Status: Open. vkhazin opened this issue 7 years ago.
Debug log:
[2016-09-08 20:40:47,199][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Error while apply() due to ElasticsearchException[Security configuration cannot be loaded for unknown reasons] for action indices:data/read/search
ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at com.petalmd.armor.filter.FLSActionFilter.applySecure(FLSActionFilter.java:96)
at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at com.petalmd.armor.filter.DLSActionFilter.applySecure(DLSActionFilter.java:95)
at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at com.petalmd.armor.filter.RequestActionFilter.applySecure(RequestActionFilter.java:72)
at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.search(AbstractClient.java:582)
at org.elasticsearch.rest.action.search.RestSearchAction.handleRequest(RestSearchAction.java:85)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:279)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:260)
at com.petalmd.armor.rest.RestActionFilter.processSecure(RestActionFilter.java:58)
at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:138)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
at com.petalmd.armor.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:38)
at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:199)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[2016-09-08 20:40:47,206][WARN ][rest.suppressed ] /_search Params: {pretty=true}
java.lang.RuntimeException: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:98)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at com.petalmd.armor.filter.FLSActionFilter.applySecure(FLSActionFilter.java:96)
at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at com.petalmd.armor.filter.DLSActionFilter.applySecure(DLSActionFilter.java:95)
at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at com.petalmd.armor.filter.RequestActionFilter.applySecure(RequestActionFilter.java:72)
at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.search(AbstractClient.java:582)
at org.elasticsearch.rest.action.search.RestSearchAction.handleRequest(RestSearchAction.java:85)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:279)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:260)
at com.petalmd.armor.rest.RestActionFilter.processSecure(RestActionFilter.java:58)
at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:138)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
at com.petalmd.armor.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:38)
at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:199)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)
... 71 more
Populating /ac/ac data translates to another error:
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /_search?pretty=true HTTP/1.1
> Authorization: Basic <deleted>
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json; charset=UTF-8
< Content-Length: 388
<
{
"error" : {
"root_cause" : [ {
"type" : "forbidden_exception",
"reason" : "Attempt from null to _all indices for indices:data/read/search and User [name=app.user, roles=[admin]]"
} ],
"type" : "forbidden_exception",
"reason" : "Attempt from null to _all indices for indices:data/read/search and User [name=app.user, roles=[admin]]"
},
"status" : 403
}
* Connection #0 to host localhost left intact
"_all" access (that you try to address by issuing only a _search request) is forbidden for any user (even admin in your case); you will have to specify a proper index to make it work. For your configuration errors, they come indeed from the fact that you didn't populate /armor/ac/ac before.
Something is odd, here is my /armor/ac/ac config:
{
"acl": [
{
"__Comment__": "By default all filters are executed.",
"filters_bypass": [],
"filters_execute": ["*"]
},
{
"__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
"roles": ["admins"],
"filters_bypass": ["*"],
"filters_execute": []
}
]
}
Here is elasticsearch.yml (armor portion):
# Armor
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator
# Users
armor.authentication.settingsdb.digest: SHA256
armor.authentication.settingsdb.user.app-user: <deleted>
armor.authentication.settingsdb.user.kibana-user: <deleted>
# Roles
armor.authentication.authorization.settingsdb.roles.app-user: ["admins"]
armor.authentication.authorization.settingsdb.roles.kibana-user: ["kibana-users"]
# Permissions
armor.restactionfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]
Here is my request and response as admin:
curl app-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true
{
"_index" : "audit-log-2016-08",
"_type" : "audit-events",
"_id" : "1",
"_version" : 1,
"found" : true,
"_source" : {
"dummy" : 1
}
}
And here is my request and response as kibana-user:
curl kibana-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true
{
"error" : {
"root_cause" : [ {
"type" : "forbidden_exception",
"reason" : "Forbidden action RestGetAction . Allowed actions: []"
} ],
"type" : "forbidden_exception",
"reason" : "Forbidden action RestGetAction . Allowed actions: []"
},
"status" : 403
}
I have tried the following armor/ac/ac configuration as well, with the same result:
{
"acl": [
{
"__Comment__": "By default no filters are executed and no filters are bypassed. In such a case an exception is thrown and access will be denied.",
"filters_bypass": [],
"filters_execute": ["*"]
},
{
"__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
"roles": ["admins"],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"__Comment__": "For role kibana-users all filters are executed.",
"roles": ["kibana-users"],
"indices": ["audit-log-2016-08"],
"filters_bypass": [],
"filters_execute": ["*"]
}
]
}
What am I missing in the configurations?
Hello @vkhazin, your configuration is malformed (I didn't check the documentation, but maybe it's misleading).
You declare two restactionfilters but then configure two actionrequestfilters. They are not equivalent: a RestActionFilter allows you to block a request that is made via REST, whereas an ActionRequestFilter blocks both a REST request and a transport request. That is the one you want to use, if you use it. Here is the configuration you want:
armor.actionrequestfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]
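A consistency check for the two settings sources this thread juggles, as an added example (not Armor's own code, nor a tool from the project): it parses the flat elasticsearch.yml keys shown above and the /armor/ac/ac document, and reports filter names declared under one family (`restactionfilter`) but configured under the other (`actionrequestfilter`), an ACL that is not valid JSON, and ACL roles that no settingsdb user holds. The sample inputs are constructed from the thread, and the YAML parser only handles the flat `key: value` form used here.

```python
import json
import re

FILTER_FAMILIES = ("restactionfilter", "actionrequestfilter")
ROLES_PREFIX = "armor.authentication.authorization.settingsdb.roles."

# Constructed sample: the thread's fragment, with names declared under
# restactionfilter but allowed_actions configured under actionrequestfilter.
SAMPLE_YML = """\
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.settingsdb.digest: SHA256
armor.authentication.authorization.settingsdb.roles.app-user: ["admins"]
armor.authentication.authorization.settingsdb.roles.kibana-user: ["kibana-users"]
armor.restactionfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]
"""
# Constructed sample ACL as posted in the thread: [*] is not valid JSON.
SAMPLE_ACL = '{"acl": [{"filters_bypass": [], "filters_execute": [*]}]}'


def parse_flat_yml(text):
    """Parse the flat `key: value` lines Armor uses (no nesting, no anchors)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        try:
            settings[key.strip()] = json.loads(value.strip())  # lists, quoted strings
        except ValueError:
            settings[key.strip()] = value.strip()  # bare scalars such as SHA256
    return settings


def check_filters(settings):
    """Flag filter names declared in one family but configured in the other."""
    findings = []
    for family in FILTER_FAMILIES:
        declared = set(settings.get("armor.%s.names" % family, []))
        pat = re.compile(r"^armor\.%s\.([^.]+)\.allowed_actions$" % family)
        configured = {m.group(1) for m in map(pat.match, settings) if m}
        for name in sorted(declared - configured):
            findings.append("%s.%s is named but has no allowed_actions" % (family, name))
        for name in sorted(configured - declared):
            findings.append("%s.%s has allowed_actions but is not in names" % (family, name))
    return findings


def check_acl(settings, acl_text):
    """Parse the ACL document and flag roles that no settingsdb user holds."""
    try:
        acl = json.loads(acl_text)
    except ValueError as exc:
        return ["ACL document is not valid JSON: %s" % exc]
    assigned = {r for k, v in settings.items() if k.startswith(ROLES_PREFIX) for r in v}
    return ["ACL role %r is assigned to no user" % role
            for entry in acl.get("acl", []) for role in entry.get("roles", [])
            if role not in assigned]
```

On the thread's fragment `check_filters` reports four findings (two names without `allowed_actions`, two `allowed_actions` without a name), which is the mismatch behind the "Allowed actions: []" 403; with both keys under `actionrequestfilter` it reports none.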
Hey @jehuty0shift,
Thank you for your comments! Indeed, now I am able to execute:
curl kibana-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true
with the same results as for 'admin':
{
"took" : 6,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 1.0,
"hits" : [ {
"_index" : "audit-log-2016-08",
"_type" : "audit-events",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"dummy" : 1
}
} ]
}
}
I have an issue for upgrading the documentation, #3. If I understand correctly, @vkhazin, your problem is now solved? Can I close this issue?
Thanks!
curl -v http://app.user:***@localhost:9200/_search?pretty=true
elasticsearch.yml configurations
There is no localhost:9200/ac index present at the time of testing; adding the default settings did not seem to have any impact:
Root level request seems to succeed: