I've installed Shield plugin for ES and configured users with roles. But when I try to index some data with configured user, I always received this error:
[2015-11-22 10:31:58,795][INFO ][rest.suppressed ] /app-nginx-stats-2015-11-22/http-stats Params: {}
ElasticsearchSecurityException[unable to authenticate user [es_admin] for REST request [/app-nginx-stats-2015-11-22/http-stats]]
at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:39)
I know about issue with # in password so I've changed it to 123456 - doesn't help.
I also executed esusers list on ES node and I see my users in the output.
So what other common mistakes could lead to "unable to authenticate user" error? Or how can I debug such issues?
Related
I just defined the user in Elasticsearch (through Kibana UI) and want to test the user can reach and authorize in Elastic.
What endpoint can I use for testing a user is known to Elastic from the user's perspective? (no high privileges admin API)
All I tries required some kind of roles, requests looked like:
curl --basic --user user:pass https://evil.com:9200/_cat/indices
UPDTE With curl -v I see 401 / 403 to differentiate if password is correct, I'd like to have some endpoint that returns 200 for the correct password and 401 for incorrect or non existing user...
If I am understanding right so you just want to check if kibana is opening only with defined username and password or not.
So you can just hit
https://your_ip or kibana_ip_whichever_given:5601
or
http://your_ip or kibana_ip_whichever_given:5601
if you have used xpack.security in it then try https otherwise try it with http
You can use the X-Pack API to test if the user is known to the Elasticsearch cluster, without requiring high privileges. The API is available at the endpoint /_xpack/security/user/<username> and will return a 200 status code if the user is known and an error code (e.g. 401 or 403) if the user is not known or not authorized.
for more... https://discuss.elastic.co/t/216937
I am trying to connect to my Cockroachdb cluster using:
ccloud auth login && \
ccloud cluster sql ocean-panda
To which I am getting the following error:
logged in to "YASH KOTHARI's Organization" (org-3447v) as YASH KOTHARI
Retrieving cluster info: failed
Error: 401 Unauthorized
2022/11/02 17:58:59 401 Unauthorized
Therefore, it is logging into my account, but not giving me access to any of my clusters. What to do? Did I mess up any certificates or something? I have tried to remove and reinstall anything cockroachdb related but nothing is working. I tried to do this on someone else's system and it is working fine. I am getting this error just on my system!
I am on a Mac (M1) btw.
Thanks a ton for sharing this, we're currently testing some new connection flows using the ccloud CLI and this is a new one!
I'm going to look into it on our side, since this looks like a bug. In the meantime I'd recommend using the other connection options that are available. They can be reached using the "Connect" button in the cluster overview page.
A few other steps that could potentially get it working:
ccloud auth logout && ccloud auth login to refresh the login parameters
ccloud cluster list and see if the same error occurs
I am trying to do the performance testing of a logistics application. 2 types of users are there - Internal users & External Users. For internal users the authentication process happens normally; usual database. I was successful in executing the jmx script for Internal users. But for External users, the authentication process happens with Active Directory. In this case when i tried to execute the jmx script, the user is not getting logged in to the application. But the login api doesn't gives any error, the Response Code is 200 but in Response I'm getting the message "Try again". Do we need to do any additional settings in Jmeter for Active Directory Authentication? Can anybody help me in this?
For "internal" users you might need to add HTTP Authorization Manager and configure not only username and password but also domain, realm and use appropriate mechanism for NTLM or Kerberos
See Windows Authentication with Apache JMeter article for more detailed explanation and example configurations
You may be missing out on a few key things such as HTTP Headers or some additional data that needs to be sent with the request.
To resolve this. you can analyze the request in the developer tools of your browser and then generate the same headers with the request. This will resolve the issue.
I have GSuite Service Account and My app uses following scopes (these are working fine) :
https://www.googleapis.com/auth/admin.directory.customer.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/drive.metadata.readonly,https://www.googleapis.com/auth/drive.photos.readonly
Now I Have to access gsuite groups, As mentioned here in api documentation : https://developers.google.com/admin-sdk/directory/v1/reference/groups/list
I Added these two scopes :
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.group
in my already existing scopes, and I'm unable to authorise my application now.
When I try to check this via api explorer in the above link, It throws an error : 400 - Bad Request. But the strangest thing happen, it returned 200 ONCE only while trying and returned the group I created, But I'm unable to make successful call again and keeps getting error.
Is there anything I'm missing here? Any help will be really appreciated.
Thanks.
NOTE: I can access gsuite users with above scopes as well, the issue is only with the groups.
As is mentioned on the documentation, 400 error is not related to the scopes that you are using. However the explorer API information is not correct as the "Customer" field is required, You can try it typing my_customer on that field and you should get a 200 if your user has the proper permissions.
I have submitted a request to update the current documentation.
I have installed the Dynatrace client and I've been using if for months. After a Windows password reset I am getting this error. I have tried entering the new and old password.
Error on Login - The login failed because either the specified user name or password is incorrect, or you are not allowed to access this Dynatrace Server.
Thank you
This could be cache issues or something at the AppMon server:
If the LDAP server is down completely, LDAP users cannot log in.
However, successful user authentications are cached on the AppMon
Server for 10 minutes by default. If the same user logs in within this
time frame, no LDAP request is sent again and the user's
authentication timeout is prolonged. The user's group membership is
not verified or updated within this time frame.
You can configure the authentication timeout by changing the value of the following system property in the dtserver.ini file:
-Dcom.dynatrace.diagnostics.ldapAuthenticationTimeout=600
Reference: Dynatrace AppMon Documentation