Permission denied for Kibana admin account

Well, I just found an interesting thing: I noticed a bunch of auth rules in the log output that shouldn't still be there, early-on stuff like a test account and such. Using the "readonlyrest_kbn" app in the Kibana GUI I see exactly what I expect: the current contents of the /etc/elasticsearch/bbdevqa/readonlyrest.yml file (I had recently clicked "Load Default" and "Save" to reload the contents of the YAML file).

However, if I extracted the JSON-encoded contents of the .readonlyrest index:

curl -sk https://localhost:9200/.readonlyrest/_search | jq '.hits.hits[0]._source.settings'

What I got is similar but not the same. In fact, several old accounts are listed in the output I extracted from the .readonlyrest index. Stuff that had been configured and was then removed was still in the index, such as this:

    - name: "readonly test"
      auth_key: ro:pass
      kibana_access: ro
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management", "monitoring", "apm"]
...

That account hasn’t been part of the YAML file for a while.

I was told that I could update the config in the index with the following command:

curl -ks -X POST https://localhost:9200/_readonlyrest/admin/config -H 'Content-Type: application/json' -d '{JSON-encoded config file}'

which I have done, but all those old entries are still in there.

I think I now understand why the password auth isn’t working for the admin account, as this is what I extracted from the .readonlyrest index:

...
  access_control_rules:
    - name: "local admin"
      type: allow
      auth_key: "admin:derp"
      kibana_access: admin
...

That password does not match what I’ve subsequently set in the readonlyrest.yml file.

So, now I’m going to delete the .readonlyrest index completely and see if that helps solve the problem.

Is there another way to actually update the index config and have it only remember what it gets from the YAML config?
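A check that goes with the post above, added here as an example and not code from the original post or from the ReadonlyREST project: pull the `settings` string out of a `.readonlyrest` `_search` response (the same path the `jq` filter above uses), do the same for the YAML file on disk, and list every access-control rule whose name or `auth_key` is present in the index copy but missing from or different in the file. Those are exactly the stale accounts and old passwords the poster found still being honoured. The search response and the on-disk YAML below are constructed samples; the "admin:rotated-example" password and the "kibana server" rule are assumptions for the sake of the comparison, and the rule parser is a minimal line-based one that assumes flat ROR rule blocks rather than a full YAML parser.

```python
"""Diff the access rules stored in the .readonlyrest index against readonlyrest.yml.

Reports rules (name -> auth_key) that the index still carries but the file no
longer does, i.e. removed accounts and changed passwords that remain live if
the index copy is the one being enforced.
"""
import json
import re

# Constructed sample: what `GET .readonlyrest/_search` might return, trimmed to
# the fields this script reads. The "admin:derp" and "ro:pass" entries are the
# stale ones from the post; "kibana server" is an assumed extra rule.
INDEX_SEARCH_RESPONSE = json.dumps({
    "hits": {"hits": [{"_source": {"settings": """
readonlyrest:
  access_control_rules:
    - name: "kibana server"
      auth_key: kibana:kibana
      verbosity: error
    - name: "local admin"
      type: allow
      auth_key: "admin:derp"
      kibana_access: admin
    - name: "readonly test"
      auth_key: ro:pass
      kibana_access: ro
"""}}]}
})

# Constructed sample of the current readonlyrest.yml: test account removed,
# admin password rotated (the new value is an assumption for this example).
YAML_ON_DISK = """
readonlyrest:
  access_control_rules:
    - name: "kibana server"
      auth_key: kibana:kibana
      verbosity: error
    - name: "local admin"
      type: allow
      auth_key: "admin:rotated-example"
      kibana_access: admin
"""

NAME_RE = re.compile(r'^\s*-\s*name:\s*(.+?)\s*$')
AUTH_KEY_RE = re.compile(r'^\s*auth_key:\s*(.+?)\s*$')


def extract_settings(search_response_json: str) -> str:
    """Return the YAML text stored under hits.hits[0]._source.settings."""
    doc = json.loads(search_response_json)
    return doc["hits"]["hits"][0]["_source"]["settings"]


def parse_rules(yaml_text: str) -> dict:
    """Map rule name -> auth_key (None if the rule has no auth_key).

    Line-based: a rule starts at '- name:' and its auth_key is the next
    'auth_key:' line. Sufficient for flat ROR rule blocks (assumption).
    """
    rules = {}
    current = None
    for line in yaml_text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1).strip('"\'')
            rules[current] = None
            continue
        m = AUTH_KEY_RE.match(line)
        if m and current is not None:
            rules[current] = m.group(1).strip('"\'')
    return rules


def stale_rules(index_settings: str, file_settings: str) -> dict:
    """Rules in the index copy that the file lacks or defines differently."""
    in_index = parse_rules(index_settings)
    on_disk = parse_rules(file_settings)
    return {name: key for name, key in in_index.items()
            if name not in on_disk or on_disk[name] != key}


def mask(credential):
    """Hide the password half of a user:password auth_key for reporting."""
    if credential is None:
        return "<no auth_key>"
    user, _, _ = credential.partition(":")
    return f"{user}:****"


if __name__ == "__main__":
    stale = stale_rules(extract_settings(INDEX_SEARCH_RESPONSE), YAML_ON_DISK)
    for name, key in stale.items():
        print(f"stale in .readonlyrest index: {name!r} -> {mask(key)}")
```

On a live cluster you would feed `extract_settings` the body of the `curl ... /.readonlyrest/_search` call from the post and `parse_rules` the file contents; anything the script reports is a credential that still authenticates only because the index copy says so.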