Monitoring: Unauthorized user when sending metrics to the monitoring cluster


#1

Hi All,

I'd like to send the monitoring events to a dedicated monitoring ES cluster (both use v.5.2.0) using the following start parameters:

-Ecluster.name=cluster9500 -Enode.name=node9500 -Ehttp.port=9500 -Expack.monitoring.exporters.id1.type=http -Expack.monitoring.exporters.id1.host=localhost:9200 -Expack.monitoring.exporters.id1.auth.username=elastic -Expack.monitoring.exporters.id1.auth.password=changeme
(localhost:9200 - is the "remote" dedicated monitoring cluster :))
but it seems it does not use the specified credentials:

[2017-02-05T21:06:37,633][WARN ][o.e.x.m.e.h.HttpExporter ] [xpack.monitoring.exporters.id1] is not using https, but using user authentication with plaintext username/password!
...
[2017-02-05T21:06:44,672][INFO ][o.e.n.Node               ] [node9500] started
[2017-02-05T21:06:47,969][ERROR][o.e.x.m.e.h.VersionHttpResource] failed to verify minimum version [5.0.0-beta1] on the [xpack.monitoring.exporters.id1] monitoring cluster
org.elasticsearch.client.ResponseException: GET http://localhost:9200/?filter_path=version.number: HTTP/1.1 403 Forbidden
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [anonymous_user]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [anonymous_user]"},"status":403}
        at org.elasticsearch.client.RestClient$1.completed(RestClient.java:311) ~[?:?]
        at org.elasticsearch.client.RestClient$1.completed(RestClient.java:300) ~[?:?]
        at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119) ~[?:?]
        at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177) ~[?:?]
        at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:436) ~[?:?]
        at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:326) ~[?:?]
        at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265) ~[?:?]
        at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81) ~[?:?]
        at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39) ~[?:?]
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114) ~[?:?]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) ~[?:?]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) ~[?:?]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) ~[?:?]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) ~[?:?]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) ~[?:?]
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) ~[?:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]

Does it really ignore the auth settings or I forgot something in the configuration?
Thanks!


(Chris Earle) #2

Hi @jetnet,

Does this exception continue to happen every 10 seconds?

Prior to 5.3 (currently unreleased), the underlying RestClient did not use Preemptive Authentication. As a result, it first sends an anonymous request to the other side, but if it gets rejected then it will send the same request with authentication.

Starting with 5.3, Preemptive Authentication will be the default behavior for the RestClient and therefore for the HTTP Exporter as well.

Let me know,
Chris


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.