.rules.UserRuleFactory.create(UserRuleFactory.java:108)
at tech.beshu.ror.acl.blocks.rules.RulesFactory.create(RulesFactory.java:219)
at tech.beshu.ror.acl.blocks.Block$$Lambda$1480/303354428.apply(Unknown Source)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at tech.beshu.ror.acl.blocks.Block.<init>(Block.java:65)
at tech.beshu.ror.acl.ACL.lambda$new$0(ACL.java:83)
at tech.beshu.ror.acl.ACL$$Lambda$1478/1455019071.apply(Unknown Source)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)


(Ravikanth) #3

Below are the plugin versions I am using.

readonlyrest-1.16.33_es6.5.4.zip

readonlyrest_kbn_enterprise-1.16.33-20190124_es6.5.4.zip


(Ravikanth) #4

Please ignore the problem. This seems to be due to the JVM lacking entropy.

JVM hang because of lack of entropy


(Ravikanth) #5

Just an FYI for all.

Solved this problem by setting the below. In my case the ES was running inside a docker container.

export ES_JAVA_OPTS="-Xms${MIN_HEAP} -Xmx${MAX_HEAP} -Djava.security.egd=file:///dev/urandom"


(Simone Scarduzio) #6

Great analysis @ravjanga!

BTW can you please use the "</>" button in the forum editor to embed the YAML settings?
Otherwise the indentation is all wrong and snippets won't be copy-pastable by other users!