Readonlyrest and cerebro

sdba2 · October 17, 2018, 12:02pm

with es 6.1.1 and ror 1.16.27 i’m trying to run cerebro 0.7.2

after entering http://server1:9200 i expect to get login fields (in new window user + password) and instead i get
“unexpected response status: [403]”
and i can find in the es logs “USR: [no basic auth header]”

(i also have old cerebro version (0.6.5) which has an “authenticate” option builtin at the main window. when i’m using that version to login to http://server1:9200 + user + password everything works fine. each user can see its own indices so i guess the readonlyrest configuration is ok)

maybe in case of missing user/pw the return error was 401 instead of 403 the login windows will be shown?

ld57 · October 18, 2018, 11:05am

Hi,

Cerebro is not able to transfer credential to Readonlyrest, (or whatever)
I also use cerebro, and that I recommend to you :

use cerebro for admin purpose right only
configure cerebro to use local authentication (not ldap , it does not work as expected)
create a block rule in RoR dedicated to admin activities in elasticsearch , with local credential (or ldap, RoR handle that)
configure cerebro to add know elasticsearch host, and indicate credential of the previous ligne.

this is in application.conf file ( for cerebro)
here an example of block

auth = {
  # Example of LDAP authentication
#  type: ldap
#    settings: {
#      url = "ldap://lxxxxxxx:389"
#      base-dn = "OU=xxxxx,OU=xxxxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxxxx"
#      method  = "simple"
#      user-domain = "xxx.xxx.xxx"
#    }
  # Example of simple username/password authentication

  type: basic
    settings: {
      username = "cerebro"
      password = "password"
    }
}

# A list of known hosts
hosts = [
  #{
  #  host = "http://some-authenticated-host:9200",
  #  auth = {
  #    username = "username"
  #    password = "secret-password"
  #  }
  #},
  {
#    host = "https://elasticurl:9200",
    host = "https://elasticurl:9200",
	auth = {
      username = "credential_of_your_RoR_block"
      password = "the_zoli_password"
    }
  }
]

sdba2 · October 21, 2018, 4:49am

thanks.

but if i will configure the file like you did, only one user (credential_of_your_RoR_block) will be able to use cerebro and that user will see all indices.

what i need is that different users will use the cerebero (and of course each user should see his own indices).
this is why i need cerebro to show the authentication window.

ld57 · October 21, 2018, 9:18am

Hi,

I understand your needs, but cerebro developper did not implemented a way to do this.

You can ask to lemenes to work on this, on his project.

Remember to do not use LDAP in cerebro for now.

Regards

Ld

sscarduzio · October 21, 2018, 3:40pm

tested Cerebro, I added to cerebro’s conf/application.conf:


# For accepting self signed SSL certificates
play.ws.ssl.loose.acceptAnyCertificate = true

hosts = [
  {
    host = "https://localhost:9200"
    name = "Secured Cluster Localhost"
  }
]

And in ES I experimentally added this extra block to my ACL in readonlyrest.yml:

  - name: 'cerebro'
    indices: '.k*'
    auth_key: 'c:c'

Started up ES and Cerebro, went to Cerebro web ui, and it just asked me for credentials. At this point I wrote “c” and “c” and I could only see my “.kibana” index.

This is sufficient to demonstrate that your use case where everyone connects to the same cerebro and given their credentials they will just see their indices is feasible. It’s just a matter of opening up some more actions for each uses, so cerebro can work.