ACL management when searchguard is enabled

I’m wondering if it is possible to change ACL when the cluster is actively secured by searchguard.

I’m trying to GET /searchguard/ac/ac or PUT new rules in, but obviously, as the documentation and the error logs state, I can’t query it.

[2015-07-01 16:32:56,325][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=simon, roles=[admin]]
[2015-07-01 16:32:56,546][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to java.lang.RuntimeException: Only allowed from localhost (loopback) for action indices:data/read/get
java.lang.RuntimeException: Only allowed from localhost (loopback)

curl -v -XGET 'http://localhost:9200/searchguard/ac/ac' -u simon -v
Enter host password for user 'simon':

* About to connect() to localhost port 9200 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'simon'
> GET /searchguard/ac/ac HTTP/1.1
> Authorization: Basic c2ltbzEyMzQ6QWRtaW4xMjMt
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:9200
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Set-Cookie: es_searchguard_session=efa9f1ee-3e10-4138-8ee7-65f6c2acb200; Max-Age=3600; Expires=Wed, 01 Jul 2015 16:10:26 GMT; HTTPOnly
< Content-Type: application/json; charset=UTF-8
< Content-Length: 177
<
* Connection #0 to host localhost left intact
* Closing connection #0
{"error":"RuntimeException[java.lang.RuntimeException: Only allowed from localhost (loopback)]; nested: RuntimeException[Only allowed from localhost (loop[

This is my searchguard/ac/ac:

{
  "acl": [
    {
      "__Comment__": "By default no filters are executed and no filters are by-passed. In such a case an exception is thrown and access will be denied.",
      "filters_bypass": [],
      "filters_execute": []
    },
    {
      "__Comment__": "Role admin",
      "roles": [
        "admin"
      ],
      "filters_bypass": [
        "*"
      ],
      "filters_execute": []
    }
  ]
}

And this is part of my elasticsearch.yml

network.bind_host: ["elastic.host", "127.0.0.1"]
network.publish_host: elastic.host
transport.tcp.port: 9300-9400

Thank you !

···

Hi,

I don’t think it is possible, except if this is set to true:

If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)

searchguard.allow_all_from_loopback: true

But what I don’t get is your error: "Only allowed from localhost (loopback)"

I suppose that this means that your "searchguard.allow_all_from_loopback" is set to true...

So if you are trying to achieve it locally, as it seems to be, I really don’t get your error, sorry!

Try posting your elasticsearch.yml maybe ?

I’m wondering if it is possible to change ACL when the cluster is actively secured by searchguard.

For me it’s clear that this action should be performable.

I’m trying to GET /searchguard/ac/ac or PUT new rules in, but obviously, as the documentation and the error logs state, I can’t query it.

I’m getting the same error message on any operation on the 'searchguard' index, e.g.:

curl -v '127.0.0.1:9200/searchguard/audit/_search?pretty=true' -u admin:mypassword

While user 'admin' has the 'admin' role:

[2015-09-07 18:16:38,326][TRACE][com.floragunn.searchguard.filter.SearchGuardActionFilter] user User [name=admin, roles=[admin]]

[2015-07-01 16:32:56,325][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=simon, roles=[admin]]
[2015-07-01 16:32:56,546][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to java.lang.RuntimeException: Only allowed from localhost (loopback) for action indices:data/read/get
java.lang.RuntimeException: Only allowed from localhost (loopback)

So the reason is in line 230 of SearchGuardActionFilter.java:

https://github.com/floragunncom/search-guard/blob/es1.6/src/main/java/com/floragunn/searchguard/filter/SearchGuardActionFilter.java#L230

There is a code block as follows:

// ci = the indices named by the request; the settings lookup resolves the
// name of the index that holds the ACL configuration (default "searchguard")
if (ci.contains(settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.DEFAULT_SECURITY_CONFIG_INDEX))) {
    // denied unconditionally: nothing in this branch looks at where the request came from
    auditListener.onMissingPrivileges(user.getName(), request);
    throw new RuntimeException("Only allowed from localhost (loopback)");
}

So that means that whenever a request is sent to the index that keeps the configuration ACLs, this request will be denied with the exception "Only allowed from localhost (loopback)".

It seems to me that the code above should check what the originator IP address is, and only throw the exception if it’s not 127.0.0.1.

BTW: regarding the config option mentioned by another user (searchguard.allow_all_from_loopback), it’s set to 'false' for me. If it were set to 'true', no checking would be done at all, so a request made to 'localhost' would just pass.

Any help?

AdamLis;
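Added illustration (not from any post in this thread, and not Search Guard's own code): the decision the quoted snippet makes next to the decision its error message promises, replayed over the requests discussed above. Request, Settings and the origin field, meaning the client's socket address which the REST layer would have to hand down to the action filter, are assumptions made for this example; how the real plugin carries that address is not shown on this page.

```python
"""Model of the config-index guard from SearchGuardActionFilter (Search Guard for ES 1.x).

Added illustration, not code from the Search Guard project. Request, Settings
and the `origin` field (the client socket address the REST layer would have to
pass to the action filter) are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# ConfigConstants.DEFAULT_SECURITY_CONFIG_INDEX in the thread's Java snippet
DEFAULT_SECURITY_CONFIG_INDEX = "searchguard"

ALLOW = "allow"    # request goes on to normal ACL evaluation (filters_bypass / filters_execute)
DENY = "deny"      # request rejected with "Only allowed from localhost (loopback)"
BYPASS = "bypass"  # searchguard.allow_all_from_loopback short-circuited every check


@dataclass(frozen=True)
class Request:
    user: str
    indices: FrozenSet[str]  # indices the action touches ("ci" in the Java snippet)
    origin: str              # client socket address as seen by the REST layer (assumed field)


@dataclass(frozen=True)
class Settings:
    config_index: str = DEFAULT_SECURITY_CONFIG_INDEX
    allow_all_from_loopback: bool = False  # searchguard.allow_all_from_loopback


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x.

    Takes a socket address, never a hostname: "localhost" does not parse and
    must not count as local, because a Host header is attacker-controlled.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)  # dual-stack sockets report ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_loopback


def guard_as_posted(req: Request, settings: Settings, audit: List[Tuple[str, str]]) -> str:
    """Decision of the snippet quoted from line 230: any request that names the
    config index is denied, whatever its origin."""
    if settings.allow_all_from_loopback and is_loopback(req.origin):
        return BYPASS
    if settings.config_index in req.indices:
        audit.append((req.user, "missing privileges on " + settings.config_index))
        return DENY
    return ALLOW


def guard_fixed(req: Request, settings: Settings, audit: List[Tuple[str, str]]) -> str:
    """Same decision with the check the error message promises: the config index
    is reachable from loopback and from nowhere else."""
    if settings.allow_all_from_loopback and is_loopback(req.origin):
        return BYPASS
    if settings.config_index in req.indices and not is_loopback(req.origin):
        audit.append((req.user, "missing privileges on " + settings.config_index))
        return DENY
    return ALLOW


def run_thread_cases() -> Dict[str, Tuple[str, str]]:
    """Replay the situations discussed in the thread; returns {case: (posted, fixed)}."""
    default = Settings()
    permissive = Settings(allow_all_from_loopback=True)
    cases = {  # constructed sample requests
        # simon: curl -u simon http://localhost:9200/searchguard/ac/ac run on the node itself
        "simon_localhost": (Request("simon", frozenset({"searchguard"}), "127.0.0.1"), default),
        # the same GET from another host must stay denied, admin role or not
        "remote_admin": (Request("admin", frozenset({"searchguard"}), "10.0.0.5"), default),
        # with allow_all_from_loopback: true the local request passes with no check at all
        "localhost_allow_all": (Request("admin", frozenset({"searchguard"}), "127.0.0.1"), permissive),
        # ordinary indices are untouched by this guard and fall through to the ACL
        "other_index": (Request("simon", frozenset({"logs-2015.07"}), "10.0.0.5"), default),
        # a dual-stack socket presents loopback as an IPv4-mapped IPv6 address
        "ipv6_mapped_loopback": (Request("simon", frozenset({"searchguard"}), "::ffff:127.0.0.1"), default),
    }
    results: Dict[str, Tuple[str, str]] = {}
    for name, (req, settings) in cases.items():
        audit: List[Tuple[str, str]] = []
        results[name] = (guard_as_posted(req, settings, audit), guard_fixed(req, settings, audit))
    return results


if __name__ == "__main__":
    for name, (posted, fixed) in run_thread_cases().items():
        print(f"{name:22s} posted={posted:6s} fixed={fixed}")
```

The limit of a loopback check is worth keeping in mind: it trusts the socket address, so anything that terminates the client connection on the node itself (a reverse proxy, an SSH tunnel, a co-located service) makes a remote caller look local. searchguard.allow_all_from_loopback widens that trust further by skipping the ACL entirely for such callers, so it should stay off unless nothing else on the node can reach port 9200.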

···

On Wednesday, July 1, 2015 at 5:17:31 PM UTC+2, simon....@gmail.com wrote:


Hi,

I had the same issue and this fix worked for me:

I raised a PR, but it seems there are some problems with the tests on the master branch, which this one is based on.

Let me know if it works for anyone else.
