JWT without Kibana

noghte · July 20, 2018, 3:34am

Is it possible to use ReadonlyREST to secure elasticsearch indices without having Kibana? If yes, what is wrong with my configurations?
The following configuration prevents elasticsearch (version 6.3.1) service to run on an Ubuntu machine:

...
- name: Just certain indices, and read only
      type: allow
      actions: ["indices:data/read/*"]
      indices: ["test-index*"] # index aliases are taken in account!
      jwt_auth:
        name: "jwt_provider_1"
jwt:
    - name: jwt_provider_1
      secret: "thesecret!" #for symmetric encryption
      user_claim: user_id
      header_name: Authorization

elasticsearch.yml:

…
xpack.security.enabled: false
http.type: ssl_netty4

Thanks

sscarduzio · July 20, 2018, 11:39am

sure it is possible, try commenting out the actions rule to see if it works. Maybe your test is not a request that maps to that action.

Anyways, analyse the logs and see the “HIS” field (history) to see which rule blocks the requests.

noghte · July 20, 2018, 3:23pm

By commenting out the jwt_auth section, the restriction works. But, enabling this sections, prevents elasticsearch service to start at all (systemctl elasticsearch service start).
Thanks for the “HIS” field, I’ll see that and reply here.
Anyhow, since I know it works without Kibana I am more confident now! Because the samples on documentation, and most of the issues involves Kibana.

sscarduzio · July 20, 2018, 5:35pm

Cool, thanks for the suggestion about the docs. They are very welcome!

BTW I take the opportunity to remind everyone that our documentation is a collaborative open source project.

askids · July 20, 2018, 5:59pm

@sscarduzio and we will use this opportunity to remind that PRs are pending merge

sscarduzio · July 20, 2018, 8:31pm

LOLL thanks @askids, I totally didn’t see those. All merged thank you!