ICIJ / datashare

A self-hosted search engine for documents.
https://datashare.icij.org
GNU Affero General Public License v3.0

bug: Elasticsearch authentication is not in effect #1282

Closed a3sroot closed 8 months ago

a3sroot commented 9 months ago

Datashare Versions with problems: 13.9.0

Old version: 13.8.1 (There is no problem.)

Elasticsearch authentication is not in effect.

config

      --mode SERVER
      --dataDir /home/datashare/Datashare    
      --busType REDIS
      --batchQueueType REDIS
      --dataSourceUrl jdbc:postgresql://postgresql/datashare?user=datashare\&password=password 
      --defaultProject secret-project
      --elasticsearchAddress http://elastic:xxxxx@10.xxxxxx:9200
      --messageBusAddress redis://redis:6379
      --queueType REDIS
      --redisAddress redis://redis:6379  
      --rootHost http://xxxxxx
      --sessionStoreType REDIS
      --sessionTtlSeconds 43200
      --tcpListenPort 8080
      --authFilter org.icij.datashare.session.BasicAuthAdaptorFilter
      --authUsersProvider org.icij.datashare.session.UsersInDb

log

2023-12-15 [main] INFO ElasticsearchConfiguration - using credentials from url (user=elastic)

Caused by: org.elasticsearch.client.ResponseException: method [POST], host [http://10.xxxxxx:9200], URI [/secret-project/_search?size=0&preference=tree-view-paths], status line [HTTP/1.1 401 Unauthorized]
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/secret-project/_search?size=0&preference=tree-view-paths]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/secret-project/_search?size=0&preference=tree-view-paths]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
        at org.elasticsearch.client.RestClient.convertResponse(RestClient.java:347)
        at org.elasticsearch.client.RestClient.performRequest(RestClient.java:313)
        at org.elasticsearch.client.RestClient.performRequest(RestClient.java:288)
        at org.icij.datashare.text.indexing.elasticsearch.ElasticsearchIndexer.executeRaw(ElasticsearchIndexer.java:172)
        at org.icij.datashare.web.IndexResource.esPost(IndexResource.java:83)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at net.codestory.http.routes.ReflectionRoute.invoke(ReflectionRoute.java:83)
        at net.codestory.http.routes.ReflectionRoute.lambda$body$0(ReflectionRoute.java:45)
        ... 26 common frames omitted

@mvanzalu

bamthomas commented 9 months ago

see #826

It should work with a properly configured ES server see https://stackoverflow.com/questions/64598209/access-control-in-elastic-missing-authentication-credentials-for-rest-request

You can test authentication first (with curl or other http client), then use the url like you did above.

a3sroot commented 9 months ago

> see #826
>
> It should work with a properly configured ES server see https://stackoverflow.com/questions/64598209/access-control-in-elastic-missing-authentication-credentials-for-rest-request
>
> You can test authentication first (with curl or other http client), then use the url like you did above.


Yes, that's how I configured it, and it was fine in the previous version.

mvanzalu commented 9 months ago

This is probably happening because we migrated the Elasticsearch Java Client from 7.10 to 7.17; nevertheless, I can't find any changes related to the authentication (and our tests aren't breaking). For now, what I can suggest is to disable xpack.security in your Elasticsearch configuration.

a3sroot commented 9 months ago

> This is probably happening because we migrated the Elasticsearch Java Client from 7.10 to 7.17; nevertheless, I can't find any changes related to the authentication (and our tests aren't breaking). For now, what I can suggest is to disable xpack.security in your Elasticsearch configuration.

:< I don't want to be without a password. Can we split the account password from the URL? This would also make it easier for us to configure the es cluster

I thought it was strange too, but the fact is that after the upgrade, the account password didn't take effect, and I also tried using tcpdump to get traffic to confirm this.
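An added example, not part of the thread and not Datashare code: a local version of the two checks discussed above, testing authentication with an HTTP client and confirming whether an `Authorization` header is sent at all (what the tcpdump capture looked at). The stub server, the password and all function names are constructed for illustration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit
seen_headers = []  # Authorization value (or None) of every request the stub received
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class StubES(BaseHTTPRequestHandler):
    """Constructed stand-in for a secured node: answers 401 unless Basic auth is sent."""
    def do_GET(self):
        auth = self.headers.get("Authorization")
        seen_headers.append(auth)
        self.send_response(200 if auth else 401)
        if not auth:
            self.send_header("WWW-Authenticate", 'Basic realm="security" charset="UTF-8"')
        self.end_headers()
    def log_message(self, *args): pass  # silence per-request logging

def split_credentials(address):
    """Split http://user:pass@host:port into (bare_url, Authorization value or None)."""
    parts = urlsplit(address)
    bare = f"{parts.scheme}://{parts.netloc.rpartition('@')[2]}"
    if parts.username is None:
        return bare, None
    pair = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return bare, "Basic " + base64.b64encode(pair.encode()).decode()

def probe(address, send_credentials=True):  # returns the HTTP status of GET /
    bare, header = split_credentials(address)
    req = urllib.request.Request(bare + "/")
    if send_credentials and header:
        req.add_header("Authorization", header)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():  # probe a stub on a free local port, with and without credentials
    server = HTTPServer(("127.0.0.1", 0), StubES)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    address = f"http://elastic:constructed-pw@127.0.0.1:{server.server_port}"
    statuses = probe(address, True), probe(address, False)
    server.shutdown()
    return statuses

if __name__ == "__main__":
    print(run_demo())
```

A 200 with the header and a 401 without it means the server accepts the credentials, so a 401 seen by the application points at the client not sending them rather than at a wrong password.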

mvanzalu commented 9 months ago

Do you have this error right away when you launch DS?

a3sroot commented 9 months ago

> Do you have this error right away when you launch DS?

Not that I know of, but the issue occurs when searching for data.

a3sroot commented 8 months ago

@mvanzalu pls, help me see what's going on.

mvanzalu commented 8 months ago

I may have found the root cause, working on it.

mvanzalu commented 8 months ago

@a3sroot we released a fix, it should be fine now