Custom Realm Authentication Validation


(Alex) #1

Hi All,

I have created a custom realm and am trying to validate that it is working in curl. It has the following request headers:

  • audience
  • referer
  • stoken
  • username

How do I test this is working via curl? It seems to only work if I use the --user elastic:changeme argument. Ideally it should work like something similar to the below:
curl -H "referer: http://thing-docvr.dir.thing.com/" -H "audience: docvr-search-80-d3search.thing.com" -H "stoken: STOKEN_VALUE_HERE" http://localhost:9200

Any advice?


(Tim Vernum) #2

It looks like the answer is that you have tested it, and it's not working.

If all it is supposed to need is those headers in order to authenticate, and you are passing them via curl but receiving unauthenticated errors, then your realm isn't working.

I suggest that you add logging to your realm, and trace what is happening. That's going to be more effective than having us guess.


(Alex) #3

I believe I need to use Log4j to do that. I have integrated it within my custom realm and tested that it works, however I can't get the logs to show within elasticsearch.log and they don't seem to be creating a file like expected. I followed this (https://stackoverflow.com/questions/21206993/very-simple-log4j2-xml-configuration-file-using-console-and-file-appender).

How do I integrate the logger with Elasticsearch?

EDIT - I worked this out... For the sake of completeness I will update this with my fix for others who may stumble across this.


(Alex) #4

Okay, so from debugging it seems the CustomRealm authenticate function is never actually called. My custom realm gets all the headers from the request and then prints them.

Within the function which gets the data from the headers, I print "In ThreadContext Thingy within CustomRealm" and print the header values. I then validate that they are all not null; if they are not null I create a new token. If they are null, I return null. This all works.

Around 20 seconds later, I get an error

[2017-09-07T11:33:22,926][WARN ][o.e.c.InternalClusterInfoService] [SLB-1G3QD12] Failed to execute NodeStatsAction for ClusterInfoUpdateJob
org.elasticsearch.ElasticsearchSecurityException: error attempting to authenticate request
at org.elasticsearch.xpack.security.support.Exceptions.authenticationError(Exceptions.java:33) ~[?:?]
at ....

I have attached my log to this post.

The authenticate function within the custom realm has the following comment: "This method will only be called if the token is a supported token." Does this mean that I need to say that it is a supported token somehow? If so, how? I didn't see this within the custom-realm example.

Cheers!

EDIT - It seems whenever I post I fix it... There is a function within CustomRealm called supports... I added my token there and it is now calling the authenticate function.... still broken though... stay tuned.


(Alex) #5

So turns out that the main issue was that it wasn't in the supports section. After that, the issue was that my token was no longer valid. Classic ID10T.

The main takeaway was that I evidently failed at integrating log4j2 but when running elasticsearch.exe from command line it outputted everything from System.out.println.
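
The two failures reported in this thread (authenticate never being called until supports accepted the token, then a token that was no longer valid) can be reproduced in a small model. This is an added example, not code from the posts and not the X-Pack API: every type, the dispatch method, the username and the stoken values are stand-ins constructed for illustration.

```java
import java.util.Map;

// Stand-in types modelling the flow described in the thread; these are NOT the X-Pack classes.
// Requires Java 16+ (records, pattern matching for instanceof).
public class RealmDispatchDemo {
    interface Token { String principal(); }
    record HeaderToken(String username, String stoken, String audience, String referer) implements Token {
        public String principal() { return username; }
    }
    record BasicToken(String username, String password) implements Token {
        public String principal() { return username; }
    }

    static abstract class Realm {
        // Build a token from the request headers, or return null when any header is missing.
        Token token(Map<String, String> h) {
            String u = h.get("username"), s = h.get("stoken"), a = h.get("audience"), r = h.get("referer");
            return (u == null || s == null || a == null || r == null) ? null : new HeaderToken(u, s, a, r);
        }
        abstract boolean supports(Token t);
        // Constructed check; a real realm would verify stoken with whatever issued it.
        String authenticate(Token t) {
            System.out.println("  authenticate() called for " + t.principal());
            return (t instanceof HeaderToken ht && "VALID-SAMPLE".equals(ht.stoken())) ? ht.username() : null;
        }
    }

    // authenticate() is reached only when token() returned a token and supports() accepted it.
    static String dispatch(Realm realm, Map<String, String> headers) {
        Token t = realm.token(headers);
        if (t == null || !realm.supports(t)) return null; // realm skipped
        return realm.authenticate(t);
    }

    static Map<String, String> headers(String stoken) { // constructed sample headers
        return Map.of("username", "alex", "stoken", stoken,
                      "audience", "docvr-search-80-d3search.thing.com",
                      "referer", "http://thing-docvr.dir.thing.com/");
    }

    public static void main(String[] args) {
        Realm broken = new Realm() { boolean supports(Token t) { return t instanceof BasicToken; } };
        Realm fixed  = new Realm() { boolean supports(Token t) { return t instanceof HeaderToken; } };
        System.out.println("supports() rejects the header token: " + dispatch(broken, headers("VALID-SAMPLE")));
        System.out.println("supports() accepts it, stoken valid: " + dispatch(fixed, headers("VALID-SAMPLE")));
        System.out.println("supports() accepts it, stoken stale: " + dispatch(fixed, headers("EXPIRED-SAMPLE")));
    }
}
```

The "authenticate() called" trace line separates the two failure modes: it is absent when supports rejects the token type, and present when the token is accepted but fails validation.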

