How to enable logging for shield?

security

(Al77056) #1

I am installing shield on top of the official docker image of elasticsearch. I was able to setup SSL with basic authentication, and verified that I have access via either chrome or a Python program.

I keep getting 401 errors when I tried to setup access through PKI, and the file elasticserach-access.log under /usr/share/elasticsearch/logs has a 0 file size. How can I enable logging for shield such that I can find out why the PKI client certificates I am using are not authenticated?


(Mark Walkom) #2

Try adding shield.authc: DEBUG to the logging.yml configuration file?


(Al77056) #3

Thanks Mark. Setting shield.authc to DEBUG or TRACE did provided some additional information, such as:
authenticated user [es_admin], with roles [[admin]]
However it does not provide much detail when the authentication failed. Here's what I've tried:

When I execute the following command, I got an error "curl: (51) SSL: no alternative certificate subject name matches target host name 'localhost'", which is expected.
curl -E client.crt --key client.key --cacert certs/cacert.pem -XGET 'https://localhost:9200'

When I changed the command to the following with the hostname I specified to create the server certificate:
curl -E client.crt --key client.key --cacert certs/cacert.pem -XGET 'https://esnode01:9200'
I received a response like the following:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentic
ation token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="sh
ield""}}],"type":"security_exception","reason":"missing authentication token fo
r REST request [/]","header":{"WWW-Authenticate":"Basic realm="shield""}},"status":401}

What could be the cause of the error? The DEBUG / TRACE option does not provide any additional information in the logs.


(Elad Benedict) #4

I'm having the exact same problem.
Did you manage to get it working?

@eyaldahari - FYI


(system) #5