hello i’m sorry for asking so many questions but i couldn’t get searchguard to work with kibana 4.0.2. and i couldn’t figure out what’s the problem…
btw, plain search against elasticsearch works and searchguard seems to be functioning as intended. it just stops working whenever kibana is involved…
kibana goes to the following error page as soon as i verify myself as user ‘marketing’ with role ‘guest’:
Fatal Error
Courier Fetch Error: unhandled error Error: ArrayIndexOutOfBoundsException[0]
at respond (http://127.0.0.1:9548/index.js?_b=6004:81691:15)
at checkRespForFailure (http://127.0.0.1:9548/index.js?_b=6004:81659:7)
at http://127.0.0.1:9548/index.js?_b=6004:80322:7
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at http://127.0.0.1:9548/index.js?_b=6004:21030:76
at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)
Error: unhandled error Error: ArrayIndexOutOfBoundsException[0]
at respond (http://127.0.0.1:9548/index.js?_b=6004:81691:15)
at checkRespForFailure (http://127.0.0.1:9548/index.js?_b=6004:81659:7)
at http://127.0.0.1:9548/index.js?_b=6004:80322:7
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at http://127.0.0.1:9548/index.js?_b=6004:21030:76
at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)
at handleError (http://127.0.0.1:9548/index.js?_b=6004:42664:22)
at DocRequest.AbstractReqProvider.AbstractReq.handleFailure (http://127.0.0.1:9548/index.js?_b=6004:42740:14)
at http://127.0.0.1:9548/index.js?_b=6004:42945:17
at Array.forEach (native)
at http://127.0.0.1:9548/index.js?_b=6004:42943:18
at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
at http://127.0.0.1:9548/index.js?_b=6004:21030:76
at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)
here’s my search-guard setting and acl setting (i’m trying to apply minimum security just to get it to work first; i want role ‘admin’ to be able to do everything and role ‘guest’ to have the field ‘user’ filtered out on all search responses):
#############################################################################################
# SEARCH GUARD
# Configuration
#############################################################################################
# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: false
# Path where to write/read the searchguard master key file
searchguard.key_path: /tmp/dldm/elasticsearchConfig
# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true
# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
searchguard.config_index_name: searchguard
# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
searchguard.http.enable_sessions: false
# Enable or disable audit logging
searchguard.auditlog.enabled: true
# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
searchguard.check_for_root: false
# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
searchguard.allow_all_from_loopback: true
#############################################################################################
# X-Forwarded-For (XFF) header
#############################################################################################
# X-Forwarded-For (XFF) header
# If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
searchguard.http.xforwardedfor.header: null
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false
#############################################################################################
# Authentication backend
#############################################################################################
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: true
#############################################################################################
# Authorization backend (authorizer)
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.authorizer.cache.enable: true
#############################################################################################
# HTTP authentication method
#############################################################################################
# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.: password
searchguard.authentication.settingsdb.user.root: ********
searchguard.authentication.settingsdb.user.kibana: ********
searchguard.authentication.settingsdb.user.marketing: ********
#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.:
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
#####################################################
##############################################################################################
# Below here you configure what authenticated and authorized users are allowed to do (or not)#
# This maps to the acl defined in the searchguard configuration index
#############################################################################################
# Configure the field level security (fls) filter to filter _source
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]
- ACL:
{
  "acl": [
    {
      "Comment": "By default no filters are executed and no filters are by-passed. In such a case a exception is thrown and access will be denied.",
      "filters_bypass": [],
      "filters_execute": []
    },
    {
      "Comment": "For role 'admin' all filters are bypassed (so none will be executed). This means unrestricted access.",
      "roles": [
        "admin"
      ],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "Comment": "For role 'guest' all filters will be executed.",
      "roles": [
        "guest"
      ],
      "filters_bypass": [],
      "filters_execute": ["*"]
    }
  ]
}
Attached is the elasticsearch log.
data_manager.log (163 KB)
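
An added example, not part of the original post and not Search Guard code: a structural check of the ACL document and user-to-role mapping shown above, which reports a missing or non-list `filters_bypass`/`filters_execute`, roles that bypass every filter, and roles with no ACL rule. The names `lint_acl` and `_as_list`, the finding labels, and the expectation that the first rule is a role-less default-deny entry (taken from the ACL's own comment) are assumptions.

```python
import json

# Constructed from the post: user-to-role mapping and the ACL document.
USER_ROLES = {"root": ["admin"], "kibana": ["guest"], "marketing": ["guest"]}
ACL_JSON = """
{"acl": [
  {"filters_bypass": [], "filters_execute": []},
  {"roles": ["admin"], "filters_bypass": ["*"], "filters_execute": []},
  {"roles": ["guest"], "filters_bypass": [], "filters_execute": ["*"]}
]}
"""

def _as_list(rule, key, index, findings):
    """Return rule[key] if it is a list, else record an error and return []."""
    value = rule.get(key)
    if isinstance(value, list):
        return value
    findings.append(("error", f"rule {index}: {key} must be a list"))
    return []

def lint_acl(acl_doc, user_roles):
    """Return (severity, message) findings for an ACL document (hypothetical helper)."""
    findings, covered = [], set()
    rules = acl_doc.get("acl", [])
    for i, rule in enumerate(rules):
        bypass = _as_list(rule, "filters_bypass", i, findings)
        execute = _as_list(rule, "filters_execute", i, findings)
        roles = rule.get("roles", [])
        covered.update(roles)
        if set(bypass) & set(execute):
            findings.append(("error", f"rule {i}: same filter bypassed and executed"))
        if "*" in bypass:
            if roles:
                findings.append(("info", f"rule {i}: roles {roles} bypass every filter"))
            else:
                findings.append(("error", f"rule {i}: wildcard bypass without a role"))
    # Assumption from the ACL's own comment: the role-less entry denies by default.
    first = rules[0] if rules else None
    if first is None or first.get("roles") or first.get("filters_bypass") \
            or first.get("filters_execute"):
        findings.append(("warn", "first rule is not an empty default-deny entry"))
    for user, roles in sorted(user_roles.items()):
        findings += [("warn", f"user {user}: role {role} has no ACL rule")
                     for role in roles if role not in covered]
    return findings

if __name__ == "__main__":
    for severity, message in lint_acl(json.loads(ACL_JSON), USER_ROLES):
        print(severity, message)
```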