armor's People

Contributors

ersushantsood, jehuty0shift, jmaitrehenry

armor's Issues

Configuration problem

Hello,

Some problems, can someone help me please ?

config in elasticsearch.yml :

armor.actionrequestfilter.names: ["admin"]
armor.actionrequestfilter.admin.allowed_actions: ["*"]

This was done before and is ok :

curl -XPUT 'http://localhost:9200/armor/ac/ac' -d '{
"acl": [
{
"Comment": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
"filters_bypass": [],
"filters_execute": []
},
{
"Comment": "For role admin all filters are bypassed (so none will be executed). This means unrestricted access.",
"roles": [
"admin"
],
"filters_bypass": ["*"],
"filters_execute": []
}
]
}'

How can I disable this error on startup, please?

[2016-12-05 16:30:43,169][ERROR][com.petalmd.armor.service.ArmorConfigService] [Rancor] Try to refresh security configuration but it failed due to NoShardAvailableActionException[No shard available for [get [armor][ac][ac]: routing [null]]]
NoShardAvailableActionException[No shard available for [get [armor][ac][ac]: routing [null]]]

Cannot create daily index :

Caused by: ElasticsearchException[Security configuration cannot be loaded for unknown reasons]
at com.petalmd.armor.service.ArmorConfigService.getSecurityConfiguration(ArmorConfigService.java:72)
at com.petalmd.armor.filter.ArmorActionFilter.apply0(ArmorActionFilter.java:186)
at com.petalmd.armor.filter.ArmorActionFilter.apply(ArmorActionFilter.java:90)

[2016-12-05 00:59:43,069][ERROR][com.petalmd.armor.filter.ArmorActionFilter] Error while apply() due to java.lang.NullPointerException for action indices:data/write/bulk
java.lang.NullPointerException
[2016-12-05 00:59:43,069][WARN ][rest.suppressed ] path: /_bulk, params: {}

cannot access armor index too ?

curl -u user:pass "http://localhost:9200/armor/ac/ac"
{"error":{"root_cause":[{"type":"forbidden_exception","reason":"Only allowed from localhost (loopback)"}],"type":"forbidden_exception","reason":"Only allowed from localhost (loopback)"},"status":403}[root@lnxadm1 elasticsearch]

Thanks for your help.

DLS/FLS broken? (kibana 4)

Hello,

Kibana: 4.1.1
Elasticsearch: 1.7.3

Thanks for the fork. Configuration given by SergeyBear on this page works.

floragunncom/search-guard#3

Now I'm trying to activate this FLS configuration:

armor.rewrite_get_as_search: true
armor.flsfilter.names: ["stripsensitive"]
armor.flsfilter.stripsensitive.source_includes: []
armor.flsfilter.stripsensitive.source_excludes: ["41281f0f7948"]

and "filters_bypass": ["flsfilter.stripsensitive"] on kibana part, it breaks, even for root user with a

TypeError: Cannot read property 'timed_out' of undefined
    at http://localhost:5601/index.js?_b=7489:43071:17
    at Function.Promise.try (http://localhost:5601/index.js?_b=7489:46434:26)
    at http://localhost:5601/index.js?_b=7489:46412:27
    at Array.map (native)
    at Function.Promise.map (http://localhost:5601/index.js?_b=7489:46411:30)
    at callResponseHandlers (http://localhost:5601/index.js?_b=7489:43064:22)
    at http://localhost:5601/index.js?_b=7489:43182:16
    at wrappedCallback (http://localhost:5601/index.js?_b=7489:20893:81)
    at wrappedCallback (http://localhost:5601/index.js?_b=7489:20893:81)
    at http://localhost:5601/index.js?_b=7489:20979:26

Same for DLS, with this configuration

armor.rewrite_get_as_search: true
armor.dlsfilter.names: ["a"]
armor.dlsfilter.a: ["exists","source", "false"]

This time, filter is not given to anyone and kibana still breaks on this.

When i remove dls/fls rules from yaml, it works again.

Did I miss something?

Thanks for your help

Unable to install plugin for elasticsearch 2.3.3

cat /proc/version

Linux version 4.4.19-29.55.amzn1.x86_64 (mockbuild@gobi-build-64012) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Mon Aug 29 23:29:40 UTC 2016

curl localhost:9200

{
  "name" : "Shamrock",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

java -version

java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)

sudo bin/plugin install com.petalmd/armor/2.3.3

-> Installing com.petalmd/armor/2.3.3...
Trying https://download.elastic.co/com.petalmd/armor/armor-2.3.3.zip ...
Trying https://search.maven.org/remotecontent?filepath=com/petalmd/armor/2.3.3/armor-2.3.3.zip ...
Trying https://oss.sonatype.org/service/local/repositories/releases/content/com/petalmd/armor/2.3.3/armor-2.3.3.zip ...
Trying https://github.com/com.petalmd/armor/archive/2.3.3.zip ...
Trying https://github.com/com.petalmd/armor/archive/master.zip ...
ERROR: failed to download out of all possible locations..., use --verbose to get detailed information

Issue in TokenEvaluator

Hi @jmaitrehenry, I was trying to validate the logic written in TokenEvaluator to check if ROLE A has access to Index A only. This does not seem to be working: after authenticating and getting the roles for the user, the ACL for indices is not getting applied. Can you please verify once?

Plugin-descriptor not found during plugin installation

Hi, I tried to install armor for Elasticsearch 2.0 and I am getting the error below. As per the Elasticsearch 2.0 plugin documentation, keeping plugin-descriptor in the root directory of the plugin is mandatory, but somehow the plugin tool is not picking up the descriptor even if I manually place it and build the zip again.

./plugin install file:///armor2.1/target/releases/armor-2.0.0-SNAPSHOT.zip --verbose
-> Installing from file:///armor2.1/target/releases/armor-2.0.0-SNAPSHOT.zip...
Trying file:///armor2.1/target/releases/armor-2.0.0-SNAPSHOT.zip ...
Downloading ........................................................................DONE
Verifying file:///armor2.1/target/releases/armor-2.0.0-SNAPSHOT.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
ERROR: Could not find plugin descriptor 'plugin-descriptor.properties' in plugin zip

kibana3 access control

I'm having a little trouble implementing dls filters on a shared index environment for logstash.

I'm trying to restrict the results that kibana returns for a shared index environment. For each document I have a username field, and if the current user matches the username field they should be able to see the document.

This seems to be working great for the table graphs in kibana. However, the pie/line/bar/histogram graphs are completely bypassing the dls filters.

I have attached a screenshot of kibana - one with kibana filtering the account to the current user like the dls filter is supposed to. The other with the normal behavior showing the kibana graphs bypassing the dls filter.

Any ideas on how to resolve this?

Thanks,

Rory

user/role mappings:

users

armor.authentication.settingsdb.user.test1: test1
armor.authentication.settingsdb.user.test2: test2
...

roles

armor.authentication.authorization.settingsdb.roles.admin: ["root"]
armor.authentication.authorization.settingsdb.roles.logstash: ["logstash"]
armor.authentication.authorization.settingsdb.roles.test1: ["kibana","loguser"]
armor.authentication.authorization.settingsdb.roles.test2: ["kibana","loguser"]

dls filters

armor.dlsfilter.names: ["acc_test1","acc_test2","acc_username"]
armor.dlsfilter.acc_test1: ["term", "account", "test1", "false"]
armor.dlsfilter.acc_test2: ["term", "account", "test2", "false"]
armor.dlsfilter.acc_username: ["user_name", "account", "false"]

acl rules:

curl -XPUT 'http://localhost:9200/armor/ac/ac?pretty' -d '
{"acl": [
{
"Comment": "Default is to execute no filters - return no results",
"filters_bypass": [],
"filters_execute": []
},
{
"Comment": "kibana index",
"indices": ["kibana-*"],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"Comment": "kibana mt user test",
"users" : ["test1"],
"indices": ["logstash-*"],
"filters_bypass": [],
"filters_execute": ["dlsfilter.acc_username"]
}
]}'

kibana_acc_filter

kibana_acl

cluster with armor

I'm lost! I've set up a 3-node cluster with armor, and armor.allow_cluster_monitor: true!

My understanding is that this parameter permits cluster monitoring without authentication, right?

The cluster doesn't work because authentication is still needed! Do I need to specify some ACLs to authorize cluster monitoring without authentication?

Thanks for your help.

AccessControlException after installing armor plugin

After building the package using maven as standard plugin installation did not work, ElasticSearch service will fail on start:

sudo service elasticsearch start

Starting elasticsearch: Exception in thread "main" ElasticsearchException[java.security.AccessControlException: access denied ("java.io.FilePermission" "." "read")]
    at com.petalmd.armor.service.ArmorService.<init>(ArmorService.java:162)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at <<<guice>>>
    at org.elasticsearch.node.Node.<init>(Node.java:213)
    at org.elasticsearch.node.Node.<init>(Node.java:140)
    at org.elasticsearch.node.NodeBuilder.build(NodeBuilder.java:143)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:178)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

ElasticsearchException[Security configuration cannot be loaded for unknown reasons

curl -v http://app.user:***@localhost:9200/_search?pretty=true

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /_search?pretty=true HTTP/1.1
> Authorization: Basic YXBwLnVzZXI6Um9nZXJzMTIz
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Content-Length: 480
< 
{
  "error" : {
    "root_cause" : [ {
      "type" : "runtime_exception",
      "reason" : "ElasticsearchException[Security configuration cannot be loaded for unknown reasons]"
    } ],
    "type" : "runtime_exception",
    "reason" : "ElasticsearchException[Security configuration cannot be loaded for unknown reasons]",
    "caused_by" : {
      "type" : "exception",
      "reason" : "Security configuration cannot be loaded for unknown reasons"
    }
  },
  "status" : 500
}

elasticsearch.yml configurations

# Armor
armor.key_path: "/data/elasticsearch/armor"
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator

# Users
armor.authentication.settingsdb.digest: SHA256
armor.authentication.settingsdb.user.app.user: 94aa520b351f5df1abcd3195bf9f06888475e143a4ef20922c4cabe445e66719

# Roles
armor.authentication.authorization.settingsdb.roles.app.user: ["admin"]

# Permissions
armor.restactionfilter.names: ["admin"]
armor.actionrequestfilter.admin.allowed_actions: ["*"]

There is no localhost:9200/ac index present at the time of testing, adding the default settings did not seem to have any impact:

curl -XPUT 'http://localhost:9200/armor/ac/ac' -d '{
    "acl": [
    {
        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
     },
     {
           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
               "admin"
           ],
           "filters_bypass": ["*"],
           "filters_execute": []
     }
     ]
}'

Root level request seems to succeed:

curl -v http://app.user:***@localhost:9200/?pretty=true
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'app.user'
> GET /?pretty=true HTTP/1.1
> Authorization: Basic YXBwVXNlcjpSb2dlcnMxMjM=
> User-Agent: curl/7.40.0
> Host: localhost:9200
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=UTF-8
< Content-Length: 366
< 
{
  "name" : "audit-log-dev-elasticsearch-host03",
  "cluster_name" : "audit-logs-dev-elasticsearch-cluster",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact

Not able to integrate Kibana 4.5.4 with armor: Courier Fetch Error: unhandled courier request error: [unknown_host_exception] No trusted proxies

I am using simple settings-based authentication, and configured the kibana user and password in the kibana yml file. But kibana is not able to connect to Elasticsearch when armor is used. A screenshot of my error and the ACL rule are attached.

"acl": [
{
"Comment": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
"filters_bypass": [],
"filters_execute": []
},
{
"Comment": "For role admin all filters are bypassed (so none will be executed). This means unrestricted access.",
"roles": [
"admin"
],
"filters_bypass": ["*"],
"filters_execute": []
},
{
"Comment": "Internal kibana index",
"roles": ["kibana"],
"indices": [".kibana"],
"filters_bypass": ["*"],
"filters_execute": []
}
]
}

Elastic yml file configuration as follows
armor.rewrite_get_as_search: true
armor.authentication.authentication_backend.impl: com.petalmd.armor.authentication.backend.simple.SettingsBasedAuthenticationBackend
armor.authentication.authorizer.impl: com.petalmd.armor.authorization.simple.SettingsBasedAuthorizator
armor.authentication.http_authenticator.impl: com.petalmd.armor.authentication.http.basic.HTTPBasicAuthenticator
armor.authentication.settingsdb.user.admin: password
armor.authentication.settingsdb.user.kibana: kibana
armor.authentication.authorization.settingsdb.roles.admin: ["admin"]
armor.authentication.authorization.settingsdb.roles.kibana: ["kibana"]
armor.actionrequestfilter.names: ["readonly"]
armor.actionrequestfilter.readonly.allowed_actions: ["indices:data/read/*", "*monitor*"]
armor.actionrequestfilter.readonly.forbidden_actions: ["cluster:admin*", "indices:admin*", "indices:data/write*"]

kibana yml as follows
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

screenshot of kibana issue

Please help if someone has faced this issue earlier.

Installation issue

Hello,

Sorry, I'm not a git specialist! I have the KEY file but where is the .asc file please?

Thanks for your help.

Regards.

elasticsearch plugin install fails with file not found exception

When attempting to install using elasticsearch plugin, elasticsearch plugin throws a file not found exception:

/usr/share/elasticsearch/bin/plugin -i com.petalmd/armor --verbose
-> Installing com.petalmd/armor...
Trying https://github.com/com.petalmd/armor/archive/master.zip...
Failed: IOException[Can't get https://github.com/com.petalmd/armor/archive/master.zip to /usr/share/elasticsearch/plugins/armor.zip]; nested: FileNotFoundException[https://github.com/com.petalmd/armor/archive/master.zip]; nested: FileNotFoundException[https://github.com/com.petalmd/armor/archive/master.zip];
Failed to install com.petalmd/armor, reason: failed to download out of all possible locations..., use --verbose to get detailed information

Return 401 on wrong password or username

If we receive a 401 error on bad login, Kibana will re-ask for user/pass.

Error: Unknown error while connecting to Elasticsearch
Error: AuthException[com.petalmd.armor.authentication.AuthException: No user julien or wrong password (digest: sha512)]; nested: AuthException[No user julien or wrong password (digest: sha512)]; 
