LDAP connection, authentication and Index wise authorisation


(Simone Scarduzio) #22

@Akhilesh could you try to create the .kibana index manually and report?


(Akhilesh Tiwari) #23

Hi Simone Scarduzio,

ya I have already created and tested yesterday but its not worked.
Some mappings are not found with that manually created index (.kibana) and I was not able to login in kibana with any users(admin,kibana etc).
After clear the data file in the kibana directory,I was able to login in the kibana.

so i have already tried this.


(Akhilesh Tiwari) #24

Hi Simone Scarduzio,

still we are stuck in same issue “index not found exception”.


(Akhilesh Tiwari) #25

Hi @sscarduzio,

This is our main issue in the log file.
please see below logs and provide us an exact solution on this.
we are getting forbidden Exception.

[2018-06-13T17:51:19,006][DEBUG][i.n.h.s.SslHandler ] [id: 0x314b81d3, L:/172.21.153.176:9200 - R:/172.21.153.176:47196] HANDSHAKEN: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[2018-06-13T17:51:19,009][DEBUG][t.b.r.a.ACL ] checking request:924255705-538512418#137
[2018-06-13T17:51:19,009][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamg rc: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS: }
[2018-06-13T17:51:19,009][DEBUG][t.b.r.a.b.Block ] e[33m[::admin::] the request matches no rules in this block: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]] }e[0m
[2018-06-13T17:51:19,009][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamg rc: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]] }
[2018-06-13T17:51:19,010][DEBUG][t.b.r.a.b.Block ] e[33m[::LOGSTASH::] the request matches no rules in this block: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }e[0m
[2018-06-13T17:51:19,010][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamg rc: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }
[2018-06-13T17:51:19,010][DEBUG][t.b.r.a.b.Block ] e[33m[::KIBANA-SRV::] the request matches no rules in this block: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }e[0m
[2018-06-13T17:51:19,015][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamg rc: { ID:924255705-538512418#137, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-13T17:51:19,016][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamg] with LDAP [ldap1]
[2018-06-13T17:51:19,040][DEBUG][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user CN returned error [result code=‘32 (no such object)’ diagnostic message='0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
‘DC=ad,DC=crisil,DC=com’

please reply ASAP,we are waiting for your reply.


(Simone Scarduzio) #26

does this mean your index not found exception is solved?


(Akhilesh Tiwari) #27

Hi Simone Scarduzio,

no,still we are getting both the exception.


(Simone Scarduzio) #28

This means that the LDAP connector is not configured correctly, or the LDAP bind user has no permission to see the user, or the user is not present.


(Simone Scarduzio) #29

I’m afraid your LDAP administrator can help more than I can for sure on this. ROR prints all the sufficient logs.


(Akhilesh Tiwari) #30

Hi Simone Scarduzio,

is .kibana index necessary for working with readonlyrest??


(Simone Scarduzio) #31

the .kibana index is needed for Kibana to work. It’s where it saves index patterns, graphs, dashboards, etc.
Kibana creates it as the first thing when you start it, if not present.

Have you tried to do what I suggested? Remove ROR from both ES and Kibana and initiate a Kibana session, so Kibana creates its .kibana index?


(Akhilesh Tiwari) #33

Hi @sscarduzio,

We are using ES and kibana 6.2.4 version . In this version .kibana index is not getting created. So can you please refer us ES and kibana versions compatible with readonlyrest 6.2.4 plugins. Please suggest versions of ES / kibana which are compatible with readonlyrest 6.2.4.

Thanks,

Akhilesh Tiwari


(Simone Scarduzio) #34

@Akhilesh Just download the plain elasticsearch and Kibana zip files of the same version (6.2.4) from Elastic website (don’t download 6.3.0 which just came out today and we don’t have ROR for it yet).

Unzip them, and touch the settings as few as possible. Let them first work togethe, observe the .kibana index getting created using cURL, and that would be an excellent starting point.

Once this works, we can add things to the mix. I.e. ROR for ES, and basic auth between Kibana and ES.


(Akhilesh Tiwari) #35

Hi Simone Scarduzio,

yup,we have already done it but it was not working. we have downloaded plain elasticsearch and Kibana zip files of the same version (6.2.4) from Elastic website and install,we have alreday cheaked .kibana index using curl query without installation of RoR plugins but we are not getting .kibana index.
we have already discuss with Elastic Team members but not getting Appropriate solution.

can you please help us regarding this,lets work together.


(Akhilesh Tiwari) #36

Hi Simone Scarduzio,

We reinstalled the version 6.2.4 of ELK and Kibana But (.kibana) index is not created and then again we reinstalled the version 6.3.0 of ELK and Kibana. here (.kibana) index has been created.
Also previously we have used 5.3.0, 5.5.2, 6.0.0 these all versions contains .kibana index.

I think some problem in ELK and and Kibana setup 6.2.4.
can you suggest me which version of RoR Compatible ELK setup OR What should I do for success of RoR wth ELK.


(Akhilesh Tiwari) #37

Hi Simone Scarduzio,

can we use ROR _6.2.4 plugins with the ELK and Kibana version 6.0.0?
i am asking this question because 6.0.0 version of ELK and Kibana contains .kibana index after installations.
plesae reply as soon as possible.

 Thanks

Akhilesh Tiwari


(Simone Scarduzio) #38

@Akhilesh, interesting observation. Do you have a link to the ticket you open with Elastic?
Anyway I will test this myself, super weird.

You always need to match the right version of ES, Kibana, and ROR. We need a few days to adapt ROR to Kibana 6.3.0, so please test what’s the newest working version, and I can provide the right Kibana plugin for you to install.