Segurity Problem using X-pack with 5.0.1

Elastic Stack Elasticsearch
1

Hi,

Recently I start to configure my EL Cluster and Kibana aganist a AD. Im using 5.0.1

I preferred to start configuring my cluster aganist and simple LDAP. I use for this OpenDS.

The main configuration in elasticsearch.yml is the next:

xpack.security.authc.realms:
  ldap1:
    type: ldap
    order: 0
    url: "ldap://127.0.0.1:389"
    user_dn_templates:
      - "cn={0},ou=usuarios,dc=XXXXX,dc=com"
    group_search:
      base_dn: "ou=roles,dc=XXXXX,dc=com"
    files:
      role_mapping: "/XXXXX/cluster-elk/EL-node 1_MD-5.0.1/config/x-pack/role_mapping.yml"
    unmapped_groups_as_roles: false

and my role-mapping.xml is like this;

role_app1:
  - "cn=role_app1,ou=aplicacion,ou=roles,dc=XXXX,dc=com"

All is working good but my problem is:

1.- I log with my user asign to role_app. Any problem
2.- I logout of kibana.
3.- In openDS, I change the password of my user.
4.- I try to login in kibana with the old password, and i can login....

Worst of all was that if I stop my openDS.... i can enter using old password....

If I have not made any configuration errors, I suspect that Xpack is internally saving the user and password and does not validate it against OpenDS anymore until a different user or password is entered.

This is normal? Is there a way to force by configuration that you always have to validate the user and password against the external security provider?

Thx!

2

Hi @olorasde,

The username and a hash of the password is being cached by x-pack for performance reasons. This can be disabled on a per realm basis. If you would like to disable it, in your ldap1 realm settings, add cache.ttl: -1. Details about the cache settings: https://www.elastic.co/guide/en/x-pack/current/ldap-realm.html

3

One thing to keep in mind is that if you disable this cache, as @jaymode describes, every request to Elasticsearch will make a request to your LDAP server to validate the user information, and this will slow your response times and put a lot of load on the LDAP server.

4

Thx for information Jay and Steve.

I assume that it is not currently possible to only force authentication in the login process, no?

Using this configuration, in my elasticsearch log console has begun to appear this exceptions, any ideas?

[2016-12-07T15:31:36,713][ERROR][o.e.x.m.c.c.ClusterStatsCollector] [node-MD-1] collector [cluster-stats-collector] - failed collecting data
java.lang.NullPointerException
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.usageStats(CachingUsernamePasswordRealm.java:193) ~[?:?]
        at org.elasticsearch.xpack.security.authc.ldap.support.AbstractLdapRealm.usageStats(AbstractLdapRealm.java:84) ~[?:?]
        at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.usageStats(LdapRealm.java:72) ~[?:?]
        at org.elasticsearch.xpack.security.authc.Realms.lambda$usageStats$0(Realms.java:204) ~[?:?]
        at org.elasticsearch.xpack.security.authc.Realms$$Lambda$1474/187280844.apply(Unknown Source) ~[?:?]
        at java.util.HashMap.compute(HashMap.java:1188) ~[?:1.8.0_45]
        at org.elasticsearch.xpack.security.authc.Realms.usageStats(Realms.java:202) ~[?:?]
        at org.elasticsearch.xpack.security.SecurityFeatureSet.buildRealmsUsage(SecurityFeatureSet.java:118) ~[?:?]
        at org.elasticsearch.xpack.security.SecurityFeatureSet.usage(SecurityFeatureSet.java:103) ~[?:?]
        at org.elasticsearch.xpack.action.TransportXPackUsageAction$$Lambda$1473/1101385431.apply(Unknown Source) ~[?:?]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_45]
        at java.util.Iterator.forEachRemaining(Iterator.java:116) ~[?:1.8.0_45]
        at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) ~[?:1.8.0_45]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:512) ~[?:1.8.0_45]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:502) ~[?:1.8.0_45]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_45]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_45]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_45]
        at org.elasticsearch.xpack.action.TransportXPackUsageAction.masterOperation(TransportXPackUsageAction.java:65) ~[?:?]
        at org.elasticsearch.xpack.action.TransportXPackUsageAction.masterOperation(TransportXPackUsageAction.java:39) ~[?:?]
        at org.elasticsearch.action.support.master.TransportMasterNodeAction.masterOperation(TransportMasterNodeAction.java:86) ~[elasticsearch-5.0.1.jar:5.0.1]
        at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$3.doRun(TransportMasterNodeAction.java:170) ~[elasticsearch-5.0.1.jar:5.0.1]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:520) ~[elasticsearch-5.0.1.jar:5.0.1]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-5.0.1.jar:5.0.1]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_45]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_45]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_45]

Thx!

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.