I'm working on an implementation of a custom authorization engine by following the instructions on this page and using this sample. I'm using Elasticsearch v8.2.0.
I've been able to generate the single zip file for my custom authorization engine and I've followed the steps to use the security extension as described on that page. I implemented the AuthorizationEngine to basically deny index operations. So I implemented this method to deny.
The issue I'm facing is I don't think the security extension is being called, as all my index actions like create and delete are succeeding. I would have expected a denial while running index-related actions. Even the logs don't seem to provide any information about whether the extension is used or not, although the logs do say that my plugin was loaded. Any idea if I'm missing something?
Authorization Engines are pretty tricky to get right, and are a really advanced feature. Are you sure that's the right answer to the problem you have?
I definitely do not recommend it if you have any other options.
It's hard to debug the problem without seeing your code. The only advice I can offer is to take it 1 step at a time. Put some logging in the constructor for your SecurityExtension and then some in the getAuthorizationEngine method and see whether they're being called.
I'm trying to use an external authorization engine to authorize requests that ES gets. Here is the code.
I was using print statements to figure out if the code is being called but I'll try to add some logs. Please do let me know if the code looks ok. I appreciate the help.
The problem is that you are testing with the elastic user. Builtin users will always use the RBAC engine. You need to use a custom user if you want to use your own engine.
Hey @TimV, thanks for your reply. I created a custom role as described here and a custom user as described here. In this case too, it looks like it uses the RBAC engine. Is this the correct way to test, or can you please recommend something else?
Secondly, I'm using docker.elastic.co/elasticsearch/elasticsearch:8.2.0 for my setup, which should be fine, correct?
$ curl --cacert http_ca.crt -u bob -X PUT "https://localhost:9200/my-index-000001?pretty"
Enter host password for user 'bob':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/create] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_index,manage,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/create] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_index,manage,all]"
  },
  "status" : 403
}
Test Query 2: Add a single document
$ curl --cacert http_ca.crt -u bob -X POST "https://localhost:9200/logs-my_app-default/_doc?pretty" -H 'Content-Type: application/json' -d'
{
  "@timestamp": "2099-05-06T16:21:15.000Z",
  "event": {
    "original": "192.0.2.42 - - [06/May/2099:16:21:15 +0000] \"GET /images/bg.jpg HTTP/1.0\" 200 24736"
  }
}
'
Enter host password for user 'bob':
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/write/index] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_doc,create,index,write,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:data/write/index] is unauthorized for user [bob] with roles [not_superuser], this action is granted by the index privileges [create_doc,create,index,write,all]"
  },
  "status" : 403
}
In both the test cases, the RBAC engine seems to be making the decision and not the custom engine.
When I start ES with xpack.license.self_generated.type=trial, my custom authorization code is now being called. Thanks @TimV, appreciate the help.
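A test script, added here as an example and not taken from the thread or from Elasticsearch, that applies the two conditions the thread arrives at (test with a non-built-in user, on a trial license) and goes one step further than the posts above: the probe user gets a role that the RBAC engine would accept for the request, so a 403 on the create-index call can only have come from a deny-all custom engine, while a 200 means RBAC decided and the extension was not consulted. The variables ES_URL, ES_CA, ELASTIC_PASSWORD, TEST_USER/TEST_PASS, the role name custom_engine_probe and the index probe-000001 are assumptions; `POST /_license/start_trial?acknowledge=true` is the standard API for switching a running cluster to a trial license, an alternative to the self_generated.type=trial setting used above; that platinum and enterprise licenses also enable security extensions is assumed, since the thread only demonstrates trial.

```shell
#!/bin/sh
# Added example: probe whether a SecurityExtension's custom AuthorizationEngine
# is actually being consulted. Assumes an 8.x cluster reachable at $ES_URL with
# its HTTP CA in $ES_CA and the elastic password in $ELASTIC_PASSWORD.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-http_ca.crt}"
TEST_USER="${TEST_USER:-bob}"          # must NOT be a built-in user
TEST_PASS="${TEST_PASS:-changeme-bob}" # assumed password for the probe user

# Users shipped with Elasticsearch (reserved realm). These are always
# authorized by the built-in RBAC engine, never by an extension's engine.
is_builtin_user() {
  case "$1" in
    elastic|kibana_system|kibana|logstash_system|beats_system|apm_system|remote_monitoring_user) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the "type" value out of a GET /_license body on stdin (no jq needed).
license_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# License levels on which X-Pack activates security extensions. "trial" is
# what the thread confirms; platinum and enterprise are assumed.
license_enables_extensions() {
  case "$1" in
    trial|platinum|enterprise) return 0 ;;
    *) return 1 ;;
  esac
}

# es METHOD PATH USER:PASS [JSON_BODY]
es() {
  method=$1; path=$2; auth=$3; body=${4:-}
  curl -sS --cacert "$ES_CA" -u "$auth" -X "$method" "$ES_URL$path" \
       -H 'Content-Type: application/json' ${body:+-d "$body"}
}

run_checks() {
  admin="elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD}"
  if is_builtin_user "$TEST_USER"; then
    echo "refusing to test with built-in user '$TEST_USER': it always uses the RBAC engine" >&2
    return 1
  fi
  lic=$(es GET /_license "$admin" | license_type)
  if ! license_enables_extensions "$lic"; then
    echo "license type '$lic' does not activate security extensions; starting a trial" >&2
    es POST '/_license/start_trial?acknowledge=true' "$admin" >/dev/null
  fi
  # Give the probe user a role that RBAC WOULD accept for PUT probe-000001, so
  # the outcome identifies the engine: 403 = custom engine denied, 200 = RBAC.
  es PUT /_security/role/custom_engine_probe "$admin" \
     '{"indices":[{"names":["probe-*"],"privileges":["create_index","write"]}]}' >/dev/null
  es PUT "/_security/user/$TEST_USER" "$admin" \
     "{\"password\":\"$TEST_PASS\",\"roles\":[\"custom_engine_probe\"]}" >/dev/null
  code=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$ES_CA" \
         -u "$TEST_USER:$TEST_PASS" -X PUT "$ES_URL/probe-000001")
  echo "PUT probe-000001 as $TEST_USER -> HTTP $code (403: custom engine denied; 200: RBAC engine decided, extension not consulted)"
}

# Run the live checks only when invoked as: sh probe.sh run
if [ "${1:-}" = run ]; then
  run_checks
fi
```

Run it as `ELASTIC_PASSWORD=... sh probe.sh run`; the helper functions are kept separate from the live calls so the classification logic can be exercised without a cluster.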