elasticfence / elasticsearch-http-user-auth

HTTP Basic Authentication and IP ACL plugin for Elasticsearch :key: (UNMAINTAINED)
http://qxip.net

Auth is not working on production after installing elasticsearch-http-user-auth #69

Closed santhoshdevadiga closed 7 years ago

santhoshdevadiga commented 7 years ago

Hi, I am able to access Elasticsearch without a credential on production; the same thing I tried on Dev/stage instances worked fine there.

On Dev

Elasticsearch v 5.1.2
Elasticsearch-http-user-auth v5.1.2
java version "1.8.0_45"

curl http://localhost:9200/_cluster/health?pretty
Needs Basic Auth

curl -u root:root http://localhost:9200/_cluster/health?pretty
Success

On Production

Elasticsearch v 5.1.2
Elasticsearch-http-user-auth v5.1.2
java version "1.8.0_111"

curl http://localhost:9200/_cluster/health?pretty
Success
Failure: I am able to access without a credential; actually it should not.

curl -u root:root http://localhost:9200/_cluster/health?pretty
Success

Can you help me to solve this problem? Did I miss any configuration?

lmangani commented 7 years ago

Are you positive the plugin is initialized? Where are you performing the curl request from? Did you check the ES logs for plugin-related output?

santhoshdevadiga commented 7 years ago

From the same server where I installed ES, accessing from a different UNIX user on the same box.

lmangani commented 7 years ago

Did you whitelist localhost or 127.0.0.1 by any chance?

santhoshdevadiga commented 7 years ago

Ya, I whitelisted localhost and 127.0.0.1.

elasticfence.whitelist: ["127.0.0.1", "localhost"]

lmangani commented 7 years ago

That's why you're receiving no challenges. Try from a different host, or remove the whitelist entry.

santhoshdevadiga commented 7 years ago

Removed the IPs (["127.0.0.1", "localhost"]) from Elasticsearch and restarted; I am still able to access without a credential. I am not exposing the Elasticsearch API outside (started as a localhost). For localhost, I want to add auth, as I did on dev/stage instances.

lmangani commented 7 years ago

Please check the Elasticsearch logs on access and paste the rows related to our plugin.

santhoshdevadiga commented 7 years ago

Ok. This is log es_log

santhoshdevadiga commented 7 years ago

@lmangani, I think the plugin is installed because I am able to create/update the user and give access to the index using the auth API, but without a credential. Ex:

curl "http://localhost:9200/_httpuserauth?mode=adduser&username=test&password=test123"
curl "http://localhost:9200/_httpuserauth?mode=list"

lmangani commented 7 years ago

If you completely removed the whitelist block from the config, authentication should be enforced. What if you use 127.0.0.1 for the query instead? Same results?

santhoshdevadiga commented 7 years ago

Same thing, after using 127.0.0.1.

curl http://127.0.0.1:9200/_cluster/health?pretty

lmangani commented 7 years ago

Please provide the elasticfence configuration block (mask any sensitive fields if needed, as this is public).

santhoshdevadiga commented 7 years ago

The same thing I tried on dev/stage instances is working there without removing the whitelist block.

elasticsearch.yml

cluster.name: APP
node.name: node1

network.host: [server_1_ip, local]
discovery.zen.ping.unicast.hosts: [server_1_ip, server_2_ip]

elasticfence.disabled: false
elasticfence.root.password: root
elasticfence.whitelist: ["127.0.0.1", "localhost"]

lmangani commented 7 years ago

You are whitelisting, so the behaviour is correct:

elasticfence.whitelist: ["127.0.0.1", "localhost"]

santhoshdevadiga commented 7 years ago

But I am not able to access ES without a credential on dev/stage instances after adding whitelist configuration.

santhoshdevadiga commented 7 years ago

Attached snapshot.

es

elasticsearch.yml es1

lmangani commented 7 years ago

localhost resolution might be the difference, but really the issue is rather on the dev server not requesting it. Either way, you need to disable the whitelist for authentication to be enforced in production if you plan on having queries generated from/to localhost/127.0.0.1.

santhoshdevadiga commented 7 years ago

You mean, I should disable whitelist (remove or comment) config on production?

lmangani commented 7 years ago

Correct, you should let your clients authenticate as intended.
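The whitelist behaviour the maintainer describes above (listed hosts receive no auth challenge) can be checked before deployment with a small config lint. This is an added example, not part of the thread or the plugin's code; the function names are hypothetical, and it assumes the single-line list form of `elasticfence.whitelist` shown in the thread.

```python
import ipaddress
import re

# Constructed sample mirroring the production config quoted in the thread.
SAMPLE_CONFIG = """\
cluster.name: APP
node.name: node1
elasticfence.disabled: false
elasticfence.root.password: root
elasticfence.whitelist: ["127.0.0.1", "localhost"]
"""

# Hostnames that commonly resolve to the loopback interface (assumption).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

WHITELIST_RE = re.compile(r"elasticfence\.whitelist\s*:\s*\[(.*)\]\s*$")


def whitelist_entries(config_text):
    """Return the active (uncommented) elasticfence.whitelist entries."""
    entries = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore commented-out settings
        match = WHITELIST_RE.match(line)
        if match:
            for item in match.group(1).split(","):
                item = item.strip().strip("\"'")
                if item:
                    entries.append(item)
    return entries


def is_loopback(entry):
    """True for loopback hostnames and for IPv4/IPv6 loopback addresses."""
    if entry.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(entry).is_loopback
    except ValueError:
        return False  # a non-loopback hostname such as server_1_ip


def loopback_bypass(config_text):
    """Whitelist entries that let local processes skip Basic Auth."""
    return [e for e in whitelist_entries(config_text) if is_loopback(e)]


if __name__ == "__main__":
    for entry in loopback_bypass(SAMPLE_CONFIG):
        print(f"whitelisted loopback entry, no auth challenge: {entry}")
```

On a box shared by several local users or application instances, any entry this reports means those local processes reach Elasticsearch unauthenticated.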

santhoshdevadiga commented 7 years ago

ok

santhoshdevadiga commented 7 years ago

Why I require auth for ES (localhost): because we have multiple instances on the same box with ES installed as well, so each instance should not have access to an index of other instances. I tried the same thing on my local and stage instances and it worked fine there, but in production it is failing.

santhoshdevadiga commented 7 years ago

Attached production Elasticsearch log. Is it useful to identify the issue?

production_es_log

santhoshdevadiga commented 7 years ago

@lmangani, any update on this?

santhoshdevadiga commented 7 years ago

@lmangani, one thing I identified about this: I checked this on all cloud instances (dev/stage/prod), which worked fine; I mean, without a credential I can't access ES.

curl http://localhost:9200/_cluster/health?pretty
Needs Basic Auth

On the physical machine, I am able to access ES without a credential.

curl http://localhost:9200/_cluster/health?pretty
JSON data

curl http://private_ip:9200/_cluster/health?pretty
Needs Basic Auth

Do we need to add any configuration to add auth to localhost using the plugin?

This is a critical issue which we are facing; due to this we are not able to enable the feature on production.

lmangani commented 7 years ago

Have you removed the whitelist completely?

santhoshdevadiga commented 7 years ago

Ya, I removed the whitelist configuration.

cluster.name: APP
node.name: node1
elasticfence.disabled: false
elasticfence.root.password: root

santhoshdevadiga commented 7 years ago

Do we need to update any configuration to make it work on localhost?