Open tumeteor opened 10 years ago
Could you give me steps (e.g. curl commands) to reproduce it?
Yes, we put this constraint on the auth index:
curl -XPOST 'localhost:9200/security/constraint/' -d "{ \"authenticator\" : \"index\", \"paths\" : [\"/auth\"], \"methods\" : [\"get\", \"post\"], \"roles\" : [\"admin\"] }"
But then we got permission denied for any auth access, even when we log in with the 'admin' role.
I wonder what the general procedure is to protect the authentication index? It clearly is not desirable to allow users to access the index, so is the procedure described above the way to go?
Hi, we tried to put a secondary security level on top of this plugin; more specifically, we put access constraints on the auth and security indexes, so that we can make sure no normal user can touch the security part. However, now we get permission denied for all write access. Maybe it's the default that the auth and security indexes are protected from the 'user' role, and we did a redundant thing that we shouldn't have?
Thanks,