Cross-cluster search security exception in Chrome

DaveyDevOps · April 11, 2018, 9:17pm

Elasticsearch version (bin/elasticsearch --version):
Version: 6.2.2, Build: 10b1edd/2018-02-16T19:01:30.685723Z, JVM: 1.8.0_121
and
Version: 5.6.6, Build: 7d99d36/2018-01-09T23:55:47.880Z, JVM: 1.8.0_121

Plugins installed: [x-pack, repository-hdfs]

JVM version (java -version):
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-tdc1-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

OS version (uname -a if on a Unix-like system):
SLES Linux 3.0.101-0.113.TDC.1.R.0-default SMP Fri Dec 9 04:51:20 PST 2016 (ca32437) x86_64 x86_64 x86_64 GNU/Linux

Chrome version:
Version 65.0.3325.181 (Official Build) (64-bit)

Description of the problem including expected versus actual behavior:
We setup a proof of concept Cross-cluster search between our "local" 6x cluster and "remote" 5x cluster.
We were able to achieve the same results described in the examples.
However did some additional exploration of how cross-cluster search behaves.
In Chrome:
https://our.elastic.url/5x:remote_index,local_index/_search
behaves as expected but searching the remote index alone
https://our.elastic.url/5x:remote_index/_search
returns

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [indices:admin/shards/search_shards] requires authentication",
        "header": {
          "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type": "transport_exception",
    "reason": "unable to communicate with remote cluster [DEV35x]",
    "caused_by": {
      "type": "security_exception",
      "reason": "action [indices:admin/shards/search_shards] requires authentication",
      "header": {
        "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
      }
    }
  },
  "status": 500
}

Chrome developer tools show that the authenticate header is not being sent in the request (missing a 401 check/response?).

The same call (searching the remote index alone) return results in Kibana DEV tools, Internet Explorer and curl.

While the behavior seems to be limited to Chrome I thought it was still good to share.
Thank you.

Steps to reproduce:

Initially both clusters were hosted on the same set of machines. Later tested on separate machines, today I tested between two 6x clusters and continue to see the security exception.

Setup Cross-cluster search to a remote_cluster and create a remote_index where authentication will be required
In Kibana DEV tools GET /remote_cluster:remote_index/_search should return results
Access from Chrome https://elastichost:port/remote_cluster:remote_index/_search should return the security exception

TimV · April 12, 2018, 1:04am

I wasn't able to reproduce this, so I suspect it might be dependent on a particular chrome version/platform, but my guess is that it's a URL encoding issue.

Try encoding the : as %3A

https://our.elastic.url/5x%3Aremote_index/_search

DaveyDevOps · April 12, 2018, 3:03am

Thanks for taking a look at it. URL encoding is a good thought.
I tried out the %3A but still received the security exception.
If the issue appears to be limited to my particular browser I am not sure there is much more to do with this (and I think that is okay).

system · May 10, 2018, 3:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.