Shield 2.3, Elasticsearch 2.3: 'ldap' realm works, but 'file' realm does not


#1

Hi, I'm evaluating Shield for our company on our existing cluster. We are running Elasticsearch 2.3 with Kibana 4.5. LDAP authentication via Kibana works partially. The part that works is that it disallows non-existent accounts, and existent accounts with invalid credentials. But it doesn't work in the sense that once a user is authenticated, access is admin-level in Kibana. The defined test role is applied according to the elasticsearch log: "authenticated user [aa.test3], with roles [[aa_user]]". The roles.yml role definition for the group is:

```
aa_user:
  cluster:
    - monitor
```

which I expect should nearly completely restrict access. I noticed that when I run: curl localhost:9200 I'm getting back the tagline page without any credentials prompt, so I suspect that Shield is only partially operational. We have the Basic license installed. I read somewhere that the Basic license may not or will not work with Shield. Is this the case? If so, how can I get around this to fully evaluate Shield? If not, what is the reason for Shield behaving this way? Here’s what the realm looks like in the elasticsearch.yml.

```
shield:
  authc:
    realms:
      native1:
        type: native
        order: 0
      file1:
        type: file
        order: 1
        enabled: true
      ldap1:
        type: ldap
        order: 2
        url: "ldap://somehost:389"
        bind_dn: "uid=something, cn=that, cn=etc, dc=is, dc=private"
        bind_password: something
        user_search:
          base_dn: "cn= that,cn=info,dc= is,dc= private"
          attribute: uid
        group_search:
          base_dn: "cn=something,cn=that,dc=is,dc=private"
        files:
          role_mapping: "/etc/elasticsearch/shield/role_mapping.yml"
        follow_referrals: true
        unmapped_groups_as_roles: true
```

When I run: curl 'http://localhost:9200/_nodes?pretty&filter_path=**.plugins'

it shows that the shield plugin exists on each node as such:

```
{
  "name" : "shield",
  "version" : "2.3.0",
  "description" : "Elasticsearch Shield (security)",
  "jvm" : true,
  "classname" : "org.elasticsearch.shield.ShieldPlugin",
  "isolated" : false,
  "site" : false
} ]
```

Thanks,
Justin


(Peter Pisljar) #2

When you initially install Shield, a 30 day trial license is installed that allows access to all features.

Could you please update your post and put configurations in code blocks? This way the indentation is preserved and it will be much easier to read. You can do that by adding three back ticks ``` on an empty line before and after your code like:

```
my code
```

Could you also provide your role_mappings.yml file?

Thanks for the additional information.


(Peter Pisljar) #3

Here is the documentation on using Kibana with Shield.

Also, could you provide the output of curl 'localhost:9200/_license'?

Thanks
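The two probes discussed in this thread (the unauthenticated `curl localhost:9200` from the question and the `/_license` request asked for above) can be turned into a small diagnostic. This is an added example, not code from the thread or from Shield; the hostname, the probe helper and the sample responses are constructed for illustration.

```python
"""Diagnose whether Shield is actually enforcing authentication (added example).

A Shield-protected node must reject an anonymous GET / with HTTP 401; getting
the cluster tagline back with no credentials means requests pass straight
through. The license type explains why that may be the case.
"""
import json
import urllib.error
import urllib.request


def probe(url, timeout=5):
    """Return (status, body) for an unauthenticated GET; 401 is a normal outcome here."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def auth_enforced(status, body):
    """True when anonymous access is rejected, False when the tagline leaks, None if unclear."""
    if status == 401:
        return True
    if status == 200 and "You Know, for Search" in body:
        return False
    return None  # node down, proxy in front, or some other unexpected answer


def license_summary(body):
    """Extract (type, status) from a GET /_license response in the 2.x format."""
    lic = json.loads(body).get("license", {})
    return lic.get("type"), lic.get("status")


def diagnose(root_status, root_body, license_body):
    """Combine both probes into one verdict line."""
    enforced = auth_enforced(root_status, root_body)
    ltype, lstatus = license_summary(license_body)
    if enforced is False:
        return f"NOT ENFORCED: anonymous access allowed (license {ltype}/{lstatus})"
    if enforced:
        return f"ENFORCED: anonymous access rejected (license {ltype}/{lstatus})"
    return f"UNKNOWN: HTTP {root_status} (license {ltype}/{lstatus})"


# Constructed sample responses mirroring the symptom in the question: the
# tagline comes back without credentials and /_license reports a basic license.
SAMPLE_ROOT = (200, '{"name":"node-1","tagline":"You Know, for Search"}')
SAMPLE_LICENSE = '{"license":{"status":"active","type":"basic"}}'

if __name__ == "__main__":
    print(diagnose(*SAMPLE_ROOT, SAMPLE_LICENSE))  # offline run on the samples
```

Against a live node, replace the samples with `probe("http://localhost:9200/")` and `probe("http://localhost:9200/_license")[1]`.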


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.