LDAP configuration issue


(Arun Kumar) #1

Hi,

I had installed the readonlyrest plugin successfully and tested it with basic authorization. It is working fine.

Further, when I configured readonlyrest.yml for LDAP users and restarted Elasticsearch, the server threw an exception. Below are the readonlyrest.yml settings:
readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

  access_control_rules:

  - name: Accept requests to index1 from users with valid LDAP credentials, belonging to LDAP group team1
    ldap_authentication: "ldap1"
    ldap_authorization:
      name: "ldap1"                                             # ldap name from 'ldaps' section
      groups: ["mathematicians"]                                # group within 'ou=Groups,dc=example,dc=com'
    indices: ["music"]

  ldaps:

  - name: "ldap1"
    host: "ldap.forumsys.com"
    port: 389                                                   # default 389
    ssl_enabled: false                                          # default true
    ssl_trust_all_certs: true                                   # default false
    bind_dn: "cn=read-only-admin,dc=example,dc=com"             # skip for anonymous bind
    bind_password: "password"                                   # skip for anonymous bind
    search_user_base_DN: "dc=example,dc=com"
    user_id_attribute: "uid"                                    # default "uid"
    search_groups_base_DN: "ou=mathematicians,dc=example,dc=co"
    unique_member_attribute: "uniqueMember"                     # default "uniqueMember"
    connection_pool_size: 10                                    # default 30
    connection_timeout_in_sec: 10                               # default 1
    request_timeout_in_sec: 10                                  # default 1
    cache_ttl_in_sec: 60                                        # default 0 - cache disabled

and below is the Elasticsearch log:

[2019-05-14T11:44:34,816][INFO ][o.e.e.NodeEnvironment ] [Gateway] using [1] data paths, mounts [[OS (C:)]], net usable_space [308.6gb], net total_space [474.8gb], types [NTFS]
[2019-05-14T11:44:34,823][INFO ][o.e.e.NodeEnvironment ] [Gateway] heap size [1.9gb], compressed ordinary object pointers [true]
[2019-05-14T11:44:34,924][INFO ][o.e.n.Node ] [Gateway] node name [Gateway], node ID [mw8jm0NGRUqXiCSH6A6dNQ]
[2019-05-14T11:44:34,925][INFO ][o.e.n.Node ] [Gateway] version[7.0.0], pid[2872], build[unknown/unknown/b7e28a7/2019-04-05T22:55:32.697037Z], OS[Windows 10/10.0/amd64], JVM[Oracle Corporation/Java HotSpot™ 64-Bit Server VM/1.8.0_131/25.131-b11]
[2019-05-14T11:44:34,926][INFO ][o.e.n.Node ] [Gateway] JVM home [C:\Program Files\Java\jdk1.8.0_131\jre]
[2019-05-14T11:44:34,926][INFO ][o.e.n.Node ] [Gateway] JVM arguments [-XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=C:\WINDOWS\TEMP\elasticsearch, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, -Xloggc:logs/gc.log, -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=32, -XX:GCLogFileSize=64m, -Xmx2048m, -Xms2048m, -Dio.netty.allocator.type=pooled, -Delasticsearch, -Des.path.home=C:\Program Files\Elastic\Elasticsearch\7.0.0, -Des.path.conf=C:\ProgramData\Elastic\Elasticsearch\config]
[2019-05-14T11:44:38,449][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [aggs-matrix-stats]
[2019-05-14T11:44:38,450][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [analysis-common]
[2019-05-14T11:44:38,450][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [ingest-common]
[2019-05-14T11:44:38,450][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [ingest-geoip]
[2019-05-14T11:44:38,451][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [ingest-user-agent]
[2019-05-14T11:44:38,451][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [lang-expression]
[2019-05-14T11:44:38,452][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [lang-mustache]
[2019-05-14T11:44:38,452][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [lang-painless]
[2019-05-14T11:44:38,452][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [mapper-extras]
[2019-05-14T11:44:38,452][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [parent-join]
[2019-05-14T11:44:38,453][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [percolator]
[2019-05-14T11:44:38,453][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [rank-eval]
[2019-05-14T11:44:38,453][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [reindex]
[2019-05-14T11:44:38,453][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [repository-url]
[2019-05-14T11:44:38,454][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [transport-netty4]
[2019-05-14T11:44:38,454][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-ccr]
[2019-05-14T11:44:38,455][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-core]
[2019-05-14T11:44:38,455][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-deprecation]
[2019-05-14T11:44:38,455][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-graph]
[2019-05-14T11:44:38,456][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-ilm]
[2019-05-14T11:44:38,456][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-logstash]
[2019-05-14T11:44:38,456][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-ml]
[2019-05-14T11:44:38,456][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-monitoring]
[2019-05-14T11:44:38,457][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-rollup]
[2019-05-14T11:44:38,457][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-security]
[2019-05-14T11:44:38,457][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-sql]
[2019-05-14T11:44:38,458][INFO ][o.e.p.PluginsService ] [Gateway] loaded module [x-pack-watcher]
[2019-05-14T11:44:38,458][INFO ][o.e.p.PluginsService ] [Gateway] loaded plugin [readonlyrest]
[2019-05-14T11:44:43,340][INFO ][o.e.x.m.p.l.CppLogMessageHandler] [Gateway] [controller/21820] [[email protected]] controller (64 bit): Version 7.0.0 (Build cdaa022645f38d) Copyright © 2019 Elasticsearch BV
[2019-05-14T11:44:43,611][INFO ][t.b.r.e.IndexLevelActionFilter] [Gateway] Settings observer refreshing…
[2019-05-14T11:45:11,275][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [Gateway] uncaught exception in thread [main]
java.security.PrivilegedActionException: null
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at tech.beshu.ror.es.ReadonlyRestPlugin.createComponents(ReadonlyRestPlugin.java:109) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$9(Node.java:438) ~[elasticsearch-7.0.0.jar:7.0.0]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_131]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) ~[?:1.8.0_131]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_131]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_131]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_131]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_131]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_131]
at org.elasticsearch.node.Node.<init>(Node.java:441) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.node.Node.<init>(Node.java:251) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-7.0.0.jar:7.0.0]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.0.0.jar:7.0.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.0.0.jar:7.0.0]
Caused by: java.security.PrivilegedActionException
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at tech.beshu.ror.es.IndexLevelActionFilter.lambda$new$1(IndexLevelActionFilter.java:131) ~[?:?]
at java.util.Observable.notifyObservers(Observable.java:159) ~[?:1.8.0_131]
at java.util.Observable.notifyObservers(Observable.java:115) ~[?:1.8.0_131]
at tech.beshu.ror.settings.SettingsObservable.forceRefresh(SettingsObservable.java:88) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.<init>(IndexLevelActionFilter.java:148) ~[?:?]
at tech.beshu.ror.es.ReadonlyRestPlugin.lambda$createComponents$0(ReadonlyRestPlugin.java:112) ~[?:?]
… 22 more
Caused by: java.util.concurrent.TimeoutException: Task.runSyncUnsafe(10 seconds)
at monix.eval.internal.TaskRunSyncUnsafe$.blockForResult(TaskRunSyncUnsafe.scala:163) ~[?:?]
at monix.eval.internal.TaskRunSyncUnsafe$.apply(TaskRunSyncUnsafe.scala:102) ~[?:?]
at monix.eval.Task.runSyncUnsafe(Task.scala:1043) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.lambda$null$0(IndexLevelActionFilter.java:134) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at tech.beshu.ror.es.IndexLevelActionFilter.lambda$new$1(IndexLevelActionFilter.java:131) ~[?:?]
at java.util.Observable.notifyObservers(Observable.java:159) ~[?:1.8.0_131]
at java.util.Observable.notifyObservers(Observable.java:115) ~[?:1.8.0_131]
at tech.beshu.ror.settings.SettingsObservable.forceRefresh(SettingsObservable.java:88) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.<init>(IndexLevelActionFilter.java:148) ~[?:?]
at tech.beshu.ror.es.ReadonlyRestPlugin.lambda$createComponents$0(ReadonlyRestPlugin.java:112) ~[?:?]
… 22 more

Please help me. Your suggestion would be highly appreciated.


(Mateusz Kołodziejczyk) #2

Hi @arun.kumar1. Could you let us know what ROR version you are using, please?


(Arun Kumar) #3

Hi,

I have installed readonlyrest-1.17.6_es7.0.0.zip and the Elasticsearch version is 7.0.0.

Thank you.

Regards,
Arun Kumar


(Mateusz Kołodziejczyk) #4

@arun.kumar1 thanks, one more question. Did you configure ROR using the readonlyrest.yml file or using the Kibana plugin?


(Mateusz Kołodziejczyk) #5

@arun.kumar1 I think I know what the problem is. We could improve our code a little, but could you make a small change to confirm I'm right:

connection_timeout_in_sec: 10

to

connection_timeout_in_sec: 1

and check again. I suppose there is a problem with the connection to your LDAP, but we have configured too small a timeout (at ROR core startup), so you got java.util.concurrent.TimeoutException instead of info about the LDAP connection failure.
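A way to confirm the diagnosis in #5 without restarting Elasticsearch is to reproduce the bind ROR performs, from the ES host, with the same settings. The script below is an added example, not ReadonlyREST code: it hand-encodes an LDAPv3 simple BindRequest (RFC 4511) so it needs no third-party library, and reports "unreachable" (DNS failure, refused connection or timeout) separately from a rejected bind, which is exactly the distinction the TimeoutException in the log hides. The LDAP dict is copied from the readonlyrest.yml posted in this thread.

```python
import socket

# Connection settings copied from the readonlyrest.yml posted above.
LDAP = {"host": "ldap.forumsys.com", "port": 389,
        "bind_dn": "cn=read-only-admin,dc=example,dc=com",
        "bind_password": "password", "connection_timeout_in_sec": 10}

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_simple_bind(msg_id, dn, password):
    """LDAPv3 BindRequest (RFC 4511) using simple authentication."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse PDU."""
    _, msg, _ = read_tlv(data, 0)            # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)             # messageID
    tag, body, _ = read_tlv(msg, pos)        # [APPLICATION 1] BindResponse
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(body, 0)         # ENUMERATED resultCode
    _, _, pos = read_tlv(body, pos)          # matchedDN (ignored)
    _, diag, _ = read_tlv(body, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_ldap(cfg):
    """Connect and bind with the ROR settings; returns (status, detail)."""
    try:
        with socket.create_connection((cfg["host"], cfg["port"]),
                                      timeout=cfg["connection_timeout_in_sec"]) as s:
            s.sendall(build_simple_bind(1, cfg["bind_dn"], cfg["bind_password"]))
            code, diag = parse_bind_response(s.recv(4096))
    except OSError as e:                     # DNS failure, refused, or timeout
        return "unreachable", str(e)
    return ("ok" if code == 0 else "bind-failed"), "resultCode=%d %s" % (code, diag)
```

Run `print(check_ldap(LDAP))` on the Elasticsearch host: "unreachable" means the network path or DNS is the problem, "bind-failed" with resultCode 49 means the bind_dn or bind_password is wrong, and only "ok" means ROR's startup failure lies elsewhere.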