Docker [ES+Shield]


(Tehina) #1

Hello,

In order to secure Elasticsearch, I had to install Shield.

So I created a Dockerfile that pulls the official Elasticsearch image and directly adds the lines needed to install the plugins I need: Shield and HQ.

However, I have a problem with authentication, which is constantly refused, even though I can create users that show up in "esusers list" and in users (etc/elasticsearch/shield):

root@3be61fa46b4d:/usr/share/elasticsearch/bin# curl -u admin 'http://localhost:9200/_shield'
Enter host password for user 'admin':
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [admin] for REST request [/_shield]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [admin] for REST request [/_shield]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}
root@3be61fa46b4d:/usr/share/elasticsearch/bin# shield/esusers list
admin          : admin

root@3be61fa46b4d:/etc/elasticsearch/shield# ls
logging.yml  role_mapping.yml  roles.yml  users  users_roles

root@3be61fa46b4d:/etc/elasticsearch/shield# cat users
admin:$2a$10$4Z6ixwTnEewy7r4QjHTh2OIo3SJszTDm6GM7ZeqSI7k.quC5HA7NW

While searching for similar problems, I found several leads (all tested):

  • Changing the environment variable

export ES_JAVA_OPTS="-Des.path.conf=/etc/elasticsearch"

  • Moving the shield folder located in etc/elasticsearch
  • And creating a symlink between usr/share/elasticsearch/config and etc/elasticsearch/shield

[2016-02-02 13:25:31,930][INFO ][node ] [Box] version[2.1.1], pid[1], build[40e2c53/2015-12-15T13:05:55Z]
[2016-02-02 13:25:31,932][INFO ][node ] [Box] initializing ...
[2016-02-02 13:25:32,620][INFO ][plugins ] [Box] loaded [license, shield], sites [hq]
[2016-02-02 13:25:32,657][INFO ][env ] [Box] using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/disk/by-label/DOROOT)]], net usable_space [15.2gb], net total_space [19.5gb], spins? [possibly], types [ext4]
[2016-02-02 13:25:33,201][INFO ][http ] [Box] Using [org.elasticsearch.http.netty.NettyHttpServerTransport] as http transport, overridden by [shield]
[2016-02-02 13:25:33,758][INFO ][transport ] [Box] Using [org.elasticsearch.shield.transport.ShieldServerTransportService] as transport service, overridden by [shield]
[2016-02-02 13:25:33,764][INFO ][transport ] [Box] Using [org.elasticsearch.shield.transport.netty.ShieldNettyTransport] as transport, overridden by [shield]
[2016-02-02 13:25:39,616][INFO ][node ] [Box] initialized
[2016-02-02 13:25:39,617][INFO ][node ] [Box] starting ...
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/elasticsearch/config/shield/system_key" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
at sun.nio.fs.UnixPath.checkRead(UnixPath.java:795)
at sun.nio.fs.UnixFileSystemProvider.checkAccess(UnixFileSystemProvider.java:290)
at java.nio.file.Files.exists(Files.java:2385)
at org.elasticsearch.shield.crypto.InternalCryptoService.readSystemKey(InternalCryptoService.java:185)
at org.elasticsearch.shield.crypto.InternalCryptoService.loadKeys(InternalCryptoService.java:133)
at org.elasticsearch.shield.crypto.InternalCryptoService.doStart(InternalCryptoService.java:115)
at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68)
at org.elasticsearch.node.Node.start(Node.java:242)
at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:221)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:287)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Refer to the log for complete error details.
[2016-02-02 13:25:39,643][INFO ][node ] [Box] stopping ...
[2016-02-02 13:25:39,654][INFO ][node ] [Box] stopped
[2016-02-02 13:25:39,655][INFO ][node ] [Box] closing ...
[2016-02-02 13:25:39,676][INFO ][node ] [Box] closed

Unfortunately none of these solutions work, which is why I am taking the liberty of sharing my problem to get some outside help, which would be very welcome :slightly_smiling:
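A diagnostic check for the situation described in the post, added here as an example and not code from the thread: it compares the Shield directory that esusers wrote to (/etc/elasticsearch/shield in the post) with the directory the node actually reads (the stack trace shows /usr/share/elasticsearch/config/shield), and flags a system_key that is missing or world-readable. Both paths are taken from the post; the placeholder values used when exercising it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. A user that exists only in the directory
# esusers wrote to is invisible to a node reading <path.conf>/shield elsewhere,
# and a system_key the node cannot read stops it at startup.

check_shield_conf() {
  esusers_dir="$1"   # directory esusers wrote users/users_roles into
  node_dir="$2"      # <path.conf>/shield as resolved by the running node
  rc=0
  for f in users users_roles roles.yml role_mapping.yml; do
    if [ -f "$esusers_dir/$f" ]; then
      if [ ! -f "$node_dir/$f" ]; then
        echo "MISMATCH: $f is in $esusers_dir but not in $node_dir; the node never sees it"
        rc=1
      elif ! cmp -s "$esusers_dir/$f" "$node_dir/$f"; then
        echo "MISMATCH: $f differs between $esusers_dir and $node_dir"
        rc=1
      fi
    fi
  done
  key="$node_dir/system_key"
  if [ ! -f "$key" ]; then
    echo "MISSING: $key (the node reads it at startup)"
    rc=1
  elif [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
    # -perm -004: file has the world-read bit set
    echo "WEAK: $key is world-readable; only the elasticsearch user should read it"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $node_dir is consistent with $esusers_dir"
  return "$rc"
}

# Inside the container from the post, run it against the two real directories:
#   sh check_shield.sh /etc/elasticsearch/shield /usr/share/elasticsearch/config/shield
if [ "$#" -eq 2 ]; then
  check_shield_conf "$1" "$2"
  exit $?
fi
```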


(Nicolas Seyvet) #2

I have the same problem...

Is there a solution?


(system) #3