ElasticsearchException[Security configuration cannot be loaded for unknown reasons #21

Open
vkhazin opened this issue Sep 8, 2016 · 7 comments


vkhazin commented Sep 8, 2016

curl -v http://app.user:***@localhost:9200/_search?pretty=true

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /_search?pretty=true HTTP/1.1
> Authorization: Basic YXBwLnVzZXI6Um9nZXJzMTIz
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Content-Length: 480
< 
{
  "error" : {
    "root_cause" : [ {
      "type" : "runtime_exception",
      "reason" : "ElasticsearchException[Security configuration cannot be loaded for unknown reasons]"
    } ],
    "type" : "runtime_exception",
    "reason" : "ElasticsearchException[Security configuration cannot be loaded for unknown reasons]",
    "caused_by" : {
      "type" : "exception",
      "reason" : "Security configuration cannot be loaded for unknown reasons"
    }
  },
  "status" : 500
}

elasticsearch.yml configurations

# Armor
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator

# Users
armor.authentication.settingsdb.digest: SHA256
armor.authentication.settingsdb.user.app.user: 94aa520b351f5df1abcd3195bf9f06888475e143a4ef20922c4cabe445e66719

# Roles
armor.authentication.authorization.settingsdb.roles.app.user: ["admin"]

# Permissions
armor.restactionfilter.names: ["admin"]
armor.actionrequestfilter.admin.allowed_actions: ["*"]

There is no localhost:9200/ac index present at the time of testing; adding the default settings did not seem to have any impact:

curl -XPUT 'http://localhost:9200/armor/ac/ac' -d '{
    "acl": [
    {
        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
     },
     {
           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
               "admin"
           ],
           "filters_bypass": ["*"],
           "filters_execute": []
     }
     ]
}'

Root level request seems to succeed:

curl -v http://app.user:***@localhost:9200/?pretty=true
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /?pretty=true HTTP/1.1
> Authorization: Basic YXBwVXNlcjpSb2dlcnMxMjM=
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
< Content-Length: 366
< 
{
  "name" : "audit-log-dev-elasticsearch-host03",
  "cluster_name" : "audit-logs-dev-elasticsearch-cluster",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact

vkhazin commented Sep 8, 2016

Debug log:

[2016-09-08 20:40:47,199][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Error while apply() due to ElasticsearchException[Security configuration cannot be loaded for unknown reasons] for action indices:data/read/search
ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
    at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
    at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
    at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.FLSActionFilter.applySecure(FLSActionFilter.java:96)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.DLSActionFilter.applySecure(DLSActionFilter.java:95)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.RequestActionFilter.applySecure(RequestActionFilter.java:72)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
    at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
    at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.support.AbstractClient.search(AbstractClient.java:582)
    at org.elasticsearch.rest.action.search.RestSearchAction.handleRequest(RestSearchAction.java:85)
    at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
    at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
    at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:279)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:260)
    at com.petalmd.armor.rest.RestActionFilter.processSecure(RestActionFilter.java:58)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:138)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at com.petalmd.armor.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:38)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:199)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
    at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
    at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
    at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
    at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
    at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

[2016-09-08 20:40:47,206][WARN ][rest.suppressed          ] /_search Params: {pretty=true}
java.lang.RuntimeException: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
    at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:98)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.FLSActionFilter.applySecure(FLSActionFilter.java:96)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.DLSActionFilter.applySecure(DLSActionFilter.java:95)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at com.petalmd.armor.filter.RequestActionFilter.applySecure(RequestActionFilter.java:72)
    at com.petalmd.armor.filter.AbstractActionFilter.apply(AbstractActionFilter.java:118)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
    at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
    at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.doExecute(BaseRestHandler.java:83)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
    at org.elasticsearch.client.support.AbstractClient.search(AbstractClient.java:582)
    at org.elasticsearch.rest.action.search.RestSearchAction.handleRequest(RestSearchAction.java:85)
    at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
    at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
    at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:279)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:260)
    at com.petalmd.armor.rest.RestActionFilter.processSecure(RestActionFilter.java:58)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:138)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at com.petalmd.armor.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:38)
    at com.petalmd.armor.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:199)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:263)
    at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:176)
    at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
    at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
    at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
    at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
    at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
    at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
    at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
    at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
    at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)
    ... 71 more


vkhazin commented Sep 8, 2016

Populating /ac/ac data translates to another error:

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /_search?pretty=true HTTP/1.1
> Authorization: Basic YXBwLnVzZXI6Um9nZXJzMTIz
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: application/json; charset=UTF-8
< Content-Length: 388
< 
{
  "error" : {
    "root_cause" : [ {
      "type" : "forbidden_exception",
      "reason" : "Attempt from null to _all indices for indices:data/read/search and User [name=app.user, roles=[admin]]"
    } ],
    "type" : "forbidden_exception",
    "reason" : "Attempt from null to _all indices for indices:data/read/search and User [name=app.user, roles=[admin]]"
  },
  "status" : 403
}
* Connection #0 to host localhost left intact

@jehuty0shift
Contributor

"_all" access (which you try to address by issuing only a _search request) is forbidden for any user (even admin in your case); you will have to specify a proper index to make it work. As for your configuration errors, they do indeed come from the fact that you didn't populate /armor/ac/ac before.


vkhazin commented Sep 11, 2016

Something is odd, here is my /armor/ac/ac config:

{
    "acl": [
      {
          "__Comment__": "By default all filters are executed.",
          "filters_bypass": [],
          "filters_execute": [*]
       },
       {
             "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
             "roles": ["admins"],
             "filters_bypass": ["*"],
             "filters_execute": []
       }
     ]
}

Here is elasticsearch.yml (armor portion):

# Armor
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator

# Users
armor.authentication.settingsdb.digest: SHA256
armor.authentication.settingsdb.user.app-user: <deleted>
armor.authentication.settingsdb.user.kibana-user: <deleted>

# Roles
armor.authentication.authorization.settingsdb.roles.app-user: ["admins"]
armor.authentication.authorization.settingsdb.roles.kibana-user: ["kibana-users"]

# Permissions
armor.restactionfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]

Here is my request and response as admin:

curl app-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true

{
  "_index" : "audit-log-2016-08",
  "_type" : "audit-events",
  "_id" : "1",
  "_version" : 1,
  "found" : true,
  "_source" : {
    "dummy" : 1
  }
}

And here is my request and response as kibana-user:

curl kibana-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true

{
  "error" : {
    "root_cause" : [ {
      "type" : "forbidden_exception",
      "reason" : "Forbidden action RestGetAction . Allowed actions: []"
    } ],
    "type" : "forbidden_exception",
    "reason" : "Forbidden action RestGetAction . Allowed actions: []"
  },
  "status" : 403
}

I have tried the following armor/ac/ac configuration as well, with the same result:

{
    "acl": [
      {
          "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
          "filters_bypass": [],
          "filters_execute": [*]
       },
       {
             "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
             "roles": ["admins"],
             "filters_bypass": ["*"],
             "filters_execute": []
       },
       {
             "__Comment__": "For role kibana-users all filters are executed.",
             "roles": ["kibana-users"],
             "indices": ["audit-log-2016-08"],
             "filters_bypass": [],
             "filters_execute": ["*"]
       }
     ]
}

What am I missing in the configurations?

@jehuty0shift
Contributor

Hello @vkhazin, your configuration is malformed (I didn't check the documentation, but maybe it's misleading).

You declare two restactionfilter but instead configure two requestactionfilter. They are not equivalent. The Rest action filter allows someone to block a request that is made from REST, and the Request Action Filter blocks both a REST request and a Transport request. That's the one you want to use if you use it.
Here is the configuration you want:

armor.actionrequestfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]  
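
The mismatch pointed out in the reply above, as an added example (not code from the Armor project or from anyone in this thread): a small Python check that each filter family's `names` list agrees with its per-name `allowed_actions` keys. It assumes the flat `key: value` layout and the two key shapes quoted in this thread; `parse_settings` and `lint_filters` are hypothetical helper names.

```python
import json
import re

# Key shapes taken from the settings quoted in this thread (assumed, not from Armor docs).
NAMES_RE = re.compile(r"^armor\.(\w+filter)\.names$")
RULE_RE = re.compile(r"^armor\.(\w+filter)\.([\w-]+)\.allowed_actions$")

# Permissions block as first posted in the thread.
BROKEN = """
armor.restactionfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]
"""

# Permissions block as corrected in the reply.
FIXED = """
armor.actionrequestfilter.names: ["admins", "kibana-users"]
armor.actionrequestfilter.admins.allowed_actions: ["*"]
armor.actionrequestfilter.kibana-users.allowed_actions: ["indices:data/read/*"]
"""


def parse_settings(text):
    """Parse flat `key: value` lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only: values such as
        # "indices:data/read/*" contain colons themselves.
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def lint_filters(text):
    """Return (family, name, problem) tuples for names/rule mismatches."""
    declared = {}    # family -> names listed in armor.<family>.names
    configured = {}  # family -> names that have an allowed_actions key
    findings = []
    for key, value in parse_settings(text).items():
        m = NAMES_RE.match(key)
        if m:
            try:
                names = json.loads(value)
            except ValueError:
                names = None
            if not isinstance(names, list):
                findings.append((m.group(1), "names", "value is not a JSON-style list"))
                continue
            declared.setdefault(m.group(1), set()).update(names)
            continue
        m = RULE_RE.match(key)
        if m:
            configured.setdefault(m.group(1), set()).add(m.group(2))
    for family in sorted(set(declared) | set(configured)):
        d = declared.get(family, set())
        c = configured.get(family, set())
        for name in sorted(d - c):
            findings.append((family, name, "declared in names but has no allowed_actions"))
        for name in sorted(c - d):
            findings.append((family, name, "has allowed_actions but is not declared in names"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as first posted", BROKEN), ("as corrected", FIXED)):
        print(label)
        for finding in lint_filters(cfg) or [("-", "-", "no mismatches")]:
            print("  %s / %s: %s" % finding)
```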


vkhazin commented Sep 20, 2016

Hey @jehuty0shift,

Thank you for your comments!
Indeed now I am able to execute:

curl kibana-user:<deleted>@localhost:9200/audit-log-2016-08/audit-events/1?pretty=true

with the same results as for 'admin':

{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "audit-log-2016-08",
      "_type" : "audit-events",
      "_id" : "1",
      "_score" : 1.0,
      "_source" : {
        "dummy" : 1
      }
    } ]
  }
}

@jmaitrehenry
Contributor

I have an issue for upgrading the documentation #3.
If I understand, @vkhazin, your problem is now solved? Can I close this issue?

Thanks!
