Shield not recognizing users file?

security

#1

Hello,
I'm currently testing the Shield product in our dev environment. I'm running into a problem with the configuration. We want to eventually use the Active Directory settings but first I'm just setting up the local authentication for the Marvel and Kibana users. However, it doesn't seem to work. I created a marvel_server user, and gave it the marvel_agent role. I added the "marvel.agent.exporter.es.hosts:" url to include the credentials to both of our nodes in the cluster, and set the same settings on both nodes. However, I'm seeing the error in our log:

error adding the marvel template to [http://marvel_server:XXXXXX@URL:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[unable to authenticate user [marvel_server] for REST request [/_template/marvel]]","status":401}]

I'm getting this for both servers, on both servers. I've verified that the user has the marvel_agent role installed, and I even tried giving it the full admin role. Still get the same error. I'm running elasticsearch as root, just in case there's a permissions issue, and that doesn't help.

I'm also seeing a similar problem with Kibana. I created a kibana4_server user and gave it the kibana4_server role. Added the username and password in the kibana.yml file "kibana_elasticsearch_username" parameter. I also set myself an admin account. However, now the kibana instance won't even start and gives me an "Authentication Exception" error.

Anybody know what I'm doing wrong? It's like Shield isn't reading the users file or something. However, I know it is because when I go to the URL:9200 directly, it asks me for credentials and then lets me in once I enter my user credential, as well as the marvel credential.


(Jay Modi) #2

Hi @slee,

How did you install Elasticsearch and Shield?

Your configuration files may be in the wrong location if you are using an RPM/DEB installation of elasticsearch. In the case of an RPM/DEB installation there should be a shield directory under /etc/elasticsearch. If you do not have it, you can copy the $ES_HOME/config/shield directory to /etc/elasticsearch. Then make sure you have your environment configured properly. This is a known limitation with Shield installation right now and we are working on improving this to be much more seamless out of the box.


#3

Thanks for the response Jay! I installed via the rpm package. That thought occurred to me as well, so I explicitly set the path for the users file and the user roles file in the elasticsearch.yml. I did this by using the line: shield.authc.realms.files.users:/path/ and shield.authc.realms.files.users_roles:/path/. This didn't do anything though. I'll look over the links you sent me, but my install is pretty standard, just straight rpm installs for es and logstash.

Edit: OK, just reread your post. I missed the part about /etc/ the first time. I'll check that next time I'm at the office.


(Jay Modi) #4

The shield.authc.realms.files.users and shield.authc.realms.files.users_roles settings did not have an effect since they were missing a realm name.

An example configuration with an esusers realm named realm_name:

shield:
  authc:
    realms:
      realm_name:
        type: esusers
        files:
          users: /path/to/users
          users_roles: /path/to/users_roles

#5

Thanks Jay, they actually did but I was responding from memory on my phone and just forgot to add it, sorry. I did get it working though, once I moved the config files over to the /etc/elasticsearch folder. It would help if they included that in the official documentation, unless I just completely glossed over it.
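
The directory mismatch described in posts #2 and #5 can be checked on a node with a short script. This is an added example, not part of the original thread or of Shield's own tooling; the default paths (/usr/share/elasticsearch as $ES_HOME, /etc/elasticsearch as the config directory) assume a stock RPM layout, and the function names and the sample users files in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the Shield files under
# $ES_HOME/config/shield with the copy under /etc/elasticsearch/shield,
# the directory post #2 says an RPM/DEB install needs.

list_users() {
  # In the esusers "users" file the user name is the text before the first ':'.
  [ -f "$1" ] && cut -d: -f1 "$1" | grep -v -e '^#' -e '^$' | sort -u
  return 0
}

check_shield_config() {
  local tool_dir node_dir rc f u
  tool_dir="${1:-/usr/share/elasticsearch}/config/shield"   # assumed RPM $ES_HOME
  node_dir="${2:-/etc/elasticsearch}/shield"                # assumed RPM config dir
  rc=0
  if [ ! -d "$node_dir" ]; then
    echo "MISSING_DIR $node_dir (copy $tool_dir there)"
    return 2
  fi
  for f in users users_roles; do
    if [ -f "$tool_dir/$f" ] && [ ! -f "$node_dir/$f" ]; then
      echo "MISSING_FILE $node_dir/$f"
      rc=1
    fi
  done
  # A user present only in the $ES_HOME copy is absent from the directory
  # under /etc/elasticsearch, which matches the 401 symptom in post #1.
  for u in $(list_users "$tool_dir/users"); do
    if ! list_users "$node_dir/users" | grep -qxF -- "$u"; then
      echo "USER_NOT_VISIBLE $u"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK $node_dir matches $tool_dir"
  return "$rc"
}

demo() {  # constructed layout: kibana4_server exists only in the $ES_HOME copy
  local d rc
  d=$(mktemp -d); rc=0
  mkdir -p "$d/home/config/shield" "$d/etc/shield"
  printf 'marvel_server:HASH\nkibana4_server:HASH\n' > "$d/home/config/shield/users"
  printf 'marvel_server:HASH\n' > "$d/etc/shield/users"
  check_shield_config "$d/home" "$d/etc" || rc=$?
  rm -rf "$d"; return "$rc"
}
```

Run check_shield_config with no arguments on the node, or pass your own $ES_HOME and config directory as the first and second argument; exit status 2 means the shield directory is missing entirely, 1 means files or users differ.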

