sscarduzio / elasticsearch-readonlyrest-plugin

Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing
https://readonlyrest.com
GNU General Public License v3.0

LDAP Error #240

Closed shubhamverma27 closed 7 years ago

shubhamverma27 commented 7 years ago

Hi, I have been trying to use the LDAP authentication and getting errors! I am stuck at this. After adding this code, entering any username and password authenticates and gives admin privileges. I am using the Pro version and all the default Kibana users are there.

```yaml
    - name: "test"
      ldap_auth:
        name: "ldap2"
        groups: ["g3"]
      type: allow
      kibana_access: rw
      indices: ["xxx"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "readonlyrest", "kibana:dev_tools", "kibana:management"]

    ldaps:

    - name: ldap2
      host: "xx.xxxx.com"
      port: 389
      bind_dn: "cn=xxxxx,dc=xxxx,dc=com"
      bind_password: "xxxx"
      search_user_base_DN: "dc=xxxxx,dc=com"
      user_id_attribute: "uid"
      search_groups_base_DN: "ou=Groups,dc=xxxx,dc=com"
      connection_pool_size: 30                                  # optional, default 30
      connection_timeout_in_sec: 30                             # optional, default 1
      request_timeout_in_sec: 30                                # optional, default 1
      cache_ttl_in_sec: 60
      unique_member_attribute: "uniqueMember"
```
sscarduzio commented 7 years ago

Hello @shubhamverma27, can you provide the ES logs showing the request getting through with admin privileges?

Also, please share the missing parts of the above ES elasticsearch.yml, starting with the "readonlyrest: " key.

Have you configured the kibana.yml too as per instructions?

readonlyrest.com/documentation/kibana.html

shubhamverma27 commented 7 years ago
```yaml
readonlyrest:

    # IMPORTANT FOR LOGIN/LOGOUT TO WORK
    prompt_for_basic_auth: false

    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    - name: "::RO::"
      auth_key: xx:dev
      kibana_access: ro
      indices: [".kibana", ".kibana-devnull", "bsg"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::RW::"
      auth_key: clas:dev
      kibana_access: rw
      indices: [".kibana", ".kibana-devnull", "clas"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "readonlyrest", "kibana:dev_tools", "kibana:management"]

    - name: "::ADMIN::"
      auth_key: admin:dev
      # KIBANA ADMIN ACCESS NEEDED TO USE THE ROR KIBANA APP!
      kibana_access: admin

    - name: "::WEBSITE SEARCH BOX::"
      indices: ["public"]
      actions: ["indices:data/read/*"]

    - name: "::Shubham::"
      kibana_access: rw
      indices: [".kibana", ".kibana-devnull", 'creditum']
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "readonlyrest", "kibana:dev_tools", "kibana:management"]
      auth_key: xxx:dev
```

Here it is. After this code, the LDAP code is there.

sscarduzio commented 7 years ago

OK, without seeing any error logs, I already see an issue in the settings:

```yaml
    - name: "test"
      ldap_auth:
        name: "ldap2"
        groups: ["g3"]
      type: allow
      kibana_access: rw
      indices: ["xxx"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "readonlyrest", "kibana:dev_tools", "kibana:management"]
```

In a rules block that includes kibana_access, when you have an indices rule, always include the ".kibana" and ".kibana-devnull" indices as well.
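Mistakes like the one above are easy to miss in a long `elasticsearch.yml`. As an added example for this thread (my code, not the plugin's), here is a small linter that takes the `readonlyrest:` mapping once it has been parsed into a plain dict (for instance with `yaml.safe_load`) and flags the problem the maintainer points out, together with the other things a reviewer would check in the configs posted in this thread: blocks with no authentication rule at all (they also match anonymous requests), `ldap_*` rules that name a connector missing from `ldaps`, and LDAP connectors that send the `bind_dn` password in cleartext or skip certificate checks. The sample config is constructed from the fragments posted here. Assumptions: the list of rule names treated as authentication, the documented default `ssl_enabled: true` (taken from the comment in the reporter's own config), and that port 389 is the plaintext LDAP port.

```python
"""Lint a ReadonlyREST ACL for the configuration mistakes discussed in this thread.
Added example, not code from the plugin. Input is the `readonlyrest:` mapping as a
Python dict, e.g. yaml.safe_load(open("elasticsearch.yml"))["readonlyrest"]."""
from typing import Any, Dict, List

# Kibana needs these two indices in any block that also carries kibana_access.
KIBANA_SYSTEM_INDICES = (".kibana", ".kibana-devnull")

# Rules that verify who the caller is (assumed list: the rules used in this thread
# plus auth_key_sha* / proxy_auth from the ROR docs). A block with none of them
# also matches anonymous requests.
AUTHN_RULES = {"auth_key", "auth_key_sha1", "auth_key_sha256",
               "proxy_auth", "ldap_auth", "ldap_authentication"}
LDAP_RULES = ("ldap_auth", "ldap_authentication", "ldap_authorization")


def _ldap_ref(value: Any) -> Any:
    """ldap_authentication may be a bare connector name or a mapping with 'name'."""
    return value if isinstance(value, str) else (value or {}).get("name")


def lint_ldaps(ldaps: List[Dict[str, Any]]) -> List[str]:
    findings: List[str] = []
    for d in ldaps:
        name = d.get("name", "<unnamed>")
        ssl = d.get("ssl_enabled", True)            # documented default is true
        if d.get("bind_dn") and not ssl:
            findings.append(f"ldap {name}: bind_dn password is sent in cleartext (ssl_enabled: false)")
        if ssl and d.get("port", 389) == 389:       # assumption: 389 is the plaintext port
            findings.append(f"ldap {name}: ssl_enabled is true (default) but port 389 is the plaintext LDAP port")
        if d.get("ssl_trust_all_certs"):
            findings.append(f"ldap {name}: ssl_trust_all_certs: true disables server certificate checks")
    return findings


def lint_blocks(blocks: List[Dict[str, Any]], ldap_names: set) -> List[str]:
    findings: List[str] = []
    for block in blocks:
        name = block.get("name", "<unnamed>")
        if "kibana_access" in block and "indices" in block:
            missing = [i for i in KIBANA_SYSTEM_INDICES if i not in block["indices"]]
            if missing:
                findings.append(f"block {name}: kibana_access with an indices rule that omits {missing}")
        for rule in LDAP_RULES:
            if rule in block and _ldap_ref(block[rule]) not in ldap_names:
                findings.append(f"block {name}: {rule} refers to undefined ldap connector {_ldap_ref(block[rule])!r}")
        if not AUTHN_RULES & set(block):
            findings.append(f"block {name}: no authentication rule, so it also matches anonymous requests")
    return findings


def lint_acl(ror: Dict[str, Any]) -> List[str]:
    ldaps = ror.get("ldaps") or []
    names = {d.get("name") for d in ldaps}
    return lint_ldaps(ldaps) + lint_blocks(ror.get("access_control_rules") or [], names)


# Constructed sample assembled from the configs posted in this thread.
SAMPLE_ACL: Dict[str, Any] = {
    "access_control_rules": [
        {"name": "::ADMIN::", "auth_key": "admin:dev", "kibana_access": "admin"},
        {"name": "::shub::", "auth_key": "shub:dev", "kibana_access": "rw",
         "indices": [".kibana", ".kibana-devnull", "logstash-*"]},
        {"name": "::KIBANA-SRV::", "auth_key": "kibana:kibana"},
        {"name": "::WEBSITE SEARCH BOX::", "indices": ["public"], "actions": ["indices:data/read/*"]},
        {"name": "test", "ldap_auth": {"name": "ldap2", "groups": ["g3"]},
         "kibana_access": "rw", "indices": ["xxx"]},
        {"name": "team1", "ldap_authentication": "ldap1",
         "ldap_authorization": {"name": "ldap1", "groups": ["g1", "g2"]}, "indices": ["xxx"]},
    ],
    "ldaps": [
        {"name": "ldap1", "host": "xx.xxx.com", "port": 389, "ssl_enabled": False,
         "ssl_trust_all_certs": True, "bind_dn": "cn=xx,dc=xxxx,dc=com", "bind_password": "xxx",
         "search_user_base_DN": "dc=xx,dc=com", "search_groups_base_DN": "ou=Groups,dc=xxxx,dc=com"},
        {"name": "ldap2", "host": "xxx.xxx.com", "port": 389,
         "search_user_base_DN": "ou=People,dc=xx,dc=com", "search_groups_base_DN": "ou=Groups,dc=xx,dc=com"},
    ],
}

if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_ACL):
        print(finding)
```

Run against the sample it reports five findings: the `test` block omits both Kibana indices, `::WEBSITE SEARCH BOX::` is reachable anonymously (intended here, but worth seeing listed), `ldap1` binds in cleartext and trusts any certificate, and `ldap2` relies on the TLS default while pointing at port 389.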

shubhamverma27 commented 7 years ago

```yaml
readonlyrest:
  enable: true
  prompt_for_basic_auth: false
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

  access_control_rules:

  - name: "::ADMIN::"
    auth_key: admin:dev
    # KIBANA ADMIN ACCESS NEEDED TO EDIT SECURITY SETTINGS IN ROR KIBANA APP!
    kibana_access: admin

  - name: "::shub::"
    auth_key: shub:dev
    kibana_access: rw
    indices: [".kibana", ".kibana-devnull", "logstash-*"]
    kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

  - name: "::RO::"
    auth_key: ro:dev
    kibana_access: ro
    indices: [".kibana", ".kibana-devnull", "logstash-*"]
    kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana

  - name: Accept requests to index1 from users with valid LDAP credentials, belonging to LDAP group 'team1'
    ldap_authentication: "ldap1"
    ldap_authorization:
      name: "ldap1"                                       # ldap name from 'ldaps' section
      groups: ["g1", "g2"]                                # group within 'ou=Groups,dc=example,dc=com'
    indices: ["xxx"]

  - name: Accept requests to index2 from users with valid LDAP credentials, belonging to LDAP group 'team2'
    ldap_authentication:
      name: "ldap2"
      cache_ttl_in_sec: 60
    ldap_authorization:
      name: "ldap2"
      groups: ["g3"]
      cache_ttl_in_sec: 60
    indices: ["xxx"]

  ldaps:

  - name: ldap1
    host: "xx.xxx.com"
    port: 389                                                 # default 389
    ssl_enabled: false                                        # default true
    ssl_trust_all_certs: true                                 # default false
    bind_dn: "cn=xx,dc=xxxx,dc=com"                           # skip for anonymous bind
    bind_password: "xxx"                                      # skip for anonymous bind
    search_user_base_DN: "dc=xx,dc=com"
    user_id_attribute: "uid"                                  # default "uid"
    search_groups_base_DN: "ou=Groups,dc=xxxx,dc=com"
    unique_member_attribute: "uniqueMember"                   # default "uniqueMember"
    connection_pool_size: 30                                  # default 30
    connection_timeout_in_sec: 10                             # default 1
    request_timeout_in_sec: 10                                # default 1
    cache_ttl_in_sec: 60                                      # default 0 - cache disabled

  - name: ldap2
    host: "xxx.xxx.com"
    port: 389
    search_user_base_DN: "ou=People,dc=xx,dc=com"
    search_groups_base_DN: "ou=Groups,dc=xx,dc=com"
```

Hi, I rewrote the whole thing again and now it's the same error. This is the same code as in the documentation! Still, any user ID and password (random) is working.

shubhamverma27 commented 7 years ago

@sscarduzio Hey , Any Idea what I am doing wrong?

sscarduzio commented 7 years ago

@shubhamverma27 I need to see the Elasticsearch logs from when you log in with any password.

shubhamverma27 commented 7 years ago

@sscarduzio In the logs I am getting `comment: AcceptSecurityContext error, data 52e, v1db1`, which means invalid credentials, but the same credentials do work in other apps.

sscarduzio commented 7 years ago

@shubhamverma27 I'm looking for ReadonlyREST logs that show requests going through. Here is an example:

```text
[2017-06-12T15:04:23,706][INFO ][o.e.p.r.a.ACL            ] request: { ID:9927606--391744470, TYP:SearchRequest, USR:anna, BRS:true, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/_search, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[kibana->[auth_key->false]], [Dev->[kibana_access->true, indices->true, kibana_hide_apps->true, auth_key->true]] } matched block: Dev match: true}
```

From this kind of log I can reconstruct the history of what rule and block has let the request through, and (in your case) should have not.
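Reading the `HIS:` history by hand gets tedious once there are many blocks. As an added example for this thread (my code, not the plugin's), here is a parser that turns ROR ACL decision lines into structured records and answers the two questions the maintainer reconstructs from them: which block admitted a request and through which rules, and, for every other block, which rule stopped it. The sample log is constructed from the maintainer's line above and one forbidden line in the shape the reporter posts later in this thread. One assumption: a `(?)` suffix on `USR` is taken to mean the name came from the request's credentials but no rule verified it.

```python
"""Parse ReadonlyREST ACL decision lines and explain each allow/forbid.
Added example for this thread, not code from the plugin."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: one allowed request (maintainer's example), one unrelated
# node line, and one forbidden request in the format the reporter posted.
SAMPLE_LOG = """\
[2017-06-12T15:04:23,706][INFO ][o.e.p.r.a.ACL            ] request: { ID:9927606--391744470, TYP:SearchRequest, USR:anna, BRS:true, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/_search, CNT:<OMITTED, LENGTH=0>, HDR:Accept,Authorization,content-length,Host,User-Agent, HIS:[kibana->[auth_key->false]], [Dev->[kibana_access->true, indices->true, kibana_hide_apps->true, auth_key->true]] } matched block: Dev match: true}
[2017-06-12T17:46:51,459][INFO ][o.e.n.Node ] [IHb1r-c] starting ...
[2017-06-12T17:54:36,444][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { ID:1667926186-416695414, TYP:NodesInfoRequest, USR:bsg(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]], [::shub::->[auth_key->false]] }
"""

FIELD_RE = re.compile(r"\b(ID|USR|ACT|IDX|MET|PTH):([^,\s]+)")
BLOCK_RE = re.compile(r"\[([^\[\]]+?)->\[([^\]]*)\]\]")     # [block->[rule->bool, ...]]
MATCHED_RE = re.compile(r"matched block: (.+?) match: true")


@dataclass
class AclRequest:
    id: str
    user: str
    verified: bool            # False when ROR prints USR:name(?) (assumed meaning: not verified by any rule)
    action: str
    index: str
    method: str
    path: str
    allowed: bool
    block: Optional[str]      # block that admitted the request, None when forbidden
    history: Dict[str, Dict[str, bool]] = field(default_factory=dict)

    def passing_rules(self) -> List[str]:
        """Rules that evaluated true in the block that let the request through."""
        return [r for r, ok in self.history.get(self.block or "", {}).items() if ok]

    def why_rejected(self) -> Dict[str, str]:
        """For each block that did not admit the request, the first rule that failed."""
        return {b: next((r for r, ok in rules.items() if not ok), "?")
                for b, rules in self.history.items() if b != self.block}


def _parse_rules(text: str) -> Dict[str, bool]:
    out: Dict[str, bool] = {}
    for item in text.split(", "):
        if "->" in item:
            rule, value = item.rsplit("->", 1)
            out[rule.strip()] = value.strip() == "true"
    return out


def parse_acl_line(line: str) -> Optional[AclRequest]:
    """None for lines that are not ACL decisions. IndexLevelActionFilter repeats
    every forbidden decision with a 'Reason:' suffix, so only the ACL logger is read."""
    if "[o.e.p.r.a.ACL" not in line or "HIS:" not in line:
        return None
    head, _, his = line.partition("HIS:")
    f = dict(FIELD_RE.findall(head))
    m = MATCHED_RE.search(his)
    user = f.get("USR", "")
    unverified = user.endswith("(?)")
    return AclRequest(
        id=f.get("ID", ""),
        user=user[:-3] if unverified else user,
        verified=not unverified,
        action=f.get("ACT", ""), index=f.get("IDX", ""),
        method=f.get("MET", ""), path=f.get("PTH", ""),
        allowed=m is not None, block=m.group(1) if m else None,
        history={name: _parse_rules(rules) for name, rules in BLOCK_RE.findall(his)},
    )


def parse_log(text: str) -> List[AclRequest]:
    return [r for r in map(parse_acl_line, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        verdict = f"ALLOWED by {r.block} via {r.passing_rules()}" if r.allowed else "FORBIDDEN"
        who = r.user + ("" if r.verified else " (unverified)")
        print(f"{who} {r.method} {r.path} -> {verdict}; other blocks failed on {r.why_rejected()}")
```

For the reporter's case the interesting records are the ones where `allowed` is true and `block` is the LDAP block: `passing_rules()` then shows exactly which rules were satisfied for a user who should have been rejected.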

shubhamverma27 commented 7 years ago
```text
    at org.elasticsearch.common.inject.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:116) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:47) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorImpl.callInContext(InjectorImpl.java:825) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:43) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.Scopes$1$1.get(Scopes.java:59) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:50) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.SingleParameterInjector.inject(SingleParameterInjector.java:42) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.SingleParameterInjector.getAll(SingleParameterInjector.java:66) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ConstructorInjector.construct(ConstructorInjector.java:85) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:116) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:47) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorImpl.callInContext(InjectorImpl.java:825) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:43) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.Scopes$1$1.get(Scopes.java:59) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:50) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.SingleParameterInjector.inject(SingleParameterInjector.java:42) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.SingleParameterInjector.getAll(SingleParameterInjector.java:66) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ConstructorInjector.construct(ConstructorInjector.java:85) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:116) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:47) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorImpl.callInContext(InjectorImpl.java:825) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:43) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.Scopes$1$1.get(Scopes.java:59) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:50) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorBuilder$1.call(InjectorBuilder.java:191) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorBuilder$1.call(InjectorBuilder.java:183) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorImpl.callInContext(InjectorImpl.java:818) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorBuilder.loadEagerSingletons(InjectorBuilder.java:183) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorBuilder.loadEagerSingletons(InjectorBuilder.java:173) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorBuilder.injectDynamically(InjectorBuilder.java:161) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.InjectorBuilder.build(InjectorBuilder.java:96) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.Guice.createInjector(Guice.java:96) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.Guice.createInjector(Guice.java:70) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.common.inject.ModulesBuilder.createInjector(ModulesBuilder.java:43) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.node.Node.<init>(Node.java:491) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.node.Node.<init>(Node.java:242) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:232) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:232) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:350) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.4.1.jar:5.4.1]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.4.1.jar:5.4.1]
Caused by: com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2171) ~[?:?]
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2087) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidConnection.lambda$null$0(UnboundidConnection.java:66) ~[?:?]
    ... 102 more
[2017-06-12T17:46:50,946][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] Readonly REST plugin was loaded...
[2017-06-12T17:46:51,458][INFO ][o.e.n.Node ] initialized
[2017-06-12T17:46:51,459][INFO ][o.e.n.Node ] [IHb1r-c] starting ...
[2017-06-12T17:46:51,798][WARN ][o.e.b.BootstrapChecks ] [IHb1r-c] max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2017-06-12T17:46:51,798][WARN ][o.e.b.BootstrapChecks ] [IHb1r-c] max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[2017-06-12T17:46:54,906][INFO ][o.e.c.s.ClusterService ] [IHb1r-c] new_master {IHb1r-c}{IHb1r-clR2OnHTWJltAFww}{SNAReHrJRQOBnj-Ux4N8nQ}{localhost}{127.0.0.1:9300}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-06-12T17:46:54,958][INFO ][o.e.n.Node ] [IHb1r-c] started
[2017-06-12T17:46:55,623][INFO ][o.e.g.GatewayService ] [IHb1r-c] recovered [7] indices into cluster_state
[2017-06-12T17:46:58,081][INFO ][o.e.p.r.a.ACL ] ADDING #::ADMIN::: readonlyrest Rules Block :: { name: '::ADMIN::', policy: ALLOW}
[2017-06-12T17:46:58,083][INFO ][o.e.p.r.a.ACL ] ADDING #::shub::: readonlyrest Rules Block :: { name: '::shub::', policy: ALLOW}
[2017-06-12T17:46:58,083][INFO ][o.e.p.r.a.ACL ] ADDING #::RO::: readonlyrest Rules Block :: { name: '::RO::', policy: ALLOW}
[2017-06-12T17:46:58,084][INFO ][o.e.p.r.a.ACL ] ADDING #::KIBANA-SRV::: readonlyrest Rules Block :: { name: '::KIBANA-SRV::', policy: ALLOW}
[2017-06-12T17:46:58,092][ERROR][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] Cannot configure ReadonlyREST plugin
org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.LdapClientException$InitializationException: LDAP binding problem
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidConnection.lambda$null$0(UnboundidConnection.java:72) ~[?:?]
    at java.util.Optional.ifPresent(Optional.java:159) ~[?:1.8.0_131]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidConnection.lambda$connect$1(UnboundidConnection.java:64) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidConnection.connect(UnboundidConnection.java:45) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidConnection.<init>(UnboundidConnection.java:41) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidAuthenticationLdapClient.<init>(UnboundidAuthenticationLdapClient.java:42) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.DefinitionsFactory.lambda$getClient$3(DefinitionsFactory.java:143) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.DefinitionsFactory.getOrCreate(DefinitionsFactory.java:208) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.DefinitionsFactory.getClient(DefinitionsFactory.java:121) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.impl.LdapAuthenticationAsyncRule.<init>(LdapAuthenticationAsyncRule.java:39) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.UserRuleFactory.lambda$new$4(UserRuleFactory.java:69) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.UserRuleFactory.create(UserRuleFactory.java:81) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.RulesFactory.create(RulesFactory.java:143) ~[?:?]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_131]
    at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) ~[?:1.8.0_131]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_131]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_131]
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_131]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_131]
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_131]
    at org.elasticsearch.plugin.readonlyrest.acl.blocks.Block.<init>(Block.java:65) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.ACL.lambda$new$0(ACL.java:64) ~[?:?]
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_131]
    at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) ~[?:1.8.0_131]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_131]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_131]
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_131]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_131]
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_131]
    at org.elasticsearch.plugin.readonlyrest.acl.ACL.<init>(ACL.java:68) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.es.IndexLevelActionFilter.accept(IndexLevelActionFilter.java:100) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.es.IndexLevelActionFilter.accept(IndexLevelActionFilter.java:67) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.configuration.ReloadableSettings.lambda$notifyListeners$1(ReloadableSettings.java:61) ~[?:?]
    at java.lang.Iterable.forEach(Iterable.java:75) ~[?:1.8.0_131]
    at org.elasticsearch.plugin.readonlyrest.configuration.ReloadableSettings.notifyListeners(ReloadableSettings.java:61) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.configuration.ReloadableSettings.lambda$reload$0(ReloadableSettings.java:53) ~[?:?]
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) [?:1.8.0_131]
    at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) [?:1.8.0_131]
    at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) [?:1.8.0_131]
    at org.elasticsearch.plugin.readonlyrest.configuration.ReloadableSettings.reload(ReloadableSettings.java:48) [core-1.16.4.jar:?]
    at org.elasticsearch.plugin.readonlyrest.es.IndexLevelActionFilter$1.run(IndexLevelActionFilter.java:245) [readonlyrest-1.16.4_es5.4.1.jar:?]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_131]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_131]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_131]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2171) ~[?:?]
    at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2087) ~[?:?]
    at org.elasticsearch.plugin.readonlyrest.acl.definitions.ldaps.unboundid.UnboundidConnection.lamb
```

shubhamverma27 commented 7 years ago

No such logs are generated once I have my bind_dn and password in place, but if I comment them out for anonymous login I get these logs, and LDAP doesn't work while the other users work:

```text
[2017-06-12T17:54:36,444][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { ID:1667926186-416695414, TYP:NodesInfoRequest, USR:bsg(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]], [::shub::->[auth_key->false]] }
[2017-06-12T17:54:36,446][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] forbidden request: { ID:1667926186-416695414, TYP:NodesInfoRequest, USR:bsg(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]], [::shub::->[auth_key->false]] } Reason: null (null)
[2017-06-12T17:54:50,642][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { ID:1480747216-1368086602, TYP:NodesInfoRequest, USR:shubhamv(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO::->[auth_key->false]], [::shub::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [ldaptest->[ldap_authentication->false]] }
[2017-06-12T17:54:50,644][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] forbidden request: { ID:1480747216-1368086602, TYP:NodesInfoRequest, USR:shubhamv(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::KIBANA-SRV::->[auth_key->false]], [::RO::->[auth_key->false]], [::shub::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [ldaptest->[ldap_authentication->false]] } Reason: null (null)
[2017-06-12T17:55:00,160][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { ID:546616713-2066390722, TYP:NodesInfoRequest, USR:bsgauth(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::ADMIN::->[auth_key->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]], [::KIBANA-SRV::->[auth_key->false]], [::shub::->[auth_key->false]] }
[2017-06-12T17:55:00,162][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] forbidden request: { ID:546616713-2066390722, TYP:NodesInfoRequest, USR:bsgauth(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::ADMIN::->[auth_key->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]], [::KIBANA-SRV::->[auth_key->false]], [::shub::->[auth_key->false]] } Reason: null (null)
```

sscarduzio commented 7 years ago

OK, you don't have those logs because the default verbosity is ERROR. You can enable them by adding `verbosity: "info"` to the LDAP block.

shubhamverma27 commented 7 years ago

I added this line but it's still the same. The problem is that the logs show "not bound" and any random user is getting logged in. This happens when bind_dn and password are mentioned; if I remove them, LDAP itself stops working and I get the required error logs, and also the same unbound log!!! @sscarduzio

The last log is

```text
[2017-06-12T18:20:35,295][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] [CLUSTERWIDE SETTINGS] good settings found in index, overriding elasticsearch.yml
[2017-06-12T18:20:35,596][INFO ][o.e.c.r.a.AllocationService] [IHb1r-c] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] ...]).
```

Even after adding `verbosity: "info"`.

shubhamverma27 commented 7 years ago

@sscarduzio I am using active directory , does that make any difference?

shubhamverma27 commented 7 years ago

```text
[2017-06-12T19:07:20,232][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] forbidden request: { ID:1755372949-509965873, TYP:NodesInfoRequest, USR:bsgsadsda(?), BRS:false, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<OMITTED, LENGTH=0>, HDR:Authorization,Connection,content-length,Host, HIS:[::shub::->[auth_key->false]], [::RO::->[auth_key->false]], [::ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [ldaptest->[ldap_authentication->false]] } Reason: null (null)
```

Does this log help at any point?

sscarduzio commented 7 years ago

OK I saw the stack trace, finally something I can really work on.

For Active Directory, have a look at this: https://forum.readonlyrest.com/t/ldap-configuration-for-active-directory/152

shubhamverma27 commented 7 years ago

Thanks @sscarduzio ... i figured it out...its working now :)

sscarduzio commented 7 years ago

really? Dude you're awesome! What was wrong?

shubhamverma27 commented 7 years ago

@sscarduzio Not really... It was a mistake in my configuration for the host DN settings :P 🤕