elasticsearch-readonlyrest-plugin
Using sentinl with readonlyrest pro
Hi @sscarduzio, I have been trying to use this plugin with Sentinl for alerting, but due to ROR authorization I am getting the error log "No indices found", as it is not getting access to the indices. As per the developers of Sentinl, they use the authentication details from Kibana, so I used the user id and password kibana/kibana, which helped me at least run the plugin, but still no access to indices. Is there any workaround to this?
Error Log on opening sentinl
[2017-06-13T18:35:55,323][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] forbidden request: { ID:1255220618-1730246922, TYP:MainRequest, USR:[no basic auth header], BRS:false, ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<OMITTED, LENGTH=0>, HDR:Connection,Content-Length,Host, HIS:[readonly->[methods->false]], [::KIBANA-SRV::->[auth_key->false]], [ldaptest2->[ldap_authentication->false]], [::ADMIN::->[auth_key->false]], [::shub::->[auth_key->false]], [ALLOW->[methods->false]], [ldaptest->[ldap_authentication->false]], [ldaptest3->[ldap_authentication->false]], [::verma::->[auth_key->false]], [::RO::->[auth_key->false]] } Reason: null (null)
no block has matched, forbidding by default: { ID:624756349-151015906, TYP:PutIndexTemplateRequest, USR:[no basic auth header], BRS:true, ACT:indices:admin/template/put, OA:127.0.0.1, IDX:heartbeat-, MET:PUT, PTH:/_template/heartbeat, CNT:<OMITTED, LENGTH=1904>, HDR:Accept,Accept-Encoding,Content-Length,Content-Type,Host,User-Agent, HIS:[ALLOW->[methods->false]], [::verma::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [readonly->[methods->false]], [::ADMIN::->[auth_key->false]], [::shub::->[auth_key->false]], [ldaptest2->[ldap_authentication->false]], [ldaptest3->[ldap_authentication->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]] }
[2017-06-13T18:37:52,405][INFO ][o.e.p.r.e.IndexLevelActionFilter] [IHb1r-c] forbidden request: { ID:624756349-151015906, TYP:PutIndexTemplateRequest, USR:[no basic auth header], BRS:true, ACT:indices:admin/template/put, OA:127.0.0.1, IDX:heartbeat-, MET:PUT, PTH:/_template/heartbeat, CNT:<OMITTED, LENGTH=1904>, HDR:Accept,Accept-Encoding,Content-Length,Content-Type,Host,User-Agent, HIS:[ALLOW->[methods->false]], [::verma::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [readonly->[methods->false]], [::ADMIN::->[auth_key->false]], [::shub::->[auth_key->false]], [ldaptest2->[ldap_authentication->false]], [ldaptest3->[ldap_authentication->false]], [::RO::->[auth_key->false]], [ldaptest->[ldap_authentication->false]] } Reason: null (null)
more logs
So for what concerns third party plugins and integrations, you can proceed with this common troubleshooting technique:
Install ROR for ES + the third party plugin. Put verbosity to info in all rule blocks and start using the thing.
Keep an eye on the forbidden log lines in Elasticsearch: what action ("ACT") or indices ("IDX") are being accessed? Then you go and allow those selectively.
Also, in the "HIS" (history) field, you can find insight on what rule in what block is matching (true) or not matching (false).
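The troubleshooting loop above (watch the forbidden lines, read ACT/IDX, read HIS to see which block nearly matched) is tedious by eye once a plugin fires hundreds of requests. The following is an added example, not code from the ReadonlyREST project or from anyone in this thread: a small Python parser for the forbidden-request log format shown in this thread, fed with constructed sample lines (the IDs, node name and timestamps are made up). It extracts the fields a defender has to decide on, summarises them by method/action/index, and for each request names the block that came closest to allowing it along with the rules that stopped it.

```python
import re
from collections import Counter

# Constructed sample lines in the ReadonlyREST "forbidden request" log format
# used in this thread. IDs, node name and timestamps are made up.
SAMPLE_LOG = [
    "[2017-06-13T18:35:55,323][INFO ][o.e.p.r.e.IndexLevelActionFilter] [node-1] "
    "forbidden request: { ID:1-1, TYP:MainRequest, USR:[no basic auth header], BRS:false, "
    "ACT:cluster:monitor/main, OA:127.0.0.1, IDX:<N/A>, MET:HEAD, PTH:/, "
    "CNT:<OMITTED, LENGTH=0>, HDR:Connection,Content-Length,Host, "
    "HIS:[readonly->[methods->false]], [::KIBANA-SRV::->[auth_key->false]] } Reason: null (null)",
    "[2017-06-13T18:37:52,405][INFO ][o.e.p.r.e.IndexLevelActionFilter] [node-1] "
    "forbidden request: { ID:2-2, TYP:SearchRequest, USR:[no basic auth header], BRS:false, "
    "ACT:indices:data/read/search, OA:127.0.0.1, IDX:watcher, MET:POST, PTH:/watcher/watch/_search, "
    "CNT:<OMITTED, LENGTH=0>, HDR:Connection,Content-Length,Host, "
    "HIS:[ALLOWHEAD2->[methods->false, hosts->true, uri_re->true]], "
    "[ALLOWPOST->[hosts->true, uri_re->false]], [::ADMIN::->[auth_key->false]] } Reason: null (null)",
    # An unrelated INFO line, to show that non-forbidden lines are skipped.
    "[2017-06-13T18:38:01,100][INFO ][o.e.n.Node] [node-1] started",
]

# Scalar fields: each value runs up to the next comma or whitespace.
FIELD_RE = {
    "ts": re.compile(r"^\[([^\]]+)\]"),
    "usr": re.compile(r"USR:\[([^\]]*)\]"),
    "act": re.compile(r"ACT:([^,\s]+)"),
    "idx": re.compile(r"IDX:([^,\s]+)"),
    "met": re.compile(r"MET:([^,\s]+)"),
    "pth": re.compile(r"PTH:([^,\s]+)"),
    "oa": re.compile(r"OA:([^,\s]+)"),
}
# HIS runs from "HIS:" to the closing brace of the request record.
HIS_RE = re.compile(r"HIS:(.*?)\s*\}")
# One block entry looks like [blockname->[rule->true, rule->false]].
BLOCK_RE = re.compile(r"\[([^\[\]]+)->\[([^\]]*)\]\]")


def parse_history(his):
    """Turn '[block->[rule->true, rule->false]], ...' into {block: {rule: bool}}."""
    blocks = {}
    for block, rules in BLOCK_RE.findall(his):
        verdicts = {}
        for rule in rules.split(","):
            name, _, verdict = rule.strip().partition("->")
            if name:
                verdicts[name] = verdict == "true"
        blocks[block] = verdicts
    return blocks


def parse_forbidden(line):
    """Return the interesting fields of a ROR 'forbidden' log line, or None for other lines."""
    if "forbidden request" not in line and "forbidding by default" not in line:
        return None
    rec = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(line)
        rec[key] = m.group(1) if m else None
    m = HIS_RE.search(line)
    rec["his"] = parse_history(m.group(1)) if m else {}
    return rec


def closest_block(rec):
    """Name the block that came nearest to allowing the request and the rules that failed.

    ROR stops evaluating a block at its first failing rule, so HIS only lists the rules
    it reached; ranking by (fewest failures, most passes) is therefore a heuristic that
    points at the block worth adjusting, not a proof of what would have matched."""
    best = None
    for block, verdicts in rec["his"].items():
        failed = [r for r, ok in verdicts.items() if not ok]
        passed = [r for r, ok in verdicts.items() if ok]
        key = (len(failed), -len(passed))
        if best is None or key < best[0]:
            best = (key, block, failed)
    return (best[1], best[2]) if best else (None, [])


def summarize(lines):
    """Count forbidden requests by (method, action, index): the set to allow or deny selectively."""
    counts = Counter()
    for line in lines:
        rec = parse_forbidden(line)
        if rec:
            counts[(rec["met"], rec["act"], rec["idx"])] += 1
    return counts


if __name__ == "__main__":
    for (met, act, idx), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {met:5s} {act:30s} idx={idx}")
    for line in SAMPLE_LOG:
        rec = parse_forbidden(line)
        if rec:
            block, failed = closest_block(rec)
            print(f"{rec['pth']}: nearest block {block}, failed on {failed}")
```

Run it against a real Elasticsearch log (`parse_forbidden` per line) and the summary gives exactly the ACT/IDX pairs the advice above says to allow one at a time; the `closest_block` output tells you whether the miss was a method, a host or a uri_re rule, which is the difference between widening an existing block and adding a new one.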
@sscarduzio I was able to run it by adding an allow block for the POST and GET methods, but then it resulted in any userid/password combination getting authenticated. So now I think I need to mention the uri_re for the plugin. How do I find that? I am not able to find it in the logs with verbosity.
```yaml
- name: ALLOWPOST
  type: allow
  methods: [POST]
  uri_re: ^/.kibana/config/_search
  hosts: [localhost]
  verbosity: info
- name: readonly
  type: allow
  methods: [OPTIONS,GET]
  uri_re: ^/watcher_alarms*
  hosts: [localhost]
  verbosity: info
```
These uri_re are not working.
Hi, I want to match the URI to ^/watcher_alarms-2017.06.14/. If I put that, it works, but if I put ^/watcher_alarms-*/ it doesn't. How do I make it match every date? @sscarduzio
I think you have a regex escape problem.
@sscarduzio Hi, it's working now, but the problem is that I have to provide a POST and GET exception for every index that I want to access via Sentinl. This way it opens the indices to other apps too, as we allow POST and GET without mentioning the requester.
Is there some way to put an exception for POST and GET for all queries generated by a given plugin? Here are the logs from the request:
request: { ID:1984742033--2018744667, TYP:SearchRequest, USR:[no basic auth header], BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:watcher, MET:POST, PTH:/watcher/watch/_search, CNT:<OMITTED, LENGTH=0>, HDR:Connection,Content-Length,Host, HIS:[ALLOWHEAD2->[methods->true, hosts->true, uri_re->true]], [ALLOWPOST->[hosts->true, uri_re->false]], [::ADMIN::->[auth_key->false]], [::RO::->[auth_key->false]], [::verma::->[auth_key->false]], [::shub::->[auth_key->false]], [ALLOWPOST2->[hosts->true, uri_re->false]] } matched block: ALLOWHEAD2 match: true}
Get the plugin to use HTTP Basic Auth and you'd be 100% sorted. If the feature is not there, request it from the plugin maintainer; it generally is a piece of cake to implement.
@sscarduzio No other way ?
uri_re is a regex.
You should use
uri_re: ^/watcher_alarms.*
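The confusion in this thread is glob versus regex: in a regex, `-*` means "zero or more hyphens", not "anything after the hyphen", so `^/watcher_alarms-*/` can only ever match `/watcher_alarms/` (or a run of hyphens followed by a slash), while `^/watcher_alarms.*` matches any path starting with the prefix. The following is an added example, not code from the ReadonlyREST project or from anyone in this thread. It checks the candidate uri_re values against constructed request paths modelled on the index names in the thread, using Python's `re`; the patterns are simple enough that Java's regex engine (which ROR uses) reads them the same way. Whether ROR requires the whole path to match or only searches it is not stated here, so the helper can do either, and the `-*` pattern fails in both modes. A third, date-scoped pattern is included as the tighter alternative a defender would usually prefer over a bare `.*`.

```python
import re

# Request paths as they would show up in the PTH field of ROR log lines.
# Constructed for this example, modelled on the index names in the thread.
PATHS = [
    "/watcher_alarms-2017.06.14/",
    "/watcher_alarms-2017.06.15/watch/_search",
    "/watcher/watch/_search",
    "/.kibana/config/_search",
]

# Candidate uri_re values: the glob-style one that does not work, the one
# suggested in the thread, and a date-scoped variant that only opens the daily
# watcher_alarms-YYYY.MM.DD indices rather than anything starting with the prefix.
PATTERNS = {
    "glob-style (wrong)": r"^/watcher_alarms-*/",
    "regex (suggested)": r"^/watcher_alarms.*",
    "date-scoped (tighter)": r"^/watcher_alarms-\d{4}\.\d{2}\.\d{2}/.*",
}


def matches(pattern, path, anchored=True):
    """True if pattern matches path.

    anchored=True requires the whole path to match (like Java's Matcher.matches());
    anchored=False only searches for the pattern (like Matcher.find()). Which of the
    two ROR applies to uri_re is not stated in the thread, so both are available."""
    rx = re.compile(pattern)
    return bool(rx.fullmatch(path) if anchored else rx.search(path))


def report(patterns=PATTERNS, paths=PATHS, anchored=True):
    """Map each pattern label to the sample paths it would let through."""
    return {label: [p for p in paths if matches(rx, p, anchored)]
            for label, rx in patterns.items()}


def date_literal(date):
    """Build an exact-date pattern, escaping the dots so '.' cannot match any character.

    The thread's '^/watcher_alarms-2017.06.14/' works by accident: unescaped '.' also
    matches '/watcher_alarms-2017x06x14/'. re.escape fixes the 'regex escape problem'."""
    return r"^/watcher_alarms-" + re.escape(date) + "/.*"


if __name__ == "__main__":
    for mode in (True, False):
        print("anchored" if mode else "search")
        for label, allowed in report(anchored=mode).items():
            print(f"  {label:24s} -> {allowed}")
```

The practical takeaway for a ROR config: write the uri_re as a real regex, escape literal dots, and scope it as narrowly as the plugin's traffic allows; `report()` is a quick way to check a pattern against the PTH values copied from the forbidden log lines before committing it to readonlyrest.yml.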
@ld57 Yeah, that I figured out, but the problem is mentioning it for each index.
Well, I am currently in its migration (Sentinl, aka KaaE), and I should meet your remarks next week.
I will tell you my conclusion.
Kr
Ld
@sscarduzio Is there any way to hide the LDAP settings and other relevant settings from the admin user and just let him add/remove users through the Kibana UI?
Hi,
Giving feedback: I am late in my tests, sorry for the delay, but I am still not able to drive them yet :(
@shubhamverma27 there's no way to do that at the moment.
Hey,
Finally I am back with my first test, integrating Sentinl with RoR. Sorry for the delay.
Just finished configuring it. Testing the issue about index access.
Working on