Hi @sscarduzio,
We have installed Elasticsearch and Kibana 6.2.4 and the plugins for both. Now the .kibana index has been created and we are not getting any issues related to the index. Now we are very close to success. Please provide your support.
We are getting two issues now:
1. [Technology] the request matches no rules in this block: { ID:1293931784-1725560941#157, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.123, DA:172.21.153.123, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=example:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Technology->[groups->false]]
2. [2018-06-18T13:08:11,397][DEBUG][t.b.r.a.d.l.u.UnboundidAuthenticationLdapClient] LDAP getting user CN returned no entries
[2018-06-18T13:08:11,397][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamg] not authenticated by LDAP [ldap1]
[2018-06-18T13:08:11,397][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamg rc: { ID:1686207621-1575972278#678, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamg(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.123, DA:172.21.153.123, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtZzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=example:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
I will give you my configuration.
readonlyrest.yml
readonlyrest:
  ssl:
    enable: true
    keystore_file: "/opt/Readonlyresttest/elasticsearch-6.2.4/config/keystore.jks"
    keystore_pass: readonlyrest
    key_pass: readonlyrest
    key_alias: elk01 #This is needed only when the keystore has multiple entries
  audit_collector: true
  access_control_rules:
  - name: "::admin::"
    auth_key: admin:admin
  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logstash-*"]
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error
  - name: "Technology"
    kibana_access: admin
    groups: ["Technology"]
    indices: [".kibana","logstash-*"]
  users:
  - username: c-shubhamg
    groups: ["Technology"]
    ldap_authentication:
      name: ldap1
  - username: c-ajitb
    groups: ["Technology"]
    ldap_authentication:
      name: ldap1
  ldaps:
  - name: ldap1
    host: "ad.example.com"
    port: 389 # default 389
    ssl_enabled: false # default true
    ssl_trust_all_certs: true
    bind_dn: "CN=c-shubhamg,OU=Technology,OU=Corporate Technology,OU=Corporate Group,DC=ad,DC=example,DC=com"
    bind_password: "pass@1234"
    search_user_base_DN: "dc=ad,dc=example,dc=com"
    search_groups_base_DN: "dc=ad,dc=example,dc=com"
    user_id_attribute: "uid"
    unique_member_attribute: "uniqueMember"
    connection_pool_size: 10
    connection_timeout_in_sec: 10
    request_timeout_in_sec: 10
    cache_ttl_in_sec: 60
elasticsearch.yml
bootstrap.system_call_filter: false
cluster.name: elasticsearch-cluster
node.name: node-1
network.host: example
http.type: ssl_netty4
kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.url: "https://example:9200"
elasticsearch.ssl.verificationMode: "none"
Please note that we have changed server names as “example” for security reasons.
Hi,
Need your help. Waiting for your reply.
OK @ajit,
Now really the only thing remaining here is to configure the LDAP connector correctly. This is the part I can help you the least with, as LDAP servers can be configured in thousands of ways, and personally I only used openLDAP, rather than Microsoft Active Directory.
Please note that many other customers already successfully managed to connect ROR to AD. I vividly recommend searching this forum for examples.
The first I came across is this: LDAP Configuration for Active Directory
Hi @sscarduzio,
We are able to authenticate LDAP users by the LDAP server. Please find the logs below.
[2018-06-18T16:06:21,328][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS: }
[2018-06-18T16:06:21,328][DEBUG][t.b.r.a.b.Block ] ^[[33m[::admin::] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]] }^[[0m
[2018-06-18T16:06:21,328][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]] }
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.b.Block ] ^[[33m[::LOGSTASH::] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }^[[0m
[2018-06-18T16:06:21,329][INFO ][t.b.r.a.b.r.i.AuthKeySyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]] }
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.b.Block ] ^[[33m[::KIBANA-SRV::] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }^[[0m
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG(?), BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-18T16:06:21,329][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamG] with LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamG] authenticated by LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamG] with LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamG] authenticated by LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.r.i.LdapAuthenticationAsyncRule] Attempting Login as: c-shubhamG rc: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] Trying to authenticate user [c-shubhamG] with LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.d.l.l.AuthenticationLdapClientLoggingDecorator] User [c-shubhamG] authenticated by LDAP [ldap1]
[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.Block ] ^[[33m[Corporate Group] the request matches no rules in this block: { ID:197972708-2122244818#1128, TYP:NodesInfoRequest, CGR:N/A, USR:c-shubhamG, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:172.21.153.176, DA:172.21.153.176, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Basic Yy1zaHViaGFtRzpNYXlAMjAxOA==, Connection=close, content-length=0, Host=mumchelk01:9200}, HIS:[::admin::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [Corporate Group->[groups->false]] }^[[0m
[2018-06-18T16:06:21,342][DEBUG][r.suppressed ] path: /_nodes/_local, params: {nodeId=_local}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: forbidden
at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:165) ~[?:?]
at tech.beshu.ror.acl.ACL.lambda$check$4(ACL.java:203) ~[?:?]
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_111]
at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) ~[?:1.8.0_111]
at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) ~[?:1.8.0_111]
at tech.beshu.ror.acl.ACL.check(ACL.java:198) ~[?:?]
Now please provide a proper solution.
Hi @sscarduzio,
In the above logs the c-shubhamg user is authenticated by LDAP [ldap1]. But we are getting the exception "the request matches no rules in this block". Now, where is the actual issue? Please reply on this thread as soon as possible.
@ajit, the logs talk about a block of rules called “Corporate Group” which is not in the readonlyrest.yml you provided. Maybe you have been editing the YAML from the web GUI in Kibana? Keep in mind if you edit in the web GUI, changes are not reflected into the file.
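The comparison made in the reply above (block names in the `HIS:` field of a log line against the blocks in the settings file), as an added example that is not part of the original thread or of ReadonlyREST; it also strips the logged `authorization` header value before a line is shared. The sample line and its header value are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the ReadonlyREST DEBUG lines quoted in this thread.
# The header value is a constructed placeholder (base64 of "user:password").
SAMPLE = (
    "[2018-06-18T16:06:21,342][DEBUG][t.b.r.a.b.Block ] [Corporate Group] the request "
    "matches no rules in this block: { ID:1-2#3, TYP:NodesInfoRequest, USR:some-user, "
    "ACT:cluster:monitor/nodes/info, PTH:/_nodes/_local, "
    "HDR:{authorization=Basic dXNlcjpwYXNzd29yZA==, Connection=close}, "
    "HIS:[::admin::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], "
    "[Corporate Group->[groups->false]] }"
)

# Credential part of a logged Authorization header (Basic is base64, not encryption).
AUTH_RE = re.compile(r"(authorization=)(Basic|Bearer)\s+[^,}\s]+", re.IGNORECASE)
# One HIS entry: [block name->[rule->result, ...]]
HIS_BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\]]*)\]\]")
RULE_RE = re.compile(r"([\w.]+)->(true|false)")


def redact(line):
    """Replace the credential in a logged Authorization header before sharing the line."""
    return AUTH_RE.sub(r"\1\2 <redacted>", line)


def history(line):
    """Return [(block_name, {rule: matched})] from the HIS: field, in evaluation order."""
    _, sep, his = line.partition("HIS:")
    if not sep:
        return []
    return [(name, {rule: value == "true" for rule, value in RULE_RE.findall(rules)})
            for name, rules in HIS_BLOCK_RE.findall(his)]


def unknown_blocks(line, configured):
    """Blocks the node evaluated that are absent from the settings file being compared."""
    return [name for name, _ in history(line) if name not in configured]


if __name__ == "__main__":
    # Block names taken from the readonlyrest.yml posted at the top of the thread.
    in_file = {"::admin::", "::LOGSTASH::", "::KIBANA-SRV::", "Technology"}
    print(redact(SAMPLE))
    print(unknown_blocks(SAMPLE, in_file))
```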
Hi @sscarduzio
Finally we got success.
We are able to log in with our LDAP.
Now our main focus is on index authorisation.
Simone, thanks for your support.