Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error connecting to OpenSearch server with selective anonymous access permitted #556

Open
jgough opened this issue Apr 28, 2022 · 5 comments

Comments

@jgough
Copy link

jgough commented Apr 28, 2022

I don't know if OpenSearch is officially supporte by Cerebro but it seems to be 100% compatible. I am having an issue though when anonymous access is enabled. I suspect the same error below would also be present on Elasticsearch given the similarity.

To reproduce:

  1. Set up an OpenSearch cluster with anonymous access permitted where the anonymous user does not have full permissions
  2. Try to connect via Cerebro:

Result:
Cerebro tries to connect anonymously without authentication and returns the error Unexpected response status: [403]
This is because the server can be accessed but the anonymous user is not allowed to monitor the health of the cluster - that requires a user with the correct permissions
image

OpenSearch itself is returns a 403 response to the request with the message
no permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]

In this situation I would expect cerebro to present me with a login to allow me to enter credentials for access, since the anonymous access didn't have sufficient permissions.

This seems to be because the code is not expecting a 403 response and will only treat a 401 as the situation to ask for credentials:
https://github.com/lmenezes/cerebro/blob/main/public/js/app.js#L606

I've experimented with the source code and it seems if I add case 403: here then it seems to fix this issue and presents me with the typical login screen.

@jgough
Copy link
Author

jgough commented May 5, 2022

Looks like the 403 response is probably a bug in OpenSearch and it should be returning a 401. I have filed an issue here opensearch-project/security#1825

@jonkerw85
Copy link

@jgough This might not apply to you. But I'm running OpenSearch with an Nginx proxy in front of it. Nginx is configured with basic auth. This works flawlessly.

@jgough
Copy link
Author

jgough commented May 6, 2022

@wjonkerhulst I believe this is specifically related to the anonymous auth (setting anonymous_auth_enabled: true) so may not actually be a bug in Cerebro. Without anonymous auth enabled it works 100%.

@bkimbrough88
Copy link

I don't know about anonymous auth, but I found this error when I connected cerebro up to my OpenSearch cluster. I can view the nodes, but the overview page simply won't load:

{
  "error": "Failure for [_stats/docs,store?ignore_unavailable=true]"
}

Note I'm currently running OpenSearch 1.3.2 and connected to the cluster using my admin user and password with basic auth.

@jgough
Copy link
Author

jgough commented Jul 13, 2022

@bkimbrough88 That issue seems unrelated to this issue which is specifically around the HTTP response code 403 when anonymous_auth_enable is set to true. I have no issues with OpenSearch 1.3.2 and Cerebro when this is not set and can open the Overview page with no problem.

As an aside, try making a curl request to your database and check the user you are using to log in has permission to access e.g.
curl -u "username:password" http://myserver/_stats/docs,store?ignore_unavailable=true. If you get an error with a security exception then you may need to check the permissions of the user you are using.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants