0

我正在尝试使用 AD 身份验证。我能够成功登录,但我无权在 Marvel 中执行任何查询。每次我在奇迹中执行查询时,我都会收到以下错误。以下是详细信息

{
   "error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
   "status": 403
}

elasticsearch.yml (C:\ES\elasticsearch-1.4.4\config)

 shield:
   authc:
     realms:
       active_directory:
         type: active_directory
         domain_name: tavant.in
         url: "LDAP://DODC1.tavant.in:389"
         user_dn_templates:
          - "cn={0}, dc=tavant, dc=in"
         group_search:
          base_dn: "dc=tavant,dc=in"
         files:
           role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"

role_mapping.yml (C:\ES\elasticsearch-1.4.4\config\shield)。在 Node(C:\ES\elasticsearch-1.4.4\data\elasticsearch\nodes\0) 中复制了相同的文件

admin:
  - "cn=users, dc=tavant,dc=in"

角色.yml

admin:
  cluster: all
  indices:
    '*': all

更新

根据 Jaymode 的建议,我添加了 shield.auth: debug。下面是日志(我认为这很有用)

    [2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in, 
    [2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
    [2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
    [2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
    Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
4

1 回答 1

3

编辑 2:根据您的日志消息,您可能希望使用以下映射

admin:
  - "CN=Users,CN=Builtin,DC=tavant,DC=in"

编辑:我想我看到了你的问题。在你的 role_mapping.yml 你有:

admin:
  - "cn=users, dc=tavant,dc=tavant"

它很可能是:

admin:
  - "cn=users,dc=tavant,dc=in"

我想知道您用于角色映射的 DN 是否正确并且正在被检索。如果您设置调试日志记录,则会记录为用户找到的组列表。要启用调试日志记录,请编辑 C:\ES\elasticsearch-1.4.4\config\logging.yml 文件:

...
logger:
    # Add the line below
    shield.authc: DEBUG
...

日志行将如下所示:the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]

在该行中,您将找到检索到的组 DN 的实际列表。此外,您的领域配置可以简化为以下内容:

shield:
  authc:
    realms:
      active_directory:
        type: active_directory
        domain_name: tavant.in
        url: "LDAP://DODC1.tavant.in:389"

其他设置实际上似乎只是指定了未指定的默认值。

于 2015-04-24T18:25:05.090 回答