LDAP auth for ES no bypass or execute filters at all for action indices:monitor/status

Hello,

I’m trying to do auth through our posix LDAP. I’m trying to configure search-guard so that any user in the admins LDAP group has full (read/write) access to all indexes, and any user in the kibana-users LDAP group has read/write access to the .kibana index and read access to logstash-* indexes. Everything works fine without search-guard enabled, so my ELK stack was working before enabling search-guard.

Below are the versions for our two node (server) ELK stack on CentOS 6.7.

Logstash 1.5.3

Elasticsearch 1.7.1

Kibana 4.0.1

Redis 2.8.6

search-guard 1.7.3.0

Our posix LDAP tree is below.

root DSE: cn=posix

group base: cn=groups,cn=posix

admin group: cn=admins,cn=groups,cn=posix <----Attribute for users in this group is memberUid

kibana-users group: cn=kibana-users,cn=groups,cn=posix <----Attribute for users in this group is memberUid

user base: cn=users,cn=posix <----Attribute for users in this group is uid

Below is my search-guard config section of the elasticsearch.yml file.

Search-guard plugin config

searchguard.enabled: true
searchguard.ssl.transport.http.enabled: false
searchguard.allow_all_from_loopback: true
searchguard.key_path: /snapshot/search-guard-keys/preprod/
searchguard.http.xforwardedfor.header: DUMMY
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: false
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator
searchguard.authentication.authorizer.cache.enable: false
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
searchguard.authentication.ldap.host: ["ldap.posixserver.com:389"]
searchguard.authentication.ldap.ldaps.ssl.enabled: false
searchguard.authentication.ldap.ldaps.starttls.enabled: false
searchguard.authentication.ldap.bind_dn: "uid=linux,cn=system,cn=posix"
searchguard.authentication.ldap.password: password111
searchguard.authentication.ldap.userbase: "cn=posix"
searchguard.authentication.ldap.usersearch: (uid={0})
searchguard.authentication.ldap.username_attribute: uid
searchguard.authentication.authorization.ldap.rolebase: "cn=groups,cn=posix"
searchguard.authentication.authorization.ldap.rolesearch: (cn={0})
searchguard.authentication.authorization.ldap.userroleattribute: memberUid
searchguard.authentication.authorization.ldap.userrolename: cn
searchguard.authentication.authorization.ldap.resolve_nested_roles: false
searchguard.actionrequestfilter.names: ["kibana-server", "kibana-user", "kibana-admin", "logstash-server", "logstash-user"]
searchguard.actionrequestfilter.kibana-server.allowed_actions: [
  "cluster:monitor/nodes/info*",
  "cluster:monitor/health*",
  "indices:admin/create*",
  "indices:admin/exists*",
  "indices:admin/mapping/put*",
  "indices:admin/mappings/fields/get*",
  "indices:admin/refresh*",
  "indices:admin/validate/query*",
  "indices:data/read/get*",
  "indices:data/read/mget*",
  "indices:data/read/search*",
  "indices:data/write/delete*",
  "indices:data/write/index*",
  "indices:data/write/update*"
]
searchguard.actionrequestfilter.kibana-user.allowed_actions: [
  "cluster:monitor/nodes/info*",
  "cluster:monitor/health*",
  "indices:admin/exists*",
  "indices:admin/mappings/fields/get*",
  "indices:admin/validate/query*",
  "indices:data/read/get*",
  "indices:data/read/mget*",
  "indices:data/read/search*"
]
searchguard.actionrequestfilter.kibana-admin.allowed_actions: [
  "cluster:monitor/nodes/info*",
  "cluster:monitor/health*",
  "indices:admin/exists*",
  "indices:admin/mapping/put*",
  "indices:admin/mappings/fields/get*",
  "indices:admin/refresh*",
  "indices:admin/validate/query*",
  "indices:data/read/get*",
  "indices:data/read/mget*",
  "indices:data/read/search*",
  "indices:data/write/delete*",
  "indices:data/write/index*",
  "indices:data/write/update*",
  "indices:admin/create*"
]
searchguard.actionrequestfilter.logstash-server.allowed_actions: [
  "indices:admin/template/get*",
  "indices:admin/template/put*",
  "indices:admin/create*",
  "indices:data/write/bulk*",
  "indices:data/write/index*",
  "indices:data/write/delete*",
  "indices:data/write/update*",
  "indices:data/read/search*",
  "indices:data/read/scroll*"
]
searchguard.actionrequestfilter.logstash-user.allowed_actions: [
  "indices:admin/mappings/fields/get*",
  "indices:admin/validate/query*",
  "indices:data/read/search*",
  "indices:data/read/msearch*",
  "indices:admin/get*"
]

Below is what I ran to create the searchguard index.

curl -XPUT "http://localhost:9200/searchguard/ac/ac" -d '{
  "acl": [
    {
      "Comment": "By default no filters are executed and no filters are bypassed. In such a case an exception is thrown and access will be denied.",
      "filters_bypass": [],
      "filters_execute": []
    },
    {
      "Comment": "For role admins all filters are bypassed (so none will be executed). This means unrestricted access.",
      "roles": ["admins"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "Comment": "Allow kibana-users group to manage kibana indices",
      "roles": ["kibana-users"],
      "indices": [".kibana"],
      "filters_bypass": ["actionrequestfilter.kibana-users"],
      "filters_execute": ["actionrequestfilter.kibana-admin"]
    },
    {
      "Comment": "Allow kibana-users group to read logstash indices",
      "roles": ["kibana-users"],
      "indices": ["logstash-*"],
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.logstash-user"]
    }
  ]
}'

Below is the error I’m getting when logging into the Elasticsearch head plugin (http://logstash1.linuxlogs.com:9200/_plugin/head/). I can get into the head plugin, but nothing is showing up. So I’m wondering what I am missing in my configuration setup that is giving me the error below, and why I can’t see anything in the head plugin. The ‘testuser’ below is part of the admins LDAP group, so it should have full (read/write) access to all indexes.

[2016-03-21 13:19:35,056][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=]
[2016-03-21 13:19:35,062][WARN ][com.floragunn.searchguard.filter.SearchGuardActionFilter] Cannot determine types for indices:monitor/status (class org.elasticsearch.action.admin.indices.status.IndicesStatusRequest) due to types method not found
[2016-03-21 13:19:35,064][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=]
[2016-03-21 13:19:35,071][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all for action indices:monitor/status
com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all
    at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.validateAndMerge(TokenEvaluator.java:374)
    at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.<init>(TokenEvaluator.java:362)
    at com.floragunn.searchguard.tokeneval.TokenEvaluator.getEvaluator(TokenEvaluator.java:310)
    at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:253)
    at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:90)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
    at com.floragunn.searchguard.filter.FLSActionFilter.applySecure(FLSActionFilter.java:76)
    at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
    at com.floragunn.searchguard.filter.DLSActionFilter.applySecure(DLSActionFilter.java:73)
    at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
    at com.floragunn.searchguard.filter.RequestActionFilter.applySecure(RequestActionFilter.java:94)
    at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:82)
    at org.elasticsearch.client.node.NodeIndicesAdminClient.execute(NodeIndicesAdminClient.java:77)
    at org.elasticsearch.client.FilterClient$IndicesAdmin.execute(FilterClient.java:120)
    at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient$IndicesAdmin.execute(BaseRestHandler.java:149)
    at org.elasticsearch.client.support.AbstractIndicesAdminClient.status(AbstractIndicesAdminClient.java:577)
    at org.elasticsearch.rest.action.admin.indices.status.RestIndicesStatusAction.handleRequest(RestIndicesStatusAction.java:61)
    at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:53)
    at org.elasticsearch.rest.RestController.executeHandler(RestController.java:225)
    at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:299)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:280)
    at com.floragunn.searchguard.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:37)
    at com.floragunn.searchguard.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:198)
    at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
    at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:180)
    at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:121)
    at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:83)
    at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:327)
    at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
    at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
    at org.elasticsearch.common.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
    at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
    at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296)
    at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
    at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
    at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
    at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:74)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[2016-03-21 13:19:35,122][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=]
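The exception in that log follows from the ACL's own first rule. The INFO lines show the authenticated user arriving with an empty role list (roles=), so the only rule that can match is the default one, which has neither filters_bypass nor filters_execute, and the comment on that rule says exactly what then happens: an exception is thrown and access is denied. The script below is an added example, not Search Guard's code and not something posted in this thread; it models the rule merging as the posted comments and the log describe it (every rule whose roles and indices match is merged, "*" in filters_bypass skips every filter, a merged result with no filters at all is a configuration error, each executed filter must list the action in its allowed_actions) and runs the posted ACL and two of the posted action filters through it. Treating a filter named in filters_execute that is not configured as a denial is this example's choice. Two further things it surfaces from the posted config: actionrequestfilter.kibana-users in the third rule's filters_bypass is not one of the configured filter names (the names list has kibana-user), and indices:monitor/status, the action the head plugin issues, is in none of the allowed_actions lists, so even a resolved kibana-users role would be denied for it.

```python
"""Toy evaluator for a Search Guard 1.x style ACL (added illustration, not
Search Guard's code). Assumed semantics, taken from the comments in the posted
ACL and from the logged exception:
  * every rule whose roles/indices match is merged (union of filters_bypass and
    of filters_execute); a rule without roles/indices is the default rule and
    always matches;
  * "*" in the merged filters_bypass skips every filter;
  * no bypass and no execute entries at all is a configuration error and the
    request is denied ("no bypass or execute filters at all" in the log);
  * each executed filter must list the action in its allowed_actions.
"""
from fnmatch import fnmatchcase

# allowed_actions copied from the posted elasticsearch.yml (two of the five filters)
ACTION_FILTERS = {
    "actionrequestfilter.kibana-admin": [
        "cluster:monitor/nodes/info*", "cluster:monitor/health*",
        "indices:admin/exists*", "indices:admin/mapping/put*",
        "indices:admin/mappings/fields/get*", "indices:admin/refresh*",
        "indices:admin/validate/query*", "indices:data/read/get*",
        "indices:data/read/mget*", "indices:data/read/search*",
        "indices:data/write/delete*", "indices:data/write/index*",
        "indices:data/write/update*", "indices:admin/create*",
    ],
    "actionrequestfilter.logstash-user": [
        "indices:admin/mappings/fields/get*", "indices:admin/validate/query*",
        "indices:data/read/search*", "indices:data/read/msearch*",
        "indices:admin/get*",
    ],
}

# The posted ACL, with its empty lists written out.
ACL = [
    {"filters_bypass": [], "filters_execute": []},
    {"roles": ["admins"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["kibana-users"], "indices": [".kibana"],
     # "kibana-users" is not a configured filter name ("kibana-user" is)
     "filters_bypass": ["actionrequestfilter.kibana-users"],
     "filters_execute": ["actionrequestfilter.kibana-admin"]},
    {"roles": ["kibana-users"], "indices": ["logstash-*"],
     "filters_bypass": [], "filters_execute": ["actionrequestfilter.logstash-user"]},
]


class MalformedConfiguration(Exception):
    """Stands in for com.floragunn.searchguard.tokeneval.MalformedConfigurationException."""


def rule_matches(rule, roles, index):
    """A rule constrains only the keys it has; a missing key matches anything."""
    if "roles" in rule and not set(rule["roles"]) & set(roles):
        return False
    if "indices" in rule and not any(fnmatchcase(index, p) for p in rule["indices"]):
        return False
    return True


def decide(roles, index, action, acl=ACL, filters=ACTION_FILTERS):
    """Return "allowed" or "denied", or raise MalformedConfiguration."""
    bypass, execute = set(), set()
    for rule in acl:
        if rule_matches(rule, roles, index):
            bypass.update(rule["filters_bypass"])
            execute.update(rule["filters_execute"])
    if not bypass and not execute:
        # Only the default rule matched: the state behind the posted ERROR line.
        raise MalformedConfiguration(f"no bypass or execute filters at all for action {action}")
    if "*" in bypass:
        return "allowed"
    to_run = (set(filters) if "*" in execute else set(execute)) - bypass
    for name in to_run:
        patterns = filters.get(name)
        # Modelling choice: a filter named in filters_execute but not configured fails closed.
        if patterns is None or not any(fnmatchcase(action, p) for p in patterns):
            return "denied"
    return "allowed"


def outcome(roles, index, action):
    """decide(), with the configuration error folded into the result string."""
    try:
        return decide(roles, index, action)
    except MalformedConfiguration:
        return "malformed"


if __name__ == "__main__":
    cases = [
        ([], "logstash-2016.03.21", "indices:monitor/status"),          # roles=[] as in the log
        (["admins"], "logstash-2016.03.21", "indices:monitor/status"),
        (["kibana-users"], ".kibana", "indices:data/write/index"),
        (["kibana-users"], "logstash-2016.03.21", "indices:data/write/index"),
        (["kibana-users"], "logstash-2016.03.21", "indices:monitor/status"),  # the head plugin's call
    ]
    for roles, index, action in cases:
        print(f"roles={roles!r:<18} index={index:<20} {action:<28} -> {outcome(roles, index, action)}")
```

The first case reproduces the log: an empty role list reaches only the default rule and the evaluator refuses the request before any action filter runs, so the fix has to start with role resolution, not with the action filters.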

FYI… I’m using OpenLDAP for our LDAP service.


On Monday, March 21, 2016 at 1:38:48 PM UTC-5, Cds Support wrote:

Hello,

I’m trying to do auth through our posix LDAP. I’m trying to configure search-guard where any user in the admins LDAP group has full (read/write) access to all indexes. Then any user in the kibana-users LDAP group has read/write on .kibana index and read to logstash-* indexes. Everything works fine without search-guard enabled so my ELK stack has been working before enabling search-guard.


Update on this. I got it to where it can see the LDAP groups for roles, but it’s grabbing all of the LDAP groups.

Below are the authorization settings in the elasticsearch.yml file.

searchguard.authentication.authorization.ldap.rolebase: "cn=groups,cn=posix"
searchguard.authentication.authorization.ldap.rolesearch: (&(objectClass=posixGroup))(memberUid={0}))
searchguard.authentication.authorization.ldap.rolename: cn
searchguard.authentication.authorization.ldap.resolve_nested_roles: false

The log below shows how it assigns every LDAP group we have to the user as a role. The testuser is only a member of the kibana-users LDAP group. So how do I get it to recognize only the kibana-users LDAP group as a role? Any help would be appreciated.

[2016-03-28 10:32:41,161][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=[webdev, rddev, admins, automation, dba, secure, appgroup, wasgroup, appdev, icpdev, kibana-users, devs, conversion, sysadm]]
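The rolesearch value in that update, (&(objectClass=posixGroup))(memberUid={0})), has one ) too many after posixGroup: the (&...) term closes right after the objectClass test, and the memberUid test is left outside it. Whether an LDAP client rejects such a string or silently keeps only the first, well-formed term depends on its parser; if only (&(objectClass=posixGroup)) survives, it selects every posixGroup under the role base, which is the role list the log shows. The script below is an added example, not Search Guard or OpenLDAP code: it parses a small RFC 4515 filter subset and evaluates it against constructed entries shaped like the posted cn=groups,cn=posix tree. It assumes the plain username is substituted for {0} (the Search Guard documentation for your version says which placeholder carries the user DN and which the username, so check that before relying on it), and it escapes the substituted value per RFC 4515, a choice of this example rather than something the thread states about Search Guard.

```python
"""Minimal LDAP search-filter parser/evaluator run over a constructed copy of the
posted posixGroup layout. Added illustration, not Search Guard or OpenLDAP code.
Assumes the plain username is substituted for {0} (the Search Guard docs for your
version say which placeholder is the user DN and which the username) and escapes
that value per RFC 4515, which is this example's own choice. Entries are invented."""
import re

DIRECTORY = [  # constructed, shaped like cn=groups,cn=posix in the post
    {"dn": "cn=admins,cn=groups,cn=posix", "objectClass": ["posixGroup"], "cn": ["admins"], "memberUid": ["alice"]},
    {"dn": "cn=kibana-users,cn=groups,cn=posix", "objectClass": ["posixGroup"], "cn": ["kibana-users"], "memberUid": ["testuser", "alice"]},
    {"dn": "cn=devs,cn=groups,cn=posix", "objectClass": ["posixGroup"], "cn": ["devs"], "memberUid": ["bob"]},
    {"dn": "cn=sysadm,cn=groups,cn=posix", "objectClass": ["posixGroup"], "cn": ["sysadm"], "memberUid": ["bob"]},
]
FIRST_ROLESEARCH = "(cn={0})"                                      # original post
POSTED_ROLESEARCH = "(&(objectClass=posixGroup))(memberUid={0}))"  # update, as posted
FIXED_ROLESEARCH = "(&(objectClass=posixGroup)(memberUid={0}))"    # same with balanced parentheses


class FilterError(ValueError):
    """A filter that does not parse (unbalanced or unsupported)."""


def escape_filter_value(value):
    """RFC 4515 escaping, so a username can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...) and (attr=value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise FilterError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|":
            op, pos = text[pos], pos + 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if not children:
                raise FilterError(f"empty {op!r} at offset {pos}")
            result = (op, children)
        else:
            end = text.find(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if end < 0 or not sep or not attr:
                raise FilterError(f"unsupported filter item at offset {pos}")
            result, pos = ("=", attr, value), end
        expect(")")
        return result

    tree = node()
    if pos != len(text):  # the posted filter fails here: its extra ')' closes the filter early
        raise FilterError(f"unbalanced filter, trailing {text[pos:]!r} at offset {pos}")
    return tree


def filter_is_valid(text):
    """Pre-deployment check for a rolesearch value (after placeholder substitution)."""
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names and values are case-insensitive."""
    if tree[0] in "&|":
        combine = all if tree[0] == "&" else any
        return combine(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    values = next((v for k, v in entry.items() if k != "dn" and k.lower() == attr.lower()), [])
    if value == "*":  # presence test
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value).lower()
    return any(v.lower() == wanted for v in values)


def groups_for(rolesearch, username, escape=True, base="cn=groups,cn=posix"):
    """cn of each group under `base` selected by the substituted rolesearch filter."""
    value = escape_filter_value(username) if escape else username
    tree = parse_filter(rolesearch.replace("{0}", value))
    return sorted(e["cn"][0] for e in DIRECTORY
                  if e["dn"].lower().endswith("," + base.lower()) and matches(tree, e))


if __name__ == "__main__":
    for label, flt in (("first", FIRST_ROLESEARCH), ("posted", POSTED_ROLESEARCH), ("fixed", FIXED_ROLESEARCH)):
        filled = flt.replace("{0}", "testuser")
        print(f"{label:<6} {filled:<50} valid={filter_is_valid(filled)}",
              groups_for(flt, "testuser") if filter_is_valid(filled) else "")
    print("username '*' unescaped ->", groups_for(FIXED_ROLESEARCH, "*", escape=False))
    print("username '*' escaped   ->", groups_for(FIXED_ROLESEARCH, "*"))
```

Under the username substitution assumed here, the original post's (cn={0}) looks for a group whose cn equals the username and finds nothing, which is consistent with the empty role list in the first log; the balanced filter returns only the groups whose memberUid lists the user. The last two lines show why the substituted value should be escaped: an unescaped * turns the memberUid test into a presence test and matches every group.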


On Tuesday, March 22, 2016 at 3:07:58 PM UTC-5, Cds Support wrote:

FYI… I’m using OpenLDAP for our LDAP service.

On Monday, March 21, 2016 at 1:38:48 PM UTC-5, Cds Support wrote:

Hello,

I’m trying to do auth through our posix LDAP. I’m trying to configure search-guard where any user in the admins LDAP group has full (read/write) access to all indexes. Then any user in the kibana-users LDAP group has read/write on .kibana index and read to logstash-* indexes. Everything works fine without search-guard enabled so my ELK stack has been working before enabling search-guard.

Below are the versions for our two node (server) ELK stack on CentOS 6.7.

Logstash 1.5.3

Elasticsearch 1.7.1

Kibana 4.0.1

Redis 2.8.6

search-guard 1.7.3.0

Our posix LDAP tree is below.

root DSE: cn=posix

group base: cn=groups,cn=posix

admin group: cn=admins,cn=groups,cn=posix <----Attribute for users in this group is memberUid

kibana-users group: cn=kibana-users,cn=groups,cn=posix <----Attribute for users in this group is memberUid

user base: cn=users,cn=posix <----Attribute for users in this group is uid

Below is my search-guard config section of the elasticsearch.yml file.

# Search-guard plugin config
searchguard.enabled: true
searchguard.ssl.transport.http.enabled: false
searchguard.allow_all_from_loopback: true
searchguard.key_path: /snapshot/search-guard-keys/preprod/
searchguard.http.xforwardedfor.header: DUMMY
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.ldap.LDAPAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: false
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.ldap.LDAPAuthorizator
searchguard.authentication.authorizer.cache.enable: false
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator
searchguard.authentication.ldap.host: ["ldap.posixserver.com:389"]
searchguard.authentication.ldap.ldaps.ssl.enabled: false
searchguard.authentication.ldap.ldaps.starttls.enabled: false
searchguard.authentication.ldap.bind_dn: "uid=linux,cn=system,cn=posix"
searchguard.authentication.ldap.password: password111
searchguard.authentication.ldap.userbase: "cn=posix"
searchguard.authentication.ldap.usersearch: (uid={0})
searchguard.authentication.ldap.username_attribute: uid
searchguard.authentication.authorization.ldap.rolebase: "cn=groups,cn=posix"
searchguard.authentication.authorization.ldap.rolesearch: (cn={0})
searchguard.authentication.authorization.ldap.userroleattribute: memberUid
searchguard.authentication.authorization.ldap.userrolename: cn
searchguard.authentication.authorization.ldap.resolve_nested_roles: false

searchguard.actionrequestfilter.names: ["kibana-server", "kibana-user", "kibana-admin", "logstash-server", "logstash-user"]

searchguard.actionrequestfilter.kibana-server.allowed_actions: [
  "cluster:monitor/nodes/info*",
  "cluster:monitor/health*",
  "indices:admin/create*",
  "indices:admin/exists*",
  "indices:admin/mapping/put*",
  "indices:admin/mappings/fields/get*",
  "indices:admin/refresh*",
  "indices:admin/validate/query*",
  "indices:data/read/get*",
  "indices:data/read/mget*",
  "indices:data/read/search*",
  "indices:data/write/delete*",
  "indices:data/write/index*",
  "indices:data/write/update*"
]

searchguard.actionrequestfilter.kibana-user.allowed_actions: [
  "cluster:monitor/nodes/info*",
  "cluster:monitor/health*",
  "indices:admin/exists*",
  "indices:admin/mappings/fields/get*",
  "indices:admin/validate/query*",
  "indices:data/read/get*",
  "indices:data/read/mget*",
  "indices:data/read/search*"
]

searchguard.actionrequestfilter.kibana-admin.allowed_actions: [
  "cluster:monitor/nodes/info*",
  "cluster:monitor/health*",
  "indices:admin/exists*",
  "indices:admin/mapping/put*",
  "indices:admin/mappings/fields/get*",
  "indices:admin/refresh*",
  "indices:admin/validate/query*",
  "indices:data/read/get*",
  "indices:data/read/mget*",
  "indices:data/read/search*",
  "indices:data/write/delete*",
  "indices:data/write/index*",
  "indices:data/write/update*",
  "indices:admin/create*"
]

searchguard.actionrequestfilter.logstash-server.allowed_actions: [
  "indices:admin/template/get*",
  "indices:admin/template/put*",
  "indices:admin/create*",
  "indices:data/write/bulk*",
  "indices:data/write/index*",
  "indices:data/write/delete*",
  "indices:data/write/update*",
  "indices:data/read/search*",
  "indices:data/read/scroll*"
]

searchguard.actionrequestfilter.logstash-user.allowed_actions: [
  "indices:admin/mappings/fields/get*",
  "indices:admin/validate/query*",
  "indices:data/read/search*",
  "indices:data/read/msearch*",
  "indices:admin/get*"
]

Below is what I ran to create the searchguard index.

curl -XPUT "http://localhost:9200/searchguard/ac/ac" -d '{
  "acl": [
    {
      "Comment": "By default no filters are executed and no filters are bypassed. In such a case an exception is thrown and access will be denied.",
      "filters_bypass": [],
      "filters_execute": []
    },
    {
      "Comment": "For role admins all filters are bypassed (so none will be executed). This means unrestricted access.",
      "roles": ["admins"],
      "filters_bypass": ["*"],
      "filters_execute": []
    },
    {
      "Comment": "Allow kibana-users group to manage kibana indices",
      "roles": ["kibana-users"],
      "indices": [".kibana"],
      "filters_bypass": ["actionrequestfilter.kibana-users"],
      "filters_execute": ["actionrequestfilter.kibana-admin"]
    },
    {
      "Comment": "Allow kibana-users group to read logstash indices",
      "roles": ["kibana-users"],
      "indices": ["logstash-*"],
      "filters_bypass": [],
      "filters_execute": ["actionrequestfilter.logstash-user"]
    }
  ]
}'

Below is the error I’m getting when logging into the elasticsearch head plugin (http://logstash1.linuxlogs.com:9200/_plugin/head/). I can get into the head plugin, but nothing is showing up. So I’m wondering what I am missing in my configuration setup that is producing the error below, and why I can’t see anything in the head plugin. The ‘testuser’ below is part of the admins LDAP group, so it should have full (read/write) access to all indexes.

[2016-03-21 13:19:35,056][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=]

[2016-03-21 13:19:35,062][WARN ][com.floragunn.searchguard.filter.SearchGuardActionFilter] Cannot determine types for indices:monitor/status (class org.elasticsearch.action.admin.indices.status.IndicesStatusRequest) due to types method not found

[2016-03-21 13:19:35,064][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=]

[2016-03-21 13:19:35,071][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all for action indices:monitor/status

com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all

at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.validateAndMerge(TokenEvaluator.java:374)
at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.<init>(TokenEvaluator.java:362)
at com.floragunn.searchguard.tokeneval.TokenEvaluator.getEvaluator(TokenEvaluator.java:310)
at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:253)
at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:90)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at com.floragunn.searchguard.filter.FLSActionFilter.applySecure(FLSActionFilter.java:76)
at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at com.floragunn.searchguard.filter.DLSActionFilter.applySecure(DLSActionFilter.java:73)
at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at com.floragunn.searchguard.filter.RequestActionFilter.applySecure(RequestActionFilter.java:94)
at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:82)
at org.elasticsearch.client.node.NodeIndicesAdminClient.execute(NodeIndicesAdminClient.java:77)
at org.elasticsearch.client.FilterClient$IndicesAdmin.execute(FilterClient.java:120)
at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient$IndicesAdmin.execute(BaseRestHandler.java:149)
at org.elasticsearch.client.support.AbstractIndicesAdminClient.status(AbstractIndicesAdminClient.java:577)
at org.elasticsearch.rest.action.admin.indices.status.RestIndicesStatusAction.handleRequest(RestIndicesStatusAction.java:61)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:53)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:225)
at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:299)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:280)
at com.floragunn.searchguard.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:37)
at com.floragunn.searchguard.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:198)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:180)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:121)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:83)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:327)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:63)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
at org.elasticsearch.common.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:74)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

[2016-03-21 13:19:35,122][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=]
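The stack trace above comes from the ACL evaluator finding no entry that supplies any filter for a user whose roles came back empty. As an added example (not the thread's own code and not Search Guard's), the Python below models that evaluation with rules assumed here as a simplification of Search Guard 1.x: every ACL entry whose role and index constraints fit the request contributes its filters_bypass and filters_execute, an empty merged set fails closed with the error seen in the log, "*" in bypass grants everything, and otherwise each executed actionrequestfilter must list the action in its allowed_actions.

```python
"""Model of how the posted ACL is evaluated (added example, not Search Guard code)."""
from fnmatch import fnmatchcase


class MalformedConfigurationException(Exception):
    """Same name as the exception in the stack trace above; raised when no
    applicable ACL entry supplies a bypass or execute filter (fail closed)."""


# allowed_actions of the two actionrequestfilters the posted ACL references,
# copied from the elasticsearch.yml section above.
ACTION_FILTERS = {
    "kibana-admin": [
        "cluster:monitor/nodes/info*", "cluster:monitor/health*",
        "indices:admin/exists*", "indices:admin/mapping/put*",
        "indices:admin/mappings/fields/get*", "indices:admin/refresh*",
        "indices:admin/validate/query*", "indices:data/read/get*",
        "indices:data/read/mget*", "indices:data/read/search*",
        "indices:data/write/delete*", "indices:data/write/index*",
        "indices:data/write/update*", "indices:admin/create*"],
    "logstash-user": [
        "indices:admin/mappings/fields/get*", "indices:admin/validate/query*",
        "indices:data/read/search*", "indices:data/read/msearch*",
        "indices:admin/get*"],
}

# The four ACL entries PUT into the searchguard index above (Comment keys dropped).
ACL = [
    {"filters_bypass": [], "filters_execute": []},
    {"roles": ["admins"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["kibana-users"], "indices": [".kibana"],
     # The posted names list defines "kibana-user", not "kibana-users",
     # so this bypass names no filter and is a no-op in this model.
     "filters_bypass": ["actionrequestfilter.kibana-users"],
     "filters_execute": ["actionrequestfilter.kibana-admin"]},
    {"roles": ["kibana-users"], "indices": ["logstash-*"],
     "filters_bypass": [], "filters_execute": ["actionrequestfilter.logstash-user"]},
]


def _entry_matches(entry, roles, indices):
    """An entry applies when the user holds one of its roles and every index the
    request names fits one of its patterns; the unconstrained default entry
    applies to everything. A request naming no index (a cluster-wide status
    call, for instance) never satisfies an index constraint."""
    if entry.get("roles") and not set(entry["roles"]) & set(roles):
        return False
    if entry.get("indices"):
        if not indices or not all(any(fnmatchcase(i, p) for p in entry["indices"])
                                  for i in indices):
            return False
    return True


def evaluate(acl, roles, indices, action, filters=ACTION_FILTERS):
    """Merge the filters of all applicable entries, then decide the request."""
    bypass, execute = set(), set()
    for entry in acl:
        if _entry_matches(entry, roles, indices):
            bypass.update(entry.get("filters_bypass", []))
            execute.update(entry.get("filters_execute", []))
    if not bypass and not execute:
        raise MalformedConfigurationException(
            "no bypass or execute filters at all for action " + action)
    if "*" in bypass:
        return "allowed"
    for name in execute - bypass:
        allowed = filters.get(name.replace("actionrequestfilter.", "", 1), [])
        if not any(fnmatchcase(action, p) for p in allowed):
            return "denied"
    return "allowed"


def check(roles, indices, action):
    """evaluate() with the fail-closed case reported as a string."""
    try:
        return evaluate(ACL, roles, indices, action)
    except MalformedConfigurationException as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    # testuser as the log shows it: authenticated, but roles=[] because the
    # rolesearch (cn={0}) matched no group, so only the default entry applies.
    print(check([], [], "indices:monitor/status"))
    print(check(["admins"], [], "indices:monitor/status"))
    print(check(["kibana-users"], [".kibana"], "indices:data/write/index"))
    print(check(["kibana-users"], ["logstash-2016.03.21"], "indices:data/write/index"))
```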

****Update on this. I got it working with these settings below. Had to make it look at memberUid inside the group since we don’t use memberOf, which is what search-guard defaults to. Hopefully this information is helpful to others out there. This thread is considered closed now.

searchguard.authentication.authorization.ldap.rolesearch: "(memberUid={1})"

searchguard.authentication.authorization.ldap.userroleattribute: memberUid


On Tuesday, March 29, 2016 at 8:11:16 AM UTC-5, Cds Support wrote:

****Update on this. I got it where it can see the ldap groups for roles, but it’s grabbing all of the ldap groups.

Below are the authorization settings in the elasticsearch.yml file.

searchguard.authentication.authorization.ldap.rolebase: "cn=groups,cn=posix"
searchguard.authentication.authorization.ldap.rolesearch: (&(objectClass=posixGroup))(memberUid={0}))
searchguard.authentication.authorization.ldap.rolename: cn
searchguard.authentication.authorization.ldap.resolve_nested_roles: false

Below shows in the log how it assigns the role for every ldap group we have to the user. The testuser is only a part of the kibana-users ldap group. So how do I get it to only recognize it being part of the kibana-users ldap group as a role? Any help would be appreciated.

[2016-03-28 10:32:41,161][INFO ][com.floragunn.searchguard.rest.DefaultRestFilter] Authenticated user is User [name=testuser, roles=[webdev, rddev, admins, automation, dba, secure, appgroup, wasgroup, appdev, icpdev, kibana-users, devs, conversion, sysadm]]

On Tuesday, March 22, 2016 at 3:07:58 PM UTC-5, Cds Support wrote:

FYI… I’m using openLDAP for our LDAP service.

On Monday, March 21, 2016 at 1:38:48 PM UTC-5, Cds Support wrote:

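The fix at the top of this message works because rolesearch is evaluated against every entry under rolebase with the user substituted in, and the posixGroup entries carry the login name in memberUid rather than a memberOf back-link on the user. As an added example (not the thread's own code and not Search Guard's), the Python below resolves roles from a constructed stand-in for the thread's group subtree using a minimal RFC 4515 filter evaluator (equality, presence, & and | only), assuming {0} is replaced by the user DN and {1} by the user name, which is what the working (memberUid={1}) relies on. It shows why (cn={0}) produced roles=[], why a filter reduced to its posixGroup clause returns every group (admins included), that the March 29 filter has an unbalanced ')', and that the substituted name must be escaped.

```python
"""Role resolution against a posixGroup tree (added example, not Search Guard code)."""
import re

# Constructed stand-in for the thread's cn=groups,cn=posix subtree.
GROUPS = [
    {"dn": "cn=admins,cn=groups,cn=posix", "objectClass": ["posixGroup"],
     "cn": ["admins"], "memberUid": ["root", "alice"]},
    {"dn": "cn=kibana-users,cn=groups,cn=posix", "objectClass": ["posixGroup"],
     "cn": ["kibana-users"], "memberUid": ["testuser", "alice"]},
    {"dn": "cn=devs,cn=groups,cn=posix", "objectClass": ["posixGroup"],
     "cn": ["devs"], "memberUid": ["bob"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_rolesearch(template, user_dn, username):
    """Substitute {0} (user DN) and {1} (user name); the placeholder meaning is
    assumed here, taken from the working (memberUid={1}) setting above."""
    return (template.replace("{0}", escape_filter_value(user_dn))
                    .replace("{1}", escape_filter_value(username)))

def _parse(text):
    """Recursive-descent parse of one parenthesised filter -> (node, rest)."""
    if not text.startswith("("):
        raise ValueError("expected '(' at %r" % text[:20])
    body = text[1:]
    if body[:1] in ("&", "|"):
        op, body, kids = body[0], body[1:], []
        while body.startswith("("):
            kid, body = _parse(body)
            kids.append(kid)
        if not body.startswith(")"):
            raise ValueError("unterminated %r list" % op)
        return (op, kids), body[1:]
    m = re.match(r"([A-Za-z][\w;-]*)=([^()]*)\)", body)
    if not m:
        raise ValueError("bad filter item at %r" % body[:20])
    return ("=", m.group(1), m.group(2)), body[m.end():]

def parse_filter(text):
    """Parse a whole filter; anything left over (such as a stray ')') is an error."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    attr, value = node[1].lower(), node[2]
    values = [v.lower() for k, vs in entry.items()
              if k != "dn" and k.lower() == attr for v in vs]
    if value == "*":                      # presence filter, e.g. (memberUid=*)
        return bool(values)
    return _unescape(value).lower() in values

def resolve_roles(template, user_dn, username, groups=GROUPS, rolename="cn"):
    """Role names = the `rolename` attribute of every group the filter matches."""
    node = parse_filter(render_rolesearch(template, user_dn, username))
    return sorted(g[rolename][0] for g in groups if matches(node, g))

def is_well_formed(template):
    """True when the rendered rolesearch parses as one complete filter."""
    try:
        parse_filter(render_rolesearch(template, "uid=x,cn=users,cn=posix", "x"))
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    DN, USER = "uid=testuser,cn=users,cn=posix", "testuser"
    print(resolve_roles("(cn={0})", DN, USER))                # no group has cn=<DN>
    print(resolve_roles("(&(objectClass=posixGroup))", DN, USER))  # every group, admins too
    print(resolve_roles("(memberUid={1})", DN, USER))         # the working setting
    print(is_well_formed("(&(objectClass=posixGroup))(memberUid={0}))"))
    print(resolve_roles("(memberUid={1})", DN, "*"))          # escaped, not a presence match
```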