Hello,

May be I am doing some obviously wrong. I am trying JWT configuration following the documentation and the forum discussions. Below is my configuration.

- name: Valid JWT token with a viewer role
kibana_access: ro
jwt_auth:
name: “jwt_provider_1”
roles: [“viewer”]
indices: [ “.kibana-cfxdls-customer1”, “coke_gdt_*”]
kibana_index: “.kibana-cfxdls-customer1”

jwt:
- name: jwt_provider_1
signature_key: “Dr27FBva4aiZxSC1yfXckOLVsIwGNywZm4_Z1KQ-wyx7y11Hti2o8gx7Zs-9EQDTacOeBoDM4eqVqkXaqdF4QIGAf15sRdvfOkE_em9hzqfJbHn-U1Bctcg06JKl5oy-rwLTPmiWT1-vO4zPkvcdjpzZfNwy1T1TsUSSNGVpueLC15yQ4_sR5Ju4IwqJUe3P3urRp02qpI1RNSYuX7oo_e9Bra_JMYnHUt5oUueXxg3UnGPapH8J93O_DDleAcN5j0ukogFq8C53H_Hy6HigzTng_qyW5StXhZz-t55dEUs97YFVrt0NyCDI1m1wd3bvPG6O7vIzSMsL8L8C6bI36g”
user_claim: customerid
roles_claim: resource_access.client-app.roles
header_name: Authorization

After enabling the debugs, I see that elasticsearch is hanging at the below. Even when I am trying to upload the configuration via the UI screen, it is having the same symptom. No other debug/error is being spit out.

[2019-01-27T13:15:58,962][DEBUG][t.b.r.e.IndexLevelActionFilter] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] Read data from /opt/es-config/readonlyrest.yml
[2019-01-27T13:15:58,987][INFO ][t.b.r.e.IndexLevelActionFilter] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] Settings observer refreshing…
[2019-01-27T13:15:59,128][INFO ][t.b.r.r.SerializationTool] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] no custom audit log serialisers found, proceeding with default.
[2019-01-27T13:15:59,278][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: ‘::LOGSTASH::’, policy: ALLOW, rules: [auth_key, actions]}
[2019-01-27T13:15:59,278][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: ‘::KIBANA-SRV::’, policy: ALLOW, rules: [auth_key]}
[2019-01-27T13:15:59,280][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: ‘CFXDLS Tenancy Template’, policy: ALLOW, rules: [groups, kibana_access, kibana_index]}
[2019-01-27T13:15:59,280][INFO ][t.b.r.a.ACL ] [cfxdls-esclient-elk-04.qa.engr.cloudfabrix.com] ADDING BLOCK: { name: ‘Cloudfabrix’, policy: ALLOW, rules: [groups, kibana_access, kibana_index]}

I have tried various combination of keys and nothing seem to be working. Below is the jstack.

“main” #1 prio=5 os_prio=0 tid=0x00007f469400e800 nid=0x5e runnable [0x00007f469ac2d000]
java.lang.Thread.State: RUNNABLE
at java.io.FileInputStream.readBytes(Native Method)
at java.io.FileInputStream.read(FileInputStream.java:255)
at sun.security.provider.NativePRNG$RandomIO.readFully(NativePRNG.java:424)
at sun.security.provider.NativePRNG$RandomIO.implGenerateSeed(NativePRNG.java:441)
- locked <0x00000000a5f27a90> (a java.lang.Object)
at sun.security.provider.NativePRNG$RandomIO.access$500(NativePRNG.java:331)
at sun.security.provider.NativePRNG.engineGenerateSeed(NativePRNG.java:226)
at java.security.SecureRandom.generateSeed(SecureRandom.java:533)
at java.security.SecureRandom.getSeed(SecureRandom.java:520)
at tech.beshu.ror.commons.utils.SecureStringHasher.(SecureStringHasher.java:53)
at tech.beshu.ror.acl.blocks.rules.impl.JwtAuthSyncRule.(JwtAuthSyncRule.java:64)
at tech.beshu.ror.acl.blocks.rules.UserRuleFactory.lambda$new$7(UserRuleFactory.java:97)
at tech.beshu.ror.acl.blocks.rules.UserRuleFactory$$Lambda$1448/1180105925.apply(Unknown Source)
at tech.beshu.ror.acl.blocks.rules.UserRuleFactory.create(UserRuleFactory.java:108)
at tech.beshu.ror.acl.blocks.rules.RulesFactory.create(RulesFactory.java:219)
at tech.beshu.ror.acl.blocks.Block$$Lambda$1480/303354428.apply(Unknown Source)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at tech.beshu.ror.acl.blocks.Block.(Block.java:65)
at tech.beshu.ror.acl.ACL.lambda$new$0(ACL.java:83)
at tech.beshu.ror.acl.ACL$$Lambda$1478/1455019071.apply(Unknown Source)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)

Below are the plugin versions I am using.

readonlyrest-1.16.33_es6.5.4.zip

readonlyrest_kbn_enterprise-1.16.33-20190124_es6.5.4.zip

Please ignore the problem. This seems to be due to JVM problem lacking the entropy.

JVM hang because of lack of entropy

just an FYI for all.

Solved this problem by setting the below. In my case the ES was running inside a docker container.

export ES_JAVA_OPTS="-Xms${MIN_HEAP} -Xmx${MAX_HEAP} -Djava.security.egd=file:///dev/urandom"

Great analysis @ravjanga!

BTW can you please use the “</>” button in the forum editor to embed the YAML settings?
Otherwise the indentation is all wrong and snippets wont’ be copy-pastable by other users!