lmenezes / cerebro

MIT License
5.52k stars 715 forks

Error connecting to OpenSearch server with selective anonymous access permitted #556

Open jgough opened 2 years ago

jgough commented 2 years ago

I don't know if OpenSearch is officially supported by Cerebro but it seems to be 100% compatible. I am having an issue though when anonymous access is enabled. I suspect the same error below would also be present on Elasticsearch given the similarity.

To reproduce:

  1. Set up an OpenSearch cluster with anonymous access permitted where the anonymous user does not have full permissions
  2. Try to connect via Cerebro:

Result: Cerebro tries to connect anonymously without authentication and returns the error Unexpected response status: [403]. This is because the server can be accessed but the anonymous user is not allowed to monitor the health of the cluster - that requires a user with the correct permissions.

OpenSearch itself returns a 403 response to the request with the message no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]

In this situation I would expect cerebro to present me with a login to allow me to enter credentials for access, since the anonymous access didn't have sufficient permissions.

This seems to be because the code is not expecting a 403 response and will only treat a 401 as the situation to ask for credentials: https://github.com/lmenezes/cerebro/blob/main/public/js/app.js#L606

I've experimented with the source code and it seems that if I add case 403: here, it fixes this issue and presents me with the typical login screen.
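The 401-versus-403 handling described in this report, worked through as an added example. This is not code from Cerebro's app.js; it models the switch the report points at and goes one step further: a 403 is only turned into a login prompt when the security plugin's error message names the anonymous identity quoted above (opendistro_security_anonymous), so that a named user who genuinely lacks a permission gets an authorisation error rather than a login loop. The JSON shape of the error bodies below is constructed for the example; only the message text comes from the report.

```javascript
// Added example, not part of the Cerebro project. Classifies an OpenSearch /
// Elasticsearch HTTP response into the action a client UI should take.

// Identity the OpenSearch security plugin assigns to unauthenticated callers,
// as quoted in the 403 message in the issue above.
const ANONYMOUS_USERS = new Set(['opendistro_security_anonymous']);

// Constructed sample bodies. The reason string is the one quoted in the report;
// wrapping it in {error: {type, reason}, status} is an assumption about layout.
const SAMPLE_403_ANONYMOUS_BODY = JSON.stringify({
  error: {
    type: 'security_exception',
    reason: 'no permissions for [cluster:monitor/health] and User ' +
      '[name=opendistro_security_anonymous, ' +
      'backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]',
  },
  status: 403,
});
const SAMPLE_403_NAMED_USER_BODY = JSON.stringify({
  error: {
    type: 'security_exception',
    reason: 'no permissions for [indices:monitor/stats] and User ' +
      '[name=readonly_user, backend_roles=[], requestedTenant=null]',
  },
  status: 403,
});

// Pull the denied action and the acting user out of the security plugin's
// "no permissions for [...] and User [name=...]" message. Falls back to the
// raw text when the body is not JSON.
function parseSecurityException(bodyText) {
  let reason = '';
  try {
    const parsed = JSON.parse(bodyText);
    reason = (parsed && parsed.error && parsed.error.reason) || '';
  } catch (e) {
    reason = String(bodyText || '');
  }
  const action = /no permissions for \[([^\]]+)\]/.exec(reason);
  const user = /User \[name=([^,\]]+)/.exec(reason);
  return {
    action: action ? action[1] : null,
    user: user ? user[1] : null,
  };
}

// Map a status/body pair to one of: 'ok', 'login', 'forbidden', 'error'.
// 'login' means "show the credentials dialog", which is what the report
// expects for the anonymous 403 case.
function classifyResponse(status, bodyText) {
  if (status >= 200 && status < 300) return 'ok';
  switch (status) {
    case 401:
      // Server explicitly challenged for credentials: always prompt.
      return 'login';
    case 403: {
      // Cerebro originally treated this as a generic failure. Prompt only when
      // the server says the anonymous identity was denied; a named user who is
      // denied needs a permission change, not another password dialog.
      const { user } = parseSecurityException(bodyText);
      return user !== null && ANONYMOUS_USERS.has(user) ? 'login' : 'forbidden';
    }
    default:
      return 'error';
  }
}

// Usage with the constructed samples.
console.log(classifyResponse(403, SAMPLE_403_ANONYMOUS_BODY));   // login
console.log(classifyResponse(403, SAMPLE_403_NAMED_USER_BODY));  // forbidden
console.log(classifyResponse(401, ''));                          // login
```

Distinguishing the two 403 cases by the user named in the error is what keeps the fix from masking real permission problems: with a plain `case 403:` added next to `case 401:`, the readonly_user sample above would also produce a login prompt even though no credentials will ever satisfy it.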

jgough commented 2 years ago

Looks like the 403 response is probably a bug in OpenSearch and it should be returning a 401. I have filed an issue here https://github.com/opensearch-project/security/issues/1825

jonkerw85 commented 2 years ago

@jgough This might not apply to you. But I'm running OpenSearch with an Nginx proxy in front of it. Nginx is configured with basic auth. This works flawlessly.

jgough commented 2 years ago

@wjonkerhulst I believe this is specifically related to the anonymous auth (setting anonymous_auth_enabled: true) so may not actually be a bug in Cerebro. Without anonymous auth enabled it works 100%.

bkimbrough88 commented 2 years ago

I don't know about anonymous auth, but I found this error when I connected cerebro up to my OpenSearch cluster. I can view the nodes, but the overview page simply won't load:

{
  "error": "Failure for [_stats/docs,store?ignore_unavailable=true]"
}

Note I'm currently running OpenSearch 1.3.2 and connected to the cluster using my admin user and password with basic auth.

jgough commented 2 years ago

@bkimbrough88 That issue seems unrelated to this issue which is specifically around the HTTP response code 403 when anonymous_auth_enable is set to true. I have no issues with OpenSearch 1.3.2 and Cerebro when this is not set and can open the Overview page with no problem.

As an aside, try making a curl request to your database and check that the user you are using to log in has permission to access it, e.g. curl -u "username:password" http://myserver/_stats/docs,store?ignore_unavailable=true. If you get an error with a security exception then you may need to check the permissions of the user you are using.