Access Control in Elastic - missing authentication credentials for REST request - elasticsearch

I am using Elastic 7.9.2 version and wanted to use security.
so I ran :
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
and then added
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p1
in config/elasticsearch.yaml
Now when I am running the ES by
bin/elasticsearch
getting below error :
"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials
for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST
request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-
8\""}},"status":401}root#ip-localhost:/var/log/elasticsearch
Can anyone please help!

Just pass authentication credential with url like below
curl -X GET "http://localhost:9200" -u elastic:pass123

I had security already enabled and user authentication working. Kibana loaded fine.
I have a 3 node cluster and stopped elasticsearch service on each node so I could add transport ssl.
After enabling xpack.security.transport.ssl.enabled and keystore and truststore settings, I got the same ""missing authentication credentials for REST request" error in Kibana. Turns out the error was because I only had one node running and needed a minimum of two. After enabling transport ssl on another node and starting it, kibana worked again.

If you enable security for your cluster you & still got some error with AUTH yours clients, documentation wrote, what you need enable ssl for client optional OR required. Please, read the original topic: https://discuss.elastic.co/t/missing-authentication-for-rest-request/154807/13

You need to pass the credentials with your request with -u username:password

To add the credentials to curl, you need to know them. The root user is elastic, the passwords can be reset using
bin/elasticsearch-setup-passwords auto
Then, you can use
curl -X GET "http://localhost:9200" -u elastic:password_from_console
as written above (go upvote).

GET https://localhost:9200
Authorization: Basic elastic:{your user password}

Related

Kerberos HTTP service Using GSS shows No valid credentials due to domain name or host name mismatch

I am having a Micro-Service Platform having multiple Micro-Services connected to each other, Platform uses Kerberos for authentication of Micro-Services. In One of Micro-Service Node hadoop is installed which uses separate KDC for Hadoop cluster authentication.
Lets say platform domain is "idm.com" and hadoop domain is "hadoop.com".
Resource Manager is running on one node. I have configure HTTP principal for spnego in core-site.xml using "hadoop.http.authentication.kerberos.principal" property to "HTTP/master.hadoop.com#HADOOP.COM" and nodes Hostname is "hadoopmaster.idm.com".
I do Kinit and acquire root user ticket from TGS. When I tried to do curl using "curl -k -v --negotiate -u : https://master.hadoop.com:8090/cluster" It shows GSS Exception: No valid credentials provided.
If I see klist it shows two ticket one krbtgt and second "HTTP/hadoopmaster.idm.com#HADOOP.COM"(I have added this principal in kdc database). First krbtgt i got using kinit and second HTTP one i Got it automatically after doing curl before curl the ticket was not there. Krb client acquired another for using HTTP service.
After some debugging I noticed the problem/behaviour is I got ticket for HTTP/hadoopmaster.idm.com#HADOOP.COM where I have configure hadoop to use HTTP/master.hadoop.com#HADOOP.COM. If we configure hadoop to use "HTTP/hadoopmaster.idm.com#HADOOP.COM" then ui is accessible.
I have added both FQDNs to /etc/hosts file.
It seems when I do curl using any of the FQDNs I got the HTTP ticket of the first entry in /etc/hosts file.
For example if
...
10.7.0.5 hadoopmaster.idm.com
10.7.0.5 master.hadoop.com
...
now if i do curl i will get HTTP/hadoopmaster.idm.com#HADOOP.COM in klist.
and if /etc/hosts looks like this
...
10.7.0.5 master.hadoop.com
10.7.0.5 hadoopmaster.idm.com
...
Now if i do curl i will get HTTP/master.hadoop.com in klist
In both the cases if i configure the hadoop property to the same i got using curl then UI will be accessible and other wise it will shows 403 GSSException which i guess means curl used spnego but didn't get valid credentials.
And if it matches with the hadoop's configured principal then it will work.
It looks like Hostname is causing problem is there any way to map this hostname or is there any kerberos config which can map this or any property which will give me exact ticket with exact hostname i have specified in curl despite of hadoop configurations.

Can't cURL information from Elasticsearch cluster

I am trying to install and setup Elasticsearch on a remote Machine running CenOS7 via this guide. Following the install and start instructions for RPM I entered the cURL command given on the guide to check its up and running: curl --cacert $ES_PATH_CONF/certs/http_ca.crt -u elastic https://localhost:9200
I was met with the following message:
curl: (77) Problem with the SSL CA cert (path? access rights?)
I tried to go to the domain with the following command:
curl https://localhost:9200/
And was met with this:
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So I tried the previous command once adding a '-k' but was met with this error:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
I was able to complete the guide on my MacBook but have almost no experience working with remote machines or in CentOS 7. How do I successfully cURL the cluster information?

Can I use Elasticsearch https without cert and authentication

I successfully setup HTTPS for Elasticsearch server. Now I can use curl like curl -u elastic:111111 --cacerts "Path/to/my/cert" https://localhost:9200. How can I setup to use curl without user authentication and cert?
Sorry for my bad English :(

What is the default Username and Password for ElasticSearch 7.2.0 (when x-pack enabled)?

I did the change in config/elasticsearch.yml to
xpack.security.enabled: true
And now after starting elasticsearch (./bin/elasticsearch) and then do:
curl localhost:9200
getting:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
Then tried these 2:
curl localhost:9200 -u elastic:elastic
curl localhost:9200 -u elastic:changeme
getting:
{"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]",
"header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}], "type":"security_exception", "reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}%
What is the default username/password for Elasticsearch 7.2.0?
You need to use elasticsearch-setup-passwords util to generate/set password for the inbuilt user of elastic.
To setup password you can use either one of the following commands:
bin/elasticsearch-setup-passwords interactive
bin/elasticsearch-setup-passwords auto
The interactive parameter prompts new password for the users, whereas auto generates them for you.
elastic user is the superuser for elastic-cluster.
Read more one configuring security here.

Get windows proxy username/password

I have an access to a preconfigured Windows XP 32-bit workstation.
It's under firewall and to get outside it uses http proxy server.
To get proxy settings I need host, port, username and password.
http: // username : password # server : port
I'm able to find the proxy url and port (from PAC - automatic config file),
but I don't know how to get username/password. Is there a way to read it somehow? At least username? I might get the admin rights.
Do you know any tool that can help?
I only found these MS docs about some methods to get proxy config connection, but I don't know how to determinate what's the provided credentials:
WinHttpGetIEProxyConfigForCurrentUser function
WINHTTP_CURRENT_USER_IE_PROXY_CONFIG structure
WinHttpGetProxyForUrl function
I've also found this lib, but it's rather for parsing PAC:
http://code.google.com/p/pacparser/
In windows you cannot get password.
To get connect throw a proxy you have to use SSPI, check libcurl, you can get a connected socket throw proxy, build it with enable-sspi and openssl.
Iterating on Fernando Sanchez's answer and Robert's comment, you need to authenticate via SSPI. In my case I've connected using NTLM using this link
With curl using ntlm :
curl.exe --proxy <proxy_name>:<proxy_port> --proxy-ntlm -U : https://www.google.com
Also to partially answer your question the -U : means from curl man page :
If you use a Windows SSPI-enabled curl binary and do either Negotiate
or NTLM authentication then you can tell curl to select the user name
and password from your environment by specifying a single colon with
this option: "-U :".
You can get the proxy name and port from the windows registry (regedit). Quote from Robert's comment:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
It can be present either in a manual way using REG_SZ ProxyServer or using an autoconfiguration script using REG_SZ AutoConfigURL = https://<configuration_url>
If the curl command above fails with Failure when receiving data from the peer maybe you have a curl release without NTLM, SSPI or OpenSSL. Try with the latest curl release

Resources