Access Granted in access log but AuthorizationException in response

security

#1

Hi All,

Have a strange issue. Using AD with Shield to authenticate users and have an account that is tied to a role that is not being allowed to carry out its actions.

With the account, I can execute a curl command against the basic URL (localhost:9200) and get back the status response fine (with status, cluster name, version etc), but when I do anything else, for instance localhost:9200/_cat/indices, I get an access granted message in the log for it:

[2016-10-03 11:09:48,086] [node-d01] [transport] [access_granted] origin_type=[rest], origin_address=[/192.168.1.18:37964], principal=[curator], action=[cluster:monitor/state], indices=[]

But in the response to the curl command I get an AuthorizationException:

{"error":"RemoteTransportException[[es-m01-node-m01][inet[/10.65.4.41:9300]][cluster:monitor/state]]; nested: AuthorizationException[action [cluster:monitor/state] is unauthorized for user [curator]]; ","status":403}

How is it possible that it's getting access granted and yet refused the action too!?

For reference, I've also now been trying this with the admin settings for that role (in roles.yml):

curator:
  cluster: monitor
  indices:
    '*': all


(Jay Modi) #2

It looks like the role may not exist or has different permissions on a remote node in the cluster (10.65.4.41). Can you check the other node to see if the role exists there?


#3

Yep, that's fixed it! Thanks very much. As the curl was just talking to one node, I didn't think permissions on the others would be needed (and I failed to see the different IP addresses in the curl response).
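
As an added example (not part of the original thread and not Shield's own code), the following Python correlates the audit-log line and the 403 body quoted in the first post to show that the grant and the denial came from different nodes, then groups nodes by a digest of their roles.yml text to spot drift. The function names and the `SAMPLE_ROLES` contents are constructed for illustration; collecting roles.yml from each node is assumed to be done separately.

```python
import hashlib
import json
import re

# Both samples are copied from the first post in this thread.
AUDIT_LINE = ("[2016-10-03 11:09:48,086] [node-d01] [transport] [access_granted] "
              "origin_type=[rest], origin_address=[/192.168.1.18:37964], "
              "principal=[curator], action=[cluster:monitor/state], indices=[]")
ERROR_BODY = ('{"error":"RemoteTransportException[[es-m01-node-m01]'
              '[inet[/10.65.4.41:9300]][cluster:monitor/state]]; nested: '
              'AuthorizationException[action [cluster:monitor/state] is '
              'unauthorized for user [curator]]; ","status":403}')
# Constructed roles.yml contents per node (hypothetical, for the drift check).
SAMPLE_ROLES = {
    "node-d01": "curator:\n  cluster: monitor\n  indices:\n    '*': all\n",
    "es-m01-node-m01": "# curator role absent\n",
}

AUDIT_RE = re.compile(r"\] \[(?P<node>[^\]]+)\] \[transport\] \[(?P<event>\w+)\].*"
                      r"principal=\[(?P<user>[^\]]+)\], action=\[(?P<action>[^\]]+)\]")
REMOTE_RE = re.compile(r"RemoteTransportException\[\[(?P<node>[^\]]+)\]"
                       r"\[inet\[/(?P<addr>[^\]]+)\]\].*action \[(?P<action>[^\]]+)\]"
                       r" is unauthorized for user \[(?P<user>[^\]]+)\]")

def diagnose(audit_line, error_body):
    """Report which node granted and which node denied the same user/action."""
    granted = AUDIT_RE.search(audit_line)
    body = json.loads(error_body)
    denied = REMOTE_RE.search(body.get("error", ""))
    if not granted or not denied or granted["event"] != "access_granted":
        return None
    return {"granted_on": granted["node"], "denied_on": denied["node"],
            "denied_addr": denied["addr"],
            "same_request": (granted["user"], granted["action"])
                            == (denied["user"], denied["action"]),
            "cross_node": granted["node"] != denied["node"]}

def role_drift(roles_by_node):
    """Group nodes by a digest of their roles.yml text; >1 group means drift."""
    groups = {}
    for node, text in roles_by_node.items():
        normalized = "\n".join(l.rstrip() for l in text.strip().splitlines())
        digest = hashlib.sha256(normalized.encode()).hexdigest()
        groups.setdefault(digest, []).append(node)
    return sorted(groups.values())

if __name__ == "__main__":
    print(diagnose(AUDIT_LINE, ERROR_BODY))
    print(role_drift(SAMPLE_ROLES))
```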

