Readonlyrest format for jwt authorization in elasticsearch

atangde18 · May 7, 2020, 11:27am

Hi, is this format correct for readonlyrest yml file, I am getting error 401, forbidden operation not allowed, also please suggest a way to access elasticsearch api using jwt token in postman

readonlyrest:
    access_control_rules:
    - name: "::KIBANA-SERVER"
      type: allow
      auth_key: kibana:kibana

    - name: User1 Access -- read only
      indices: ["metricbeat-7.6.0-2020.03.16-000001"]
      jwt_auth:
        name: "user1"
        roles: ["viewer"]
        
    - name: User2 Access -- read only
      indices: ["metricbeat-7.6.0-2020.03.16-000001"]
      jwt_auth:
        name: "user2"
        roles: ["writer"]
        
    jwt: 
    - name: user1
      signature_algo: HMAC 
      signature_key: "A22XIbz4NKBkka0ANWwwiJsTFeyQiFJdklRT70VieAdyk9khk1j9tc1Kg3XTSCHMWXYfb26R4pwkQRvUmdLgYWYbPiEN7VY4hWzUIbDlWZAhlkscG4Bx$"
      user_claim: email
      roles_claim: roles
      header_name: Authorization 

    jwt: 
    - name: user2
      signature_algo: HMAC 
      signature_key: "A22XIbz4NKBkka0ANWwwiJsTFeyQiFJdklRT70VieAdyk9khk1j9tc1Kg3XTSCHMWXYfb26R4pwkQRvUmdLgYWYbPiEN7VY4hWzUIbDlWZAhlkscG4Bx$"
      user_claim: email
      roles_claim: roles
      header_name: Authorization

sscarduzio · May 7, 2020, 3:29pm

can you please use the code formatting tool (the button that looks like this </>) ? It’s very difficult to read your YAML otherwise.

atangde18 · May 8, 2020, 7:22am

I have
{
“email”: “user1”,
“role”: “viewer”,
“exp”: 1616239022
}

this as payload to my json web token,

Is the format for readonlyrest correct for this particular payload?
What should I give in as “secret” in https://jwt.io/ website’s token generator? Is it “signature_key” value mentioned in above yaml or its base64 encoded value?
What can I give as bearer token while requesting api response from elasticsearch? Is it JWT token directly or its base64 encoded value?

sscarduzio · May 8, 2020, 10:00am

Your settings don’t even boot up Elasticsearch, you have twice the “jwt:” section.

Likely root cause: ElasticsearchException[Cannot parse file elasticsearch-7.6.2/config/readonlyrest.yml content. Cause: Duplicated key: 'jwt']

You should remove the whole jwt user2 block as it does not make sense to have it. The configuration is clearly the same as the jwt user1 above it.

The user1 and user2 should not be defined in two distinct jwt connectors. Instead, the usernames should be extracted by ReadonlyREST from the “email” claim in the JWT object as soon as it is decyphered and the signature verified.

So I used the following configuration:

readonlyrest:
  access_control_rules:
  - name: "::KIBANA-SERVER"
    type: allow
    auth_key: kibana:kibana

  - name: "JWT Access -- read only"
    indices: ["metricbeat-7.6.0-2020.03.16-000001"]
    jwt_auth:
      name: "jwt1_connector"
      roles: ["viewer"]        
      
  jwt: 
  - name: "jwt1_connector"
    signature_algo: "HMAC" 
    signature_key: "A22XIbz4NKBkka0ANWwwiJsTFeyQiFJdklRT70VieAdyk9khk1j9tc1Kg3XTSCHMWXYfb26R4pwkQRvUmdLgYWYbPiEN7VY4hWzUIbDlWZAhlkscG4Bx$"
    user_claim: "email"
    roles_claim: "roles"
    header_name: "Authorization"

And the following command worked:

curl -k "https://localhost:9200/_cat/indices" -H'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJlbWFpbCI6InVzZXIxIiwicm9sZXMiOlsidmlld2VyIl19.ZJ_DqDZeIk399Ufk2MlqE2i8OCo9AnyYAsfqAW4gefI'

Here is the link to the JWT I used: JSON Web Tokens - jwt.io

atangde18 · May 8, 2020, 12:52pm

Hi, @sscarduzio , thank you very much for your help, its working for me now…