我正在尝试使用AD身份验证。我能够成功登录,但无权执行任何惊奇的查询。
每次我以惊奇的方式执行查询时,都会收到以下错误。以下是详细信息
{
"error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
"status": 403
}
elasticsearch.yml(C:\ ES \ elasticsearch-1.4.4 \ config)
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
user_dn_templates:
- "cn={0}, dc=tavant, dc=in"
group_search:
base_dn: "dc=tavant,dc=in"
files:
role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"
role_mapping.yml(C:\ ES \ elasticsearch-1.4.4 \ config \ shield)。
在Node(C:\ ES \ elasticsearch-1.4.4 \ data \ elasticsearch \ nodes \ 0)中复制相同文件
admin:
- "cn=users, dc=tavant,dc=in"
角色
admin:
cluster: all
indices:
'*': all
更新
根据Jaymode的建议,我添加了shield.auth:debug。
以下是日志(我认为这很有用)
[2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in,
[2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
最佳答案
编辑2 :基于您的日志消息,您可能希望使用以下映射
admin:
- "CN=Users,CN=Builtin,DC=tavant,DC=in"
编辑:我认为我看到了您的问题。在您的role_mapping.yml中,您具有:
admin:
- "cn=users, dc=tavant,dc=tavant"
它最有可能应该是:
admin:
- "cn=users,dc=tavant,dc=in"
我想知道您用于角色映射的DN是否正确并且正在被检索。如果设置调试日志记录,则将记录为用户找到的组列表。要启用调试日志记录,请编辑C:\ ES \ elasticsearch-1.4.4 \ config \ logging.yml文件:
...
logger:
# Add the line below
shield.authc: DEBUG
...
日志行将如下所示:
the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]在该行中,您将找到检索到的组DN的实际列表。此外,您的 Realm 配置可以简化为以下内容:
shield:
authc:
realms:
active_directory:
type: active_directory
domain_name: tavant.in
url: "LDAP://DODC1.tavant.in:389"
实际上,其他设置似乎只是在指定未指定默认值的情况。
关于nest - Elasticsearch 中的Active Directory AuthorizationException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29840630/