Clear cache API

(Mariusz Derela) #1

Hello

Based on the documentation we should use a POST request on _shield/realm/NAME/_cache/clear to evict users from the user cache.
However, it looks like this handler doesn't work anymore...

$ curl -u admin -XPOST http://127.0.0.1:9200/_shield/realm/ldap1/_cache/clear
Enter host password for user 'admin':
No handler found for uri [/_shield/realm/ldap1/_cache/clear] and method [POST]

Any advice?


(Michal) #2

Hello Mariusz,

I have the same issue as you.
Technical documentation of Shield sucks :confused:


(Jay Modi) #3

Hi Mariusz,

Can you share the version of shield and elasticsearch that you are using? Also can you share your shield settings from the elasticsearch.yml file?

-Jay


(Mariusz Derela) #4

Hi, we are using version 2.3.1

"version": {
  "number": "2.3.1",
  "build_hash": "bd980929010aef404e7cb0843e61d0665269fc39",
  "build_timestamp": "2016-04-04T12:25:05Z",
  "build_snapshot": false,
  "lucene_version": "5.5.0"
}

And shield in the same version :

license 2.3.1 j  
shield  2.3.1 j  

On each host.

Our current configuration (more or less) looks like that:

cluster.name: {{ cluster }}
node.name: ${HOSTNAME}-{{ item.0 }}
node.master: {{ item.3 }}
node.data: {{ item.4 }}
node.rack: ${HOSTNAME}
path.data: {{ item.1 }}
bootstrap.mlockall: 1
network.bind_host: ${HOSTNAME}
network.publish_host: ${HOSTNAME}
network.host: ${HOSTNAME}
http.port: {{ item.2 }}
discovery.zen.ping.unicast.hosts: {{ hosts }}
discovery.zen.minimum_master_nodes: 4
node.max_local_storage_nodes: 3
cluster.routing.allocation.awareness.attributes: rack
cluster.routing.allocation.same_shard.host: 1
processors: 13
index.merge.scheduler.max_thread_count: 1

shield.ssl.keystore.path: /etc/elasticsearch/node{{ item.0 }}/shield/node.jks
shield.ssl.keystore.password: OUR_SECRET_PASSWORD :slight_smile:

shield:
  authc:
    realms:
      ldap1:
        type: ldap
        hostname_verification: 0
        order: 0
        url: "ldaps://{{ ldap_server }}:636"
        user_dn_templates:
          - "uid={0}, ou=People, o=company"
          {{ ldap_users }}
        group_search:
          base_dn: {{ ldap_group }}
        files:
          role_mapping: "/etc/elasticsearch/node{{ item.0 }}/shield/role_mapping.yml"


(Michal) #5

Any update?


(Mariusz Derela) #6

No :frowning:
I still do not know how to accelerate the propagation of the permission changes. It looks like you need to be really calm before you upgrade ELK to the newest version.

Maybe it is better to wait a little before publishing a new "stable" version... updating the whole infra every week is really painful.


(Jay Modi) #7

@us3r @michalterbert thank you for bringing this to our attention. In the process of adding a new alias for this API, the prior one was inadvertently removed. As a workaround, you can use the following command:

curl -u admin -XPOST http://127.0.0.1:9200/_shield/realm/ldap1/_clear_cache

I'll ensure the documentation is updated and the pre-existing API is restored for the next release.
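Since the working path differs between releases, a script that clears the realm cache after an LDAP group or role-mapping change (so a revoked user stops being served from the cache) should try the documented path and fall back to the `_clear_cache` alias. The following is an added example, not code from this thread or from Shield; the candidate order, the `send` hook and the stub responses are constructed for illustration:

```python
"""Clear a Shield realm's user cache, falling back across endpoint aliases.

Shield 2.3.1 answers "No handler found" on the documented
POST /_shield/realm/<name>/_cache/clear but accepts
POST /_shield/realm/<name>/_clear_cache, so both paths are tried in turn.
"""
import base64
import urllib.error
import urllib.request

# Documented path first, then the alias that works on 2.3.1 (constructed order).
CANDIDATE_PATHS = ("_cache/clear", "_clear_cache")


def cache_clear_urls(base_url, realm):
    """Return the candidate clear-cache URLs for one realm, in try order."""
    base = base_url.rstrip("/")
    return [f"{base}/_shield/realm/{realm}/{path}" for path in CANDIDATE_PATHS]


def classify_response(status, body):
    """Map an HTTP reply to 'cleared', 'no_handler' (unknown route) or 'error'."""
    if "No handler found" in body:
        return "no_handler"
    return "cleared" if status == 200 else "error"


def _http_post(url, headers):
    """Real transport: POST with no body, returning (status, body_text)."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


def clear_realm_cache(base_url, realm, user, password, send=_http_post):
    """Try each candidate URL with basic auth; stop at the first one that is
    routed. Returns (url, outcome); `send` is a hypothetical hook for stubs."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token}
    result = None
    for url in cache_clear_urls(base_url, realm):
        status, body = send(url, headers)
        result = (url, classify_response(status, body))
        if result[1] != "no_handler":
            break
    return result
```

A stub `send` that mimics the 2.3.1 behaviour (first path unrouted, alias returns 200) lets the fallback be exercised offline before pointing the script at a real cluster.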

