Global index permission definition for "JWT Validation Only" Authentication to Elasticsearch REST API?

Hello,

I am creating a project whereby I would like to leverage only JWT validation as authentication to the REST API of Elasticsearch with Open Distro. I have configured the file "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml" as follows, and this enables successful validation of the JWT passed in the "Authentication bearer" GET request from my clients:

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: |-
              -----BEGIN PUBLIC KEY-----
              AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
              -----END PUBLIC KEY-----
            jwt_header: "Authorization"
            roles_key: null
            subject_key: "name"

When I then authenticate from a client, the JWT is correctly validated. To confirm, the structure of the payload of my JWT is:

{
  "iss": "https://<Accounts Server>",
  "azp": "<Authorized Party>",
  "aud": "<Audience>",
  "sub": "1234567",
  "given_name": "user",
  "iat": 1571587385,
  "exp": 1571590985
}

Upon successful validation by the Open Distro security plugin, the client receives the following response:

{
	"error": {
		"root_cause": [{
			"type": "security_exception",
			"reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[], requestedTenant=null]"
		}],
		"type": "security_exception",
		"reason": "no permissions for [cluster:monitor/main] and User [name=user, roles=[], requestedTenant=null]"
	},
	"status": 403
}

For the purposes of the project requirements, I do not need the security plugin to authenticate user/role and only wish for all clients with a valid JWT to have at least the "indices:data/write/index" permission to one of my indexes. When I try to write a document to an index, the client receives the following response:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:data/write/index] and User [name=user, roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:data/write/index] and User [name=user, roles=[], requestedTenant=null]"
  },
  "status": 403
}

Is there a method to disable all authentication to the Elasticsearch API (not Kibana) with Open Distro other than the JWT validation?
I assume this is achievable by simply defining a global permission of write to the desired indexes but do not know how to set this.

Many thanks in advance :smiley:
Major

I’ve answered my own question here by creating and mapping a new role to all users using the following:

PUT
https://10.226.42.55:9200/_opendistro/_security/api/roles/test_index_write

{
    "description": "Allow write to test index",
    "cluster_permissions": [
      "cluster_composite_ops"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "test"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "write"
        ]
      }
    ],
    "tenant_permissions": []
}

PUT
https://<HOSTNAME>:9200/_opendistro/_security/api/rolesmapping/test_index_write

{
   "backend_roles": [],
   "hosts": [],
   "users": [
     "*"
   ],
   "and_backend_roles": [],
   "description": "Allow write to test index"
}

Hope this helps anyone else trying to achieve the same :slight_smile:
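As an added diagnostic (not code from this thread or from Open Distro), the script below predicts the User [name=..., roles=[...]] identity the plugin derives from a token under the config.yml above (subject_key "name", roles_key null, hence roles=[]) and whether a rolesmapping entry such as users: ["*"] would match it. The sample token, issuer URL and claim names are constructed; the roles_key claim handling and the users-pattern matching are assumptions, and signature verification is deliberately left to the plugin.

```python
import base64
import json
from fnmatch import fnmatch


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT checked here;
    the plugin verifies it against signing_key before it reads any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def effective_identity(payload: dict, subject_key: str, roles_key=None):
    """Apply config.yml's subject_key / roles_key: the user name is the
    subject_key claim; with roles_key null the user has no backend roles."""
    name = payload.get(subject_key)
    if name is None:
        raise KeyError(f"subject_key {subject_key!r} missing from token claims")
    roles = []
    if roles_key is not None:  # assumed: claim is a list or a comma-separated string
        raw = payload.get(roles_key, [])
        roles = [r.strip() for r in raw.split(",")] if isinstance(raw, str) else list(raw)
    return name, roles


def mapping_matches(mapping: dict, name: str, backend_roles: list) -> bool:
    """Predict whether a rolesmapping entry applies to this identity: either a
    users pattern (e.g. "*") or one of the user's backend roles must match."""
    if any(fnmatch(name, pattern) for pattern in mapping.get("users", [])):
        return True
    return any(r in mapping.get("backend_roles", []) for r in backend_roles)


# Constructed sample token with claims shaped like the thread's; dummy signature segment.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://accounts.example", "sub": "1234567",
                               "name": "user", "iat": 1571587385, "exp": 1571590985}).encode()),
    "ZHVtbXktc2lnbmF0dXJl",
])
```

Running effective_identity(decode_jwt_payload(SAMPLE_TOKEN), "name", None) reproduces the "name=user, roles=[]" identity from the 403 messages, which is why only a mapping on users rather than backend_roles can grant the role.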

Hi Major,

Thanks for your post. It was really helpful.

I successfully configured the authentication and was able to get an access token. I'm trying to query my Elasticsearch directly via REST using this token, but I'm getting 403 Forbidden.
Is it even possible? Since my users are not using Kibana, I want to authenticate and control users' access to the Elasticsearch endpoint with this access token.

sample query:

curl --location --request GET 'https://endpoint/_search' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <ACCESS_TOKEN>' \
  --data-raw '{
    "query": {
      "match_all": {}
    }
  }'

I hope you have had experience with this problem too so you can share some thoughts.

Thanks in advance