Shield with Custom REST plugins

security

(le hoang) #1

Hi,

We've been scratching our heads at this for a while so we thought we'd give it a shot here.

Some background: We have an application that uses ElasticSearch with a custom plugin with a custom REST endpoint that we've written for ElasticSearch 2.1. We have tried the application with the plugin and it works fine. The custom REST endpoint has a structure like so: //_function?param1=&param2=. We have since tried to get this plugin working with Shield installed on ElasticSearch. We are coming across a problem that Shield is erroring with:

[2016-01-29 16:00:08,062][INFO ][rest.suppressed ] /index_test/_function Params: {field=testfield, size=50, index=index_test, term=a}
ElasticsearchSecurityException[action [indices/termlist] is unauthorized for user [user1]]
at org.elasticsearch.shield.support.Exceptions.authorizationError(Exceptions.java:45)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denialException(InternalAuthorizationService.java:294)
at org.elasticsearch.shield.authz.InternalAuthorizationService.denial(InternalAuthorizationService.java:268)
at org.elasticsearch.shield.authz.InternalAuthorizationService.authorize(InternalAuthorizationService.java:165)
at org.elasticsearch.shield.action.ShieldActionFilter.apply(ShieldActionFilter.java:105)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:99)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:77)
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:58)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:347)
at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:52)
at

I've tried playing around with the roles.yml file but have had no luck. The user currently has role admin and the roles.yml for admin is as follows:

admin:
  cluster: all
  indices:
    '*':
      privileges: all

Some advice on how we can fix this would be greatly appreciated.


(Jay Modi) #2

Hi,

I believe you need to change your action name to follow the standard naming convention for it to work with shield. That said, it is unknown if shield can properly protect this custom endpoint as we are not aware of what it does and you may encounter other issues when the action does not work with shield.

Jay
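
Why a role with `privileges: all` can still be denied for `indices/termlist`, shown as an added example that is not part of the original thread and is not Shield's own code. It assumes a simplified model in which each index privilege expands to wildcard patterns over colon-prefixed action names (the usual `indices:...` / `cluster:...` form); the privilege table and the renamed action `indices:data/read/termlist` are illustrative assumptions.

```python
import re
from fnmatch import fnmatchcase

# Assumption: simplified privilege-to-pattern table, modelled on the
# colon-prefixed action names Elasticsearch uses for its built-in actions.
INDEX_PRIVILEGES = {
    "all": ["indices:*"],
    "read": ["indices:data/read/*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
}

# Conventional shape: <category>:<segment>/<segment>/...
CONVENTION = re.compile(r"^(indices|cluster|internal):[a-z0-9_]+(/[a-z0-9_\[\]]+)*$")


def follows_convention(action):
    """True if the action name has the <category>:<path> shape."""
    return bool(CONVENTION.match(action))


def granting_privileges(action, privileges=INDEX_PRIVILEGES):
    """Names of the index privileges whose patterns cover this action."""
    return sorted(
        name
        for name, patterns in privileges.items()
        if any(fnmatchcase(action, pattern) for pattern in patterns)
    )


def audit(actions):
    """Report, per action name, convention compliance and covering privileges."""
    return {
        action: {
            "conventional": follows_convention(action),
            "granted_by": granting_privileges(action),
        }
        for action in actions
    }


if __name__ == "__main__":
    # Constructed input: the name from the log above and a hypothetical rename.
    for name, result in audit(["indices/termlist", "indices:data/read/termlist"]).items():
        print(name, result)
```

An action name that no privilege pattern covers is denied for every role, which is why editing roles.yml alone did not help here.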


(le hoang) #3

Thanks Jay. This worked.

