弹性搜索中的 Active Directory AuthorizationException
Active Directory AuthorizationException in elastic search
我正在尝试使用 AD 身份验证。我能够成功登录,但我无权在 marvel 中执行任何查询。
每次我在 marvel 中执行查询时,我都会得到以下 error.Below 是详细信息
{
"error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
"status": 403
}
elasticsearch.yml (C:\ES\elasticsearch-1.4.4\config)
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
user_dn_templates:
- "cn={0}, dc=tavant, dc=in"
group_search:
base_dn: "dc=tavant,dc=in"
files:
role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"
role_mapping.yml (C:\ES\elasticsearch-1.4.4\config\shield)。
在 Node(C:\ES\elasticsearch-1.4.4\data\elasticsearch\nodes[=40=])
中复制相同的文件
admin:
- "cn=users, dc=tavant,dc=in"
roles.yml
admin:
cluster: all
indices:
'*': all
更新
根据 Jaymode 的建议,我添加了 shield.auth: debug。
下面是日志(我认为这会有用)
[2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in,
[2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
编辑 2:根据您的日志消息,您可能想要使用以下映射
admin:
- "CN=Users,CN=Builtin,DC=tavant,DC=in"
编辑:我想我明白了你的问题。在您的 role_mapping.yml 中,您有:
admin:
- "cn=users, dc=tavant,dc=tavant"
最有可能是:
admin:
- "cn=users,dc=tavant,dc=in"
我想知道您用于角色映射的 DN 是否正确并且正在检索中。如果您设置调试日志记录,将为用户找到的组列表将被记录下来。要启用调试日志记录,请编辑 C:\ES\elasticsearch-1.4.4\config\logging.yml 文件:
...
logger:
# Add the line below
shield.authc: DEBUG
...
日志行看起来像这样:the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]
在该行中,您将找到检索到的组 DN 的实际列表。此外,您的领域配置可以简化为以下内容:
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
其他设置实际上似乎只是指定了默认值(如果未指定)。
我正在尝试使用 AD 身份验证。我能够成功登录,但我无权在 marvel 中执行任何查询。 每次我在 marvel 中执行查询时,我都会得到以下 error.Below 是详细信息
{
"error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
"status": 403
}
elasticsearch.yml (C:\ES\elasticsearch-1.4.4\config)
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
user_dn_templates:
- "cn={0}, dc=tavant, dc=in"
group_search:
base_dn: "dc=tavant,dc=in"
files:
role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"
role_mapping.yml (C:\ES\elasticsearch-1.4.4\config\shield)。 在 Node(C:\ES\elasticsearch-1.4.4\data\elasticsearch\nodes[=40=])
中复制相同的文件admin:
- "cn=users, dc=tavant,dc=in"
roles.yml
admin:
cluster: all
indices:
'*': all
更新
根据 Jaymode 的建议,我添加了 shield.auth: debug。 下面是日志(我认为这会有用)
[2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in,
[2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
编辑 2:根据您的日志消息,您可能想要使用以下映射
admin:
- "CN=Users,CN=Builtin,DC=tavant,DC=in"
编辑:我想我明白了你的问题。在您的 role_mapping.yml 中,您有:
admin:
- "cn=users, dc=tavant,dc=tavant"
最有可能是:
admin:
- "cn=users,dc=tavant,dc=in"
我想知道您用于角色映射的 DN 是否正确并且正在检索中。如果您设置调试日志记录,将为用户找到的组列表将被记录下来。要启用调试日志记录,请编辑 C:\ES\elasticsearch-1.4.4\config\logging.yml 文件:
...
logger:
# Add the line below
shield.authc: DEBUG
...
日志行看起来像这样:the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]
在该行中,您将找到检索到的组 DN 的实际列表。此外,您的领域配置可以简化为以下内容:
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
其他设置实际上似乎只是指定了默认值(如果未指定)。