Kopf plugin with Shield and Anonymous access

security

(Diranged) #1

We have ES configured to allow a light amount of anonymous access to the cluster for the simplest types of debugging, monitoring, etc.

elasticsearch.yaml

shield.authc.anonymous.roles: monitoring
shield.authc.anonymous.username: anonymous_user
shield.authc.authz_exception.authz_exception: true

roles.yaml

monitoring: 
  cluster: monitor
  indices: 
    "*": monitor

So simple curl calls work just fine..

[root@staging-us1-search-es-uswest2-9:/etc/elasticsearch/staging-us1-search/shield:60]# curl --insecure https://localhost:9200/_cluster/health?pretty
{
  "cluster_name" : "staging-us1-search",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "active_primary_shards" : 2,
  "active_shards" : 4,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

We can also access the kopf plugin.. but when we do, it fails to load any data with the following error (ignore the URL .. thats me doing some tunneling to get to the server)

If we switch the anonymous access to use the admin role, it works fine .. so im pretty sure this is just a role issue. Can someone help me create a role that will give the kopf plugin access to the data it needs?


#2

I have the same problem. Did you find a solution yet???


(system) #3