No identity metadata found

dscott98 · July 16, 2018, 6:32am

Looking to implement RoR on my production ELK stack, currently testing with Docker…

When logging into Kibana I get an error message stating “Logged in, but no identity metadata could be found”

I’m not seeing any errors in my elasticsearch logs, SSL appears to be properly enabled. If I enter incorrect credentials, it also appears to log me in, and give me the same error message.

I’m using 6.3.0 of elasticsearch, kibana, and logstash. I have tried with both OSS and non-OSS releases, with the same results.

curl attempts appear to be bypassing authentication as well, as incorrect or no credentials still return results.

---- readonlyrest.yml ----

readonlyrest:
  enabled: true
  prompt_for_basic_auth: false
  audit_collector: true

  ssl:
    enable: true
    keystore_file: "keystore.jks"
    keystore_pass: Password1
    key_pass: Password1
    key_alias: site_company_com

    #optional
    response_if_req_forbidden: Sorry, your request is forbidden.

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*","systemlogs-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: "::RO::"
      auth_key: ro:dev
      kibana_access: ro
      indices: [ ".kibana", ".kibana-devnull", "logstash-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::RW::"
      auth_key: rw:dev
      kibana_access: rw
      indices: [".kibana", ".kibana-devnull", "logstash-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]


    - name: "::ADMIN::"
      auth_key: admin:dev
      # KIBANA ADMIN ACCESS NEEDED TO EDIT SECURITY SETTINGS IN ROR KIBANA APP!
      kibana_access: admin

    - name: "::WEBSITE SEARCH BOX::"
      indices: ["public"]
      actions: ["indices:data/read/*"]

---- elasticsearch logs ----

elasticsearch_1 | OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
elasticsearch_1 | [2018-07-16T06:20:07,458][INFO ][o.e.n.Node ] initializing …
elasticsearch_1 | [2018-07-16T06:20:07,984][INFO ][o.e.e.NodeEnvironment ] [4vy57II] using [1] data paths, mounts [[/data/elasticsearch (osxfs)]], net usable_space [751.3gb], net total_space [931.5gb], types [fuse.osxfs]
elasticsearch_1 | [2018-07-16T06:20:07,984][INFO ][o.e.e.NodeEnvironment ] [4vy57II] heap size [495.3mb], compressed ordinary object pointers [true]
elasticsearch_1 | [2018-07-16T06:20:07,989][INFO ][o.e.n.Node ] [4vy57II] node name derived from node ID [4vy57IIeRC-4_4kqo8-SGw]; set [node.name] to override
elasticsearch_1 | [2018-07-16T06:20:07,990][INFO ][o.e.n.Node ] [4vy57II] version[6.3.0], pid[1], build[oss/tar/424e937/2018-06-11T23:38:03.357887Z], OS[Linux/4.9.93-linuxkit-aufs/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/10.0.1/10.0.1+10]
elasticsearch_1 | [2018-07-16T06:20:07,990][INFO ][o.e.n.Node ] [4vy57II] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch.tYlrZOsv, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -Des.cgroups.hierarchy.override=/, -Xmx512m, -Xms512m, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/usr/share/elasticsearch/config, -Des.distribution.flavor=oss, -Des.distribution.type=tar]
elasticsearch_1 | [2018-07-16T06:20:10,165][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [aggs-matrix-stats]
elasticsearch_1 | [2018-07-16T06:20:10,165][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [analysis-common]
elasticsearch_1 | [2018-07-16T06:20:10,168][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [ingest-common]
elasticsearch_1 | [2018-07-16T06:20:10,170][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [lang-expression]
elasticsearch_1 | [2018-07-16T06:20:10,172][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [lang-mustache]
elasticsearch_1 | [2018-07-16T06:20:10,172][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [lang-painless]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [mapper-extras]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [parent-join]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [percolator]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [rank-eval]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [reindex]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [repository-url]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [transport-netty4]
elasticsearch_1 | [2018-07-16T06:20:10,174][INFO ][o.e.p.PluginsService ] [4vy57II] loaded module [tribe]
elasticsearch_1 | [2018-07-16T06:20:10,182][INFO ][o.e.p.PluginsService ] [4vy57II] loaded plugin [ingest-geoip]
elasticsearch_1 | [2018-07-16T06:20:10,182][INFO ][o.e.p.PluginsService ] [4vy57II] loaded plugin [ingest-user-agent]
elasticsearch_1 | [2018-07-16T06:20:10,185][INFO ][o.e.p.PluginsService ] [4vy57II] loaded plugin [readonlyrest]
elasticsearch_1 | [2018-07-16T06:20:14,103][INFO ][t.b.r.e.IndexLevelActionFilter] [4vy57II] Settings observer refreshing…
elasticsearch_1 | [2018-07-16T06:20:14,118][INFO ][t.b.r.e.IndexLevelActionFilter] [4vy57II] Configuration reloaded - ReadonlyREST disabled
elasticsearch_1 | [2018-07-16T06:20:14,122][INFO ][t.b.r.e.IndexLevelActionFilter] [4vy57II] Readonly REST plugin was loaded…
elasticsearch_1 | [2018-07-16T06:20:14,444][INFO ][t.b.r.e.SSLTransportNetty4] creating SSL transport
elasticsearch_1 | [2018-07-16T06:20:14,447][INFO ][o.e.d.DiscoveryModule ] [4vy57II] using discovery type [single-node]
elasticsearch_1 | [2018-07-16T06:20:15,193][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready…
elasticsearch_1 | [2018-07-16T06:20:15,595][INFO ][o.e.n.Node ] [4vy57II] initialized
elasticsearch_1 | [2018-07-16T06:20:15,596][INFO ][o.e.n.Node ] [4vy57II] starting …
elasticsearch_1 | [2018-07-16T06:20:15,907][INFO ][o.e.t.TransportService ] [4vy57II] publish_address {172.21.0.2:9300}, bound_addresses {0.0.0.0:9300}
elasticsearch_1 | [2018-07-16T06:20:16,264][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready…
elasticsearch_1 | [2018-07-16T06:20:16,340][INFO ][o.e.g.GatewayService ] [4vy57II] recovered [0] indices into cluster_state
elasticsearch_1 | [2018-07-16T06:20:16,357][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: attempting with JKS keystore…
elasticsearch_1 | [2018-07-16T06:20:16,394][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered key from JKS
elasticsearch_1 | [2018-07-16T06:20:16,399][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered cert chain from JKS
elasticsearch_1 | [2018-07-16T06:20:16,567][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Using SSL provider: JDK
elasticsearch_1 | [2018-07-16T06:20:16,831][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
elasticsearch_1 | [2018-07-16T06:20:16,832][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available SSL protocols: TLSv1,TLSv1.1,TLSv1.2
elasticsearch_1 | [2018-07-16T06:20:16,941][INFO ][t.b.r.e.SSLTransportNetty4] [4vy57II] publish_address {172.21.0.2:9200}, bound_addresses {0.0.0.0:9200}
elasticsearch_1 | [2018-07-16T06:20:16,950][INFO ][o.e.n.Node ] [4vy57II] started
elasticsearch_1 | [2018-07-16T06:20:17,270][INFO ][t.b.r.e.SettingsObservableImpl] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file. Learn more about clusterwide settings at Pro - ReadonlyREST
elasticsearch_1 | [2018-07-16T06:20:39,193][WARN ][o.e.d.a.a.i.t.p.PutIndexTemplateRequest] Deprecated field [template] used, replaced by [index_patterns]
elasticsearch_1 | [2018-07-16T06:20:39,361][WARN ][o.e.d.i.m.MapperService ] [default] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type
elasticsearch_1 | [2018-07-16T06:20:39,366][INFO ][o.e.c.m.MetaDataIndexTemplateService] [4vy57II] adding template [logstash] for index patterns [logstash-*]

sscarduzio · July 16, 2018, 8:48am

You indented all the ACL stuff under the ssl block, the “access_control_rules” object should be child of “readonlyrest” instead.

Which makes me think that if we don’t detect “readonlyrest.access_control_rules” ROR should crash with a clearer error message.

dscott98 · July 16, 2018, 5:17pm

Thanks Simone. Stupid over-site on my part.

sscarduzio · July 17, 2018, 9:53am

No worries, kinda helped on this side too, with adding the error message.