Abb
October 26, 2021, 6:52am
1
We have an Elasticsearch setup and noticed that URL/api/status is being accessed publicly without being authenticated; this is sitting behind the load balancer.
However, URL/api or URL/status throws an unauthorised message as below:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
Do we need an extra setting to disable public access on /api/status?
pablo
October 26, 2021, 9:51am
2
@Abb
Do you mean https://localhost:9200/api/status?
If so, what response do you get?
Abb
October 26, 2021, 10:19am
3
@pablo
Yes, but it's not localhost:9200, rather it's on Production.
https://someProdURL/api/status gives me the complete JSON-formatted server status details in the response, as mentioned here:
Access Kibana | Kibana Guide [8.4] | Elastic
But https://someProdURL/api or https://someProdURL/status returns {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
We tried the settings below in kibana.yml but still no luck:
server.xsrf.disableProtection: false
status.allowAnonymous: false
opendistro_security.auth.anonymous_auth_enabled: false
oscark
October 26, 2021, 10:45am
4
My original issue for opendistro:
https://github.com/opensearch-project/security-dashboards-plugin/issues/579
        !['', 'basicauth', 'jwt', 'openid', 'saml', 'proxy', 'kerberos', 'proxycache'].includes(
          value
        )
      ) {
        return `allowed auth.type are ['', 'basicauth', 'jwt', 'openid', 'saml', 'proxy', 'kerberos', 'proxycache']`;
      }
    },
  }),
  anonymous_auth_enabled: schema.boolean({ defaultValue: false }),
  unauthenticated_routes: schema.arrayOf(schema.string(), {
    defaultValue: ['/api/status', '/api/reporting/stats'],
  }),
  forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }),
  logout_url: schema.string({ defaultValue: '' }),
}),
basicauth: schema.object({
  enabled: schema.boolean({ defaultValue: true }),
  unauthenticated_routes: schema.arrayOf(schema.string(), { defaultValue: ['/api/status'] }),
  forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }),
  header_trumps_session: schema.boolean({ defaultValue: false }),
  alternative_login: schema.object({
I have not updated to OpenSearch yet, but I think the solution is to set auth.unauthenticated_routes: [] in the OpenSearch Dashboards configuration.
Abb
October 26, 2021, 10:52am
5
@oscark auth.unauthenticated_routes: []
Is this setting to be used in kibana.yml, and does Opendistro support it?
pablo
October 26, 2021, 11:27am
6
@Abb
Try opensearch_security.auth.unauthenticated_routes: []
Abb
October 26, 2021, 12:27pm
7
@pablo @oscark I tried the above setting… still able to access the API.
pablo
October 26, 2021, 12:45pm
8
@Abb
Could you send your config?
This worked for me.
opensearch_security.auth.unauthenticated_routes: []
This option has to go with empty brackets.
oscark
October 26, 2021, 2:09pm
9
So I think that opensearch should be (as Pablo wrote): opensearch_security.auth.unauthenticated_routes: []
And opendistro should use:
opendistro_security.auth.unauthenticated_routes: []
Abb
October 27, 2021, 10:38am
10
@oscark @pablo
Using opendistro_security.auth.unauthenticated_routes: [] did work for me, but now the Kubernetes Kibana Deployment fails, as the readiness probe in kibana-deployment.yml uses /api/status/ to check Kibana pod readiness.
readinessProbe:
  httpGet:
    path: /api/status
    port: http
    scheme: HTTPS
  initialDelaySeconds: 60
  periodSeconds: 30
Here are the Kibana logs:
"method":"get","statusCode":401,"req":{"url":"/api/status","method":"get","headers":{"host":"10.xxx.x.xxx:5601","user-agent":"kube-probe/1.19","accept-encoding":"gzip","connection":"close"},"remoteAddress":"10.xxx.x.xxx","userAgent":"kube-probe/1.19"},"res":{"statusCode":401,"responseTime":10,"contentLength":9},"message":"GET /api/status 401 10ms - 9.0B"}
Is there any reason Opendistro has /api/status open by default, but not /api or /status? What is the intention behind keeping only /api/status open and not the others?
However, I was curious to explore the response that we received from /api/status/: is it OK to expose it to public users?
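Putting the two pieces of this thread together, as an added example that is not from the posts above and not from the Open Distro or OpenSearch projects: a ConfigMap carrying the kibana.yml setting pablo and oscark arrived at (post 9), and a Deployment whose readiness probe authenticates instead of relying on /api/status being open (the failure in post 10). The default route list is the one visible in the schema pasted in post 4. The Secret name, the probe user, the CA path, the image reference and the presence of curl in the image are assumptions. For OpenSearch Dashboards the key is opensearch_security.auth.unauthenticated_routes, as stated in the thread.

```yaml
# Added example, not from the thread or the plugin documentation.
# Assumptions: Kibana with the Open Distro security plugin under /usr/share/kibana,
# a Secret "kibana-probe-credentials" holding a dedicated probe user, a CA bundle
# at /usr/share/kibana/config/ca.crt whose server certificate covers localhost,
# and curl available inside the image.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kibana-config
data:
  kibana.yml: |
    server.host: "0.0.0.0"
    # Plugin default (see the schema in post 4): ['/api/status', '/api/reporting/stats']
    # Empty list: every route, including /api/status, requires authentication.
    opendistro_security.auth.unauthenticated_routes: []
    opendistro_security.auth.anonymous_auth_enabled: false
---
apiVersion: v1
kind: Secret
metadata:
  name: kibana-probe-credentials
type: Opaque
stringData:
  username: kibana_probe   # assumed: a dedicated user for the probe only
  password: change-me      # placeholder; inject from your secret store
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
        - name: kibana
          image: your-registry/kibana-opendistro:tag   # assumed image reference
          ports:
            - name: http
              containerPort: 5601
          env:
            - name: PROBE_USER
              valueFrom:
                secretKeyRef:
                  name: kibana-probe-credentials
                  key: username
            - name: PROBE_PASS
              valueFrom:
                secretKeyRef:
                  name: kibana-probe-credentials
                  key: password
          volumeMounts:
            - name: config
              mountPath: /usr/share/kibana/config/kibana.yml
              subPath: kibana.yml
          # An httpGet probe cannot read a Secret, so the probe runs curl inside
          # the container and sends Basic auth. The 401 from post 10 disappears
          # without reopening /api/status to the load balancer.
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - >-
                  curl --silent --fail --show-error
                  --cacert /usr/share/kibana/config/ca.crt
                  --user "$PROBE_USER:$PROBE_PASS"
                  https://localhost:5601/api/status >/dev/null
            initialDelaySeconds: 60
            periodSeconds: 30
      volumes:
        - name: config
          configMap:
            name: kibana-config
```

The probe user should be a dedicated account with the minimum the security plugin needs to answer the request, and rotating it means updating the Secret rather than the manifest. The thread does not settle whether the status payload is safe to expose; this layout sidesteps the question by keeping /api/status authenticated everywhere and letting only the probe in.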