Curator with Shield: How to pass credentials securely?


(David Guertin) #1

I'm trying to run Curator 3.5 with Shield with SSL. I'm using the following options to curator:
--certificate (pem-encoded CA)
--client-cert (public key file)
--client-key (private key file)

and then the usual options to specify the host, indices to delete, age to delete, etc.

This command fails with:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}},"status":401}

I've seen this before -- it wants credentials. So I add the option:
--http_auth (username):(password), and now it works.

But the only way I can make it work is to enter the password in the command, which makes me all kinds of uneasy. Is there an alternative that I'm missing?


(Aaron Mildenstein) #2

Curator should allow certificate based authentication, rather than requiring username and password. You may need to associate a certificate with a user for this to work.

Otherwise, the soon-to-be-released Curator v4 uses configuration files, preventing the password from being on the command line.

(David Guertin) #3

Thanks. Please forgive the basic question, but how would I associate a certificate with a user?

(Aaron Mildenstein) #4

This is the Shield documentation on user PKI authentication.
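
An added example, not part of the original thread and not taken from the Shield documentation: a sketch of the PKI setup discussed in posts #2 to #4, in which the certificate passed with --client-cert and --client-key identifies the user, so no --http_auth password is needed. The realm names, the role name curator_role and the certificate DN are assumed placeholders, and the setting names assume Shield 2.x; check them against the installed version.

```yaml
# --- elasticsearch.yml, on every node Curator connects to ---
# Assumes SSL is already enabled on the HTTP layer, as in post #1.
# Flat dotted keys are used on purpose, so they cannot clash with an
# existing "shield.http.ssl: true" line.

# Once any realm is listed explicitly, the implicit default realm is gone,
# so the username/password realm is declared here to keep other clients working.
shield.authc.realms.esusers1.type: esusers
shield.authc.realms.esusers1.order: 0

# PKI realm: the user is taken from the subject DN of the client certificate.
# The certificate must chain to a CA that the node already trusts.
shield.authc.realms.pki1.type: pki
shield.authc.realms.pki1.order: 1

# "optional" requests a client certificate but still accepts basic auth;
# "required" refuses any HTTP connection that does not present one.
shield.http.ssl.client.auth: optional

# --- CONFIG_DIR/shield/role_mapping.yml ---
# Maps the certificate's subject DN to a role. The DN below is a constructed
# placeholder; print the real one with:
#   openssl x509 -in <client-cert file> -noout -subject
# curator_role is a hypothetical role that must already exist in roles.yml
# and should carry only the index privileges Curator needs.
curator_role:
  - "CN=curator,OU=ops,DC=example,DC=com"
```

With this in place the private key file replaces the password as the secret to protect, so it should be readable only by the account that runs Curator.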
