-
Notifications
You must be signed in to change notification settings - Fork 715
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error connecting to OpenSearch server with selective anonymous access permitted #556
Comments
Looks like the |
@jgough This might not apply to you. But I'm running OpenSearch with an Nginx proxy in front of it. Nginx is configured with basic auth. This works flawlessly. |
@wjonkerhulst I believe this is specifically related to the anonymous auth (setting |
I don't know about anonymous auth, but I found this error when I connected cerebro up to my OpenSearch cluster. I can view the nodes, but the overview page simply won't load:
Note I'm currently running OpenSearch 1.3.2 and connected to the cluster using my admin user and password with basic auth. |
@bkimbrough88 That issue seems unrelated to this issue which is specifically around the HTTP response code As an aside, try making a curl request to your database and check the user you are using to log in has permission to access e.g. |
I don't know if OpenSearch is officially supporte by Cerebro but it seems to be 100% compatible. I am having an issue though when anonymous access is enabled. I suspect the same error below would also be present on Elasticsearch given the similarity.
To reproduce:
Result:
Cerebro tries to connect anonymously without authentication and returns the error
Unexpected response status: [403]
This is because the server can be accessed but the anonymous user is not allowed to monitor the health of the cluster - that requires a user with the correct permissions
OpenSearch itself is returns a
403
response to the request with the messageno permissions for [cluster:monitor/health] and User [name=opendistro_security_anonymous, backend_roles=[opendistro_security_anonymous_backendrole], requestedTenant=null]
In this situation I would expect cerebro to present me with a login to allow me to enter credentials for access, since the anonymous access didn't have sufficient permissions.
This seems to be because the code is not expecting a 403 response and will only treat a 401 as the situation to ask for credentials:
https://github.com/lmenezes/cerebro/blob/main/public/js/app.js#L606
I've experimented with the source code and it seems if I add
case 403:
here then it seems to fix this issue and presents me with the typical login screen.The text was updated successfully, but these errors were encountered: