I am installing Shield on top of the official Docker image of Elasticsearch. I was able to set up SSL with basic authentication, and verified that I have access via either Chrome or a Python program.
I keep getting 401 errors when I try to set up access through PKI, and the file elasticserach-access.log under /usr/share/elasticsearch/logs has a file size of 0. How can I enable logging for Shield so that I can find out why the PKI client certificates I am using are not authenticated?
Thanks Mark. Setting shield.authc to DEBUG or TRACE did provide some additional information, such as:
authenticated user [es_admin], with roles [[admin]]
However, it does not provide much detail when the authentication failed. Here's what I've tried:
When I executed the following command, I got the error "curl: (51) SSL: no alternative certificate subject name matches target host name 'localhost'", which is expected.
curl -E client.crt --key client.key --cacert certs/cacert.pem -XGET 'https://localhost:9200'
When I changed the command to the following with the hostname I specified to create the server certificate:
curl -E client.crt --key client.key --cacert certs/cacert.pem -XGET 'https://esnode01:9200'
I received a response like the following:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}},"status":401}
What could be the cause of the error? The DEBUG / TRACE option does not provide any additional information in the logs.