I am trying to send data from Metricbeat to Elasticsearch (both on 7.10.2), and we are using ROR for authentication via LDAP for Kibana.
I am seeing the error below in the Elasticsearch logs. I have already added a block to allow indices from Metricbeat; however, it seems to pick up logstash as the user, which seems odd to me.
Errors at metricbeat
metricbeat test output
elasticsearch: http://x.x.x.x:9200…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: x.x.x.x
dial up… OK
TLS… WARN secure connection disabled
talk to server… ERROR 401 Unauthorized: {"error":{"root_cause":[{"reason":"Sorry, Forbidden Request by Elasticsearch. Please contact Infra team.","due_to":["OPERATION_NOT_ALLOWED"]}],"reason":"Sorry, Forbidden Request by Elasticsearch. Please contact Infra team.","due_to":["OPERATION_NOT_ALLOWED"],"status":401}}
Readonly rest plugin at ELS config
readonlyrest:
  enable: true
  prompt_for_basic_auth: true
  response_if_req_forbidden: Sorry, Forbidden Request by Elasticsearch. Please contact Infra team.
HIS:[::KIBANA-SRV::-> RULES:[auth_key->false]], [::BD::-> RULES:[auth_key->false]], [Accept requests from users with valid LDAP credentials for Infra-> RULES:[ldap_authentication->false]], [Accept requests from users with valid LDAP credentials for NW team-> RULES:[ldap_authentication->false]],
It can be used to figure out what rule in the given block failed to match. E.g.:
block “::KIBANA-SRV::” - the first failed rule: “auth_key”
block “::BD::” - the first failed rule: “auth_key”
block “Accept requests from users with valid LDAP credentials for Infra” - the first failed rule: “ldap_authentication”
etc
The config you’ve shown us contains only one block, “::METRICBEAT::”. As you can see, the FORBIDDEN log doesn’t contain it, so it means you’ve shown us:
the wrong config
the wrong log
BTW: when you’re struggling to solve a problem with the LDAP connector, it’s a good idea to enable debug logs.
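The reading of the history field described in this reply, as an added example that is not part of the original thread and is not ReadonlyREST's own code: it extracts the first failed rule per block and reports block names that never appear in the history. It assumes each entry has the `[name-> RULES:[rule->true|false, ...]]` shape seen in the fragment quoted above; the function names are illustrative.

```python
import re

# Assumed entry shape, taken from the fragment quoted in this thread:
#   [<block name>-> RULES:[<rule>->true|false, ...]]
ENTRY = re.compile(r"\[(?P<block>[^\[\]]+?)->\s*RULES:\[(?P<rules>[^\]]*)\]")
RULE = re.compile(r"(?P<name>[\w.]+)->(?P<matched>true|false)")

# History fragment as quoted in the thread (the start of the log line is not shown there).
SAMPLE = (
    "HIS:[::KIBANA-SRV::-> RULES:[auth_key->false]], "
    "[::BD::-> RULES:[auth_key->false]], "
    "[Accept requests from users with valid LDAP credentials for Infra"
    "-> RULES:[ldap_authentication->false]], "
    "[Accept requests from users with valid LDAP credentials for NW team"
    "-> RULES:[ldap_authentication->false]],"
)


def parse_history(log_line):
    """Return {block name: [(rule, matched), ...]} from the HIS: part of a log line."""
    start = log_line.find("HIS:")
    if start < 0:
        return {}
    history = {}
    for m in ENTRY.finditer(log_line, start + len("HIS:")):
        rules = [(r["name"], r["matched"] == "true") for r in RULE.finditer(m["rules"])]
        history[m["block"].strip()] = rules
    return history


def first_failed_rules(history):
    """Map each block to the first rule that did not match (None if every rule matched)."""
    return {block: next((name for name, ok in rules if not ok), None)
            for block, rules in history.items()}


def missing_blocks(history, expected):
    """Block names from the config you believe is loaded that the ACL never evaluated."""
    return [name for name in expected if name not in history]


if __name__ == "__main__":
    hist = parse_history(SAMPLE)
    for block, rule in first_failed_rules(hist).items():
        print(f'block "{block}" - the first failed rule: "{rule}"')
    # "::METRICBEAT::" is the block name from the config posted in the thread.
    for name in missing_blocks(hist, ["::METRICBEAT::"]):
        print(f'block "{name}" is not in the history: wrong config or wrong log')
```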
I enabled the debug as suggested. For some reason I am getting a different error now:
[2021-12-02T00:18:24,337][ERROR][t.b.r.e.IndexLevelActionFilter] [xxx] [1816468947-993770274#42114] Cannot handle the / request because ReadonlyREST failed to start
[2021-12-02T00:18:24,338][DEBUG][r.suppressed ] [xxx] path: /, params: {}
tech.beshu.ror.es.handler.response.ForbiddenResponse: forbidden
at tech.beshu.ror.es.handler.response.ForbiddenResponse$.createRorStartingFailureResponse(ForbiddenResponse.scala:69) ~[readonlyrest-1.36.0_es7.10.2.jar:?]
at tech.beshu.ror.es.IndexLevelActionFilter.proceedByRorEngine(IndexLevelActionFilter.scala:129) [readonlyrest-1.36.0_es7.10.2.jar:?]
at tech.beshu.ror.es.IndexLevelActionFilter.$anonfun$apply$1(IndexLevelActionFilter.scala:107) [readonlyrest-1.36.0_es7.10.2.jar:?]
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23) [scala-library-2.12.10.jar:?]
at tech.beshu.ror.utils.AccessControllerHelper$$anon$1.run(AccessControllerHelper.scala:25) [core-1.36.0.jar:?]
at java.security.AccessController.doPrivileged(AccessController.java:312) [?:?]
at tech.beshu.ror.utils.AccessControllerHelper$.doPrivileged(AccessControllerHelper.scala:24) [core-1.36.0.jar:?]
at tech.beshu.ror.es.IndexLevelActionFilter.apply(IndexLevelActionFilter.scala:93) [readonlyrest-1.36.0_es7.10.2.jar:?]
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:177) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:155) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:83) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:86) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:75) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:412) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.rest.action.RestMainAction.lambda$prepareRequest$0(RestMainAction.java:57) [elasticsearch-7.10.2.jar:7.10.2]
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:115) [elasticsearch-7.10.2.jar:7.10.2]
at tech.beshu.ror.es.ReadonlyRestPlugin.$anonfun$getRestHandlerWrapper$2(ReadonlyRestPlugin.scala:239) [readonlyrest-1.36.0_es7.10.2.jar:?]
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:258) [elasticsearch-7.10.2.jar:7.10.2]
:
I have tried upgrading the ROR from 129 to 1.36 (no luck). Any suggestion if more debugging can be enabled, or any further steps?