弹性搜索中的Active Directory AuthorizationException

时间:2015-04-24 06:53:01

标签: nest elasticsearch-plugin elasticsearch elasticsearch-shield

我正在尝试使用AD身份验证。我能够成功登录,但我无权在奇迹中执行任何查询。 每次我在奇迹中执行查询时,我都会收到以下错误。下面是详细信息

{
   "error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
   "status": 403
}

elasticsearch.yml (C:\ ES \ elasticsearch-1.4.4 \ config)

 shield:
   authc:
     realms:
       active_directory:
         type: active_directory
         domain_name: tavant.in
         url: "LDAP://DODC1.tavant.in:389"
         user_dn_templates:
          - "cn={0}, dc=tavant, dc=in"
         group_search:
          base_dn: "dc=tavant,dc=in"
         files:
           role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"

role_mapping.yml (C:\ ES \ elasticsearch-1.4.4 \ config \ shield)。 在节点中复制相同的文件(C:\ ES \ elasticsearch-1.4.4 \ data \ elasticsearch \ nodes \ 0)

admin:
  - "cn=users, dc=tavant,dc=in"

roles.yml 

admin:
  cluster: all
  indices:
    '*': all

更新

根据Jaymode的建议,我添加了shield.auth:debug。 下面是日志(我认为这将是有用的)

    [2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in, 
    [2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
    [2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
    [2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
    Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel

1 个答案:

答案 0 :(得分:3)

编辑2 :根据您的日志消息,您可能希望使用以下映射

admin:
  - "CN=Users,CN=Builtin,DC=tavant,DC=in"

编辑:我想我看到了你的问题。在你的role_mapping.yml中你有:

admin:
  - "cn=users, dc=tavant,dc=tavant"

最有可能的是:

admin:
  - "cn=users,dc=tavant,dc=in"

我想知道您用于角色映射的DN是否正确并且正在检索。如果设置调试日志记录,则将记录为该用户找到的组列表。要启用调试日志记录,请编辑C:\ ES \ elasticsearch-1.4.4 \ config \ logging.yml文件:

...
logger:
    # Add the line below
    shield.authc: DEBUG
...

日志行看起来像这样:the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]

在该行中,您将找到检索到的组DN的实际列表。此外,您的领域配置可以简化为以下内容:

shield:
  authc:
    realms:
      active_directory:
        type: active_directory
        domain_name: tavant.in
        url: "LDAP://DODC1.tavant.in:389"

其他设置实际上似乎只是指定了未指定的默认值。

相关问题
最新问题