petalmd / armor

Apache License 2.0

ElasticsearchException[Security configuration cannot be loaded for unknown reasons #21

Open vkhazin opened 7 years ago

vkhazin commented 7 years ago

curl -v http://app.user:***@localhost:9200/_search?pretty=true

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /_search?pretty=true HTTP/1.1
> Authorization: Basic YXBwLnVzZXI6Um9nZXJzMTIz
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Content-Length: 480
< 
{
  "error" : {
    "root_cause" : [ {
      "type" : "runtime_exception",
      "reason" : "ElasticsearchException[Security configuration cannot be loaded for unknown reasons]"
    } ],
    "type" : "runtime_exception",
    "reason" : "ElasticsearchException[Security configuration cannot be loaded for unknown reasons]",
    "caused_by" : {
      "type" : "exception",
      "reason" : "Security configuration cannot be loaded for unknown reasons"
    }
  },
  "status" : 500
}

elasticsearch.yml configurations

# Armor
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator

# Users
armor.authentication.settingsdb.digest: SHA256
armor.authentication.settingsdb.user.app.user: 94aa520b351f5df1abcd3195bf9f06888475e143a4ef20922c4cabe445e66719

# Roles
armor.authentication.authorization.settingsdb.roles.app.user: ["admin"]

# Permissions
armor.restactionfilter.names: ["admin"]
armor.actionrequestfilter.admin.allowed_actions: ["*"]

There is no localhost:9200/ac index present at the time of testing; adding the default settings did not seem to have any impact:

curl -XPUT 'http://localhost:9200/armor/ac/ac' -d '{
    "acl": [
    {
        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
     },
     {
           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
               "admin"
           ],
           "filters_bypass": ["*"],
           "filters_execute": []
     }
     ]
}'

Root level request seems to succeed:

curl -v http://app.user:***@localhost:9200/?pretty=true
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /?pretty=true HTTP/1.1
> Authorization: Basic YXBwVXNlcjpSb2dlcnMxMjM=
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
< Content-Length: 366
< 
{
  "name" : "audit-log-dev-elasticsearch-host03",
  "cluster_name" : "audit-logs-dev-elasticsearch-cluster",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact

vkhazin commented 7 years ago

Debug log:

[2016-09-08 20:40:47,199][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Error while apply() due to ElasticsearchException[Security configuration cannot be loaded for unknown reasons] for action indices:data/read/search
ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
    at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
    at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
    at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.FLSActionFilter.applySecure(FLSActionFilter.java:96)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.DLSActionFilter.applySecure(DLSActionFilter.java:95)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.RequestActionFilter.applySecure(RequestActionFilter.java:72)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
    at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
    at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.support.AbstractClient.search(AbstractClient.java:582)
    at org.elasticsearch.rest.action.search.RestSearchAction.handleRequest(RestSearchAction.java:85)
    at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
    at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
    at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:279)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:260)
    at com.petalmd.armor.rest.RestActionFilter.processSecure(RestActionFilter.java:58)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:138)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at com.petalmd.armor.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:38)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:199)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
    at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
    at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
    at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
    at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
    at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

[2016-09-08 20:40:47,206][WARN ][rest.suppressed          ] /_search Params: {pretty=true}
java.lang.RuntimeException: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
    at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:98)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.FLSActionFilter.applySecure(FLSActionFilter.java:96)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.DLSActionFilter.applySecure(DLSActionFilter.java:95)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.RequestActionFilter.applySecure(RequestActionFilter.java:72)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
    at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
    at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.support.AbstractClient.search(AbstractClient.java:582)
    at org.elasticsearch.rest.action.search.RestSearchAction.handleRequest(RestSearchAction.java:85)
    at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
    at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
    at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:279)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:260)
    at com.petalmd.armor.rest.RestActionFilter.processSecure(RestActionFilter.java:58)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:138)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at com.petalmd.armor.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:38)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:199)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
    at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
    at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
    at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
    at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
    at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
    at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
    at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
    at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)
    ... 71 more

vkhazin commented 7 years ago

Populating /ac/ac data translates to another error:

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /_search?pretty=true HTTP/1.1
> Authorization: Basic YXBwLnVzZXI6Um9nZXJzMTIz
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json; charset=UTF-8
< Content-Length: 388
< 
{
  "error" : {
    "root_cause" : [ {
      "type" : "forbidden_exception",
      "reason" : "Attempt from null to _all indices for indices:data/read/search and User [name=app.user, roles=[admin]]"
    } ],
    "type" : "forbidden_exception",
    "reason" : "Attempt from null to _all indices for indices:data/read/search and User [name=app.user, roles=[admin]]"
  },
  "status" : 403
}
* Connection #0 to host localhost left intact

jehuty0shift commented 7 years ago

"_all" access (which you try to address by issuing only a _search request) is forbidden for any user (even admin in your case); you will have to specify a proper index to make it work. As for your configuration errors, they do indeed come from the fact that you didn't populate /armor/ac/ac before.

vkhazin commented 7 years ago

Something is odd, here is my /armor/ac/ac config:

{
    "acl": [
      {
          "__Comment__": "By default all filters are executed.",
          "filters_bypass": [],
          "filters_execute": [*]
       },
       {
             "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
             "roles": ["admins"],
             "filters_bypass": ["*"],
             "filters_execute": []
       }
     ]
}

Here is elasticsearch.yml (armor portion):

# Armor
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator

# Users
armor.authentication.settingsdb.digest: SHA256
armor.authentication.settingsdb.user.app-user: <deleted>
armor.authentication.settingsdb.user.kibana-user: <deleted>

# Roles
armor.authentication.authorization.settingsdb.roles.app-user: ["admins"]
armor.authentication.authorization.settingsdb.roles.kibana-user: ["kibana-users"]

# Permissions
armor.restactionfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]

Here is my request and response as admin:

curl app-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true

{
  "_index" : "audit-log-2016-08",
  "_type" : "audit-events",
  "_id" : "1",
  "_version" : 1,
  "found" : true,
  "_source" : {
    "dummy" : 1
  }
}

And here is my request and response as kibana-user:

curl kibana-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true

{
  "error" : {
    "root_cause" : [ {
      "type" : "forbidden_exception",
      "reason" : "Forbidden action RestGetAction . Allowed actions: []"
    } ],
    "type" : "forbidden_exception",
    "reason" : "Forbidden action RestGetAction . Allowed actions: []"
  },
  "status" : 403
}

I have tried the following armor/ac/ac configuration as well, with the same result:

{
    "acl": [
      {
          "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
          "filters_bypass": [],
          "filters_execute": [*]
       },
       {
             "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
             "roles": ["admins"],
             "filters_bypass": ["*"],
             "filters_execute": []
       },
       {
             "__Comment__": "For role kibana-users all filters are executed.",
             "roles": ["kibana-users"],
             "indices": ["audit-log-2016-08"],
             "filters_bypass": [],
             "filters_execute": ["*"]
       }
     ]
}

What am I missing in the configurations?

jehuty0shift commented 7 years ago

Hello @vkhazin, your configuration is malformed (I didn't check the documentation, but maybe it's misleading).

You declare two restactionfilter but instead configure two requestactionfilter. They are not equivalent. A Rest Action Filter allows someone to block a request that is made from REST, and a Request Action Filter blocks both a REST request and a Transport request. That's the one you want to use if you use it. Here is the configuration you want:

armor.actionrequestfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]  
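
A static check for the mismatch described in the comment above, as an added example that is not part of the original thread or of the Armor project: it flags filter names declared under one filter type while their rules sit under another. The key shapes `armor.<type>.names` and `armor.<type>.<name>.<setting>` are assumed from the settings shown on this page; the function names and the embedded config samples are constructed for illustration.

```python
import json

# Assumption: Armor filter settings follow the two key shapes seen in the thread,
#   armor.<filter type>.names             -> list of filter names
#   armor.<filter type>.<name>.<setting>  -> rules for one filter name
FILTER_TYPES = ("restactionfilter", "actionrequestfilter")

# Constructed sample: the "# Permissions" block from the issue, before the fix.
BROKEN = """
# Permissions
armor.restactionfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]
"""
# The same block with the declaration moved to the type that holds the rules.
FIXED = BROKEN.replace("armor.restactionfilter.names",
                       "armor.actionrequestfilter.names")


def parse_flat_settings(text):
    """Parse flat 'key: value' lines as used in the posted elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # values may contain ':' themselves
        if not sep:
            continue
        value = value.strip()
        try:
            settings[key.strip()] = json.loads(value)  # ["a", "b"] or "quoted"
        except ValueError:
            settings[key.strip()] = value  # bare scalar such as SHA256
    return settings


def find_filter_mismatches(settings):
    """Return sorted (filter_type, name, problem, seen_under) tuples."""
    declared = {t: set() for t in FILTER_TYPES}
    configured = {t: set() for t in FILTER_TYPES}
    for key, value in settings.items():
        for ftype in FILTER_TYPES:
            prefix = "armor.%s." % ftype
            if not key.startswith(prefix):
                continue
            rest = key[len(prefix):]
            if rest == "names":
                declared[ftype].update(value if isinstance(value, list) else [value])
            else:
                # rpartition keeps dotted names such as "app.user" intact
                name, _, _setting = rest.rpartition(".")
                if name:
                    configured[ftype].add(name)
    findings = []
    for ftype in FILTER_TYPES:
        others = [t for t in FILTER_TYPES if t != ftype]
        for name in declared[ftype] - configured[ftype]:
            seen = [t for t in others if name in configured[t]]
            findings.append((ftype, name, "declared-without-rules", seen))
        for name in configured[ftype] - declared[ftype]:
            seen = [t for t in others if name in declared[t]]
            findings.append((ftype, name, "rules-without-declaration", seen))
    return sorted(findings)


if __name__ == "__main__":
    for ftype, name, problem, seen in find_filter_mismatches(parse_flat_settings(BROKEN)):
        print("%s.%s: %s (counterpart under: %s)"
              % (ftype, name, problem, ", ".join(seen) or "none"))
    print("fixed config findings:", find_filter_mismatches(parse_flat_settings(FIXED)))
```

A `declared-without-rules` finding corresponds to the symptom in this thread, where the non-bypassed role was denied with `Allowed actions: []`.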

vkhazin commented 7 years ago

Hey @jehuty0shift,

Thank you for your comments! Indeed now I am able to execute:

curl kibana-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true

with the same results as for 'admin':

{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "audit-log-2016-08",
      "_type" : "audit-events",
      "_id" : "1",
      "_score" : 1.0,
      "_source" : {
        "dummy" : 1
      }
    } ]
  }
}

jmaitrehenry commented 7 years ago

I have an issue for upgrading the documentation: #3. If I understand correctly, @vkhazin, your problem is now solved? Can I close this issue?

Thanks!