Hi @sscarduzio,
thank you for prompt answer. Now I understand what means in ES logs
[2017-07-27T15:34:22,115][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:22,136][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:24,651][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:27,157][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:29,665][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:32,170][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
[2017-07-27T15:34:34,677][DEBUG][o.e.p.r.e.IndexLevelActionFilter] Sending login prompt header...
but despite this information my broswer is not providing me any form for credentials. I tried Chrome/Firefox and I’m only getting:
elasticsearch.yml:
readonlyrest:
response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
access_control_rules:
- name: "::KIBANA-SRV::"
auth_key: kibana:kibana
verbosity: error # don't log successful request
- name: "::RW DEVELOPER::"
auth_key: rw:dev
kibana_access: rw
indices: [".kibana", "test-index"]
- name: "::RO DEVELOPER::"
auth_key: ro:dev
kibana_access: ro
indices: [".kibana", "test-index"]
From access.log for last configuration snippet:
[2017-07-27T15:57:44,725][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::KIBANA-SRV::: { name: '::KIBANA-SRV::', policy: ALLOW}
[2017-07-27T15:57:44,730][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::RW DEVELOPER::: { name: '::RW DEVELOPER::', policy: ALLOW}
[2017-07-27T15:57:44,730][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ADDING BLOCK #::RO DEVELOPER::: { name: '::RO DEVELOPER::', policy: ALLOW}
[2017-07-27T15:57:50,055][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1277933222-1228468339#45, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:50,082][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:395863061-1533855167#46, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:52,600][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:153869043-857795423#47, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:55,108][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1246488878-1151800961#48, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:57:57,619][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1543619361-1549440546#49, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]] }
[2017-07-27T15:58:00,124][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:444662998-1594971073#50, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RO DEVELOPER::->[auth_key->false]], [::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]] }
[2017-07-27T15:58:02,631][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:202899784-1232816243#51, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[::RW DEVELOPER::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO DEVELOPER::->[auth_key->false]] }
and I’m getting same Kibana error for:
readonlyrest:
access_control_rules:
- name: Accept all requests from localhost
hosts: [127.0.0.1]
indices: ['test-index']
kibana_access: ro
From access.log for last configuration snippet:
[2017-07-27T15:54:00,523][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1894387269-584635291#152, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
[2017-07-27T15:54:03,030][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1620757851-1186387428#153, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,033][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1226123047-1772978278#154, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,037][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:97632477-865543465#156, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local?filter_path=nodes.*.settings.tribe, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:03,043][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1444136519-912261053#158, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
[2017-07-27T15:54:05,548][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1443450914-1565898006#159, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,552][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:1351360711-409335151#160, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,562][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] ALLOWED by '{ block=Accept all requests from localhost, match=true }' req={ ID:248106802-1377562046#162, TYP:NodesInfoRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local?filter_path=nodes.*.settings.tribe, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->true, hosts->true]] }
[2017-07-27T15:54:05,569][INFO ][org.elasticsearch.plugin.readonlyrest.acl.ACL] FORBIDDEN by default req={ ID:1163130799-1961389530#164, TYP:MultiGetRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/mget, OA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/_mget, CNT:{"docs":[{"_index":".kibana","_type":"config","_id":"5.5.0"}]}, HDR:{Connection=keep-alive, Content-Length=62, content-type=application/json, Host=localhost:9200}, HIS:[Accept all requests from localhost->[kibana_access->true, indices->false, hosts->true]] }
Thanks for review