Hi, I'm evaluating Shield for our company on our existing cluster. We are running Elasticsearch 2.3 with Kibana 4.5. LDAP authentication via Kibana works partially. The part that works is that it disallows non-existent accounts, and existent accounts with invalid credentials. But it doesn't work in the sense that once a user is authenticated, access is admin-level in Kibana. The defined test role is applied according to the elasticsearch log: "authenticated user [aa.test3], with roles [[aa_user]]". The roles.yml role definition for the group is:

aa_user:
  cluster:
    - monitor

which I expect should nearly completely restrict access.

I noticed that when I run: curl localhost:9200 I'm getting back the tagline page without any credentials prompt, so I suspect that Shield is only partially operational. We have the Basic license installed. I read somewhere that the Basic license may not or will not work with Shield. Is this the case? If so, how can I get around this to fully evaluate Shield? If not, what is the reason for Shield behaving this way?

Here’s what the realm looks like in the elasticsearch.yml.

shield:
  authc:
    realms:
      native1:
        type: native
        order: 0
      file1:
        type: file
        order: 1
        enabled: true
      ldap1:
        type: ldap
        order: 2
        url: "ldap://somehost:389"
        bind_dn: "uid=something, cn=that, cn=etc, dc=is, dc=private"
        bind_password: something
        user_search:
          base_dn: "cn= that,cn=info,dc= is,dc= private"
          attribute: uid
        group_search:
          base_dn: "cn=something,cn=that,dc=is,dc=private"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
        follow_referrals: true
        unmapped_groups_as_roles: true

When I run: curl 'http://localhost:9200/_nodes?pretty&filter_path=**.plugins'
it shows that the shield plugin exists on each node as such:

{
  "name" : "shield",
  "version" : "2.3.0",
  "description" : "Elasticsearch Shield (security)",
  "jvm" : true,
  "classname" : "org.elasticsearch.shield.ShieldPlugin",
  "isolated" : false,
  "site" : false
} ]

Thanks,
Justin