Hello Jay,

I am having a similar issue using ES 1.4.3 + Shield 1.1. As soon as my application instance (with embedded ES node.client) starts up, it throws:

*Caused by: org.elasticsearch.shield.authz.AuthorizationException: action [indices:admin/exists] is unauthorized for user [__es_system_user]*

and therefore my application will not start.

I have tried the following as per the documentation here (https://www.elastic.co/guide/en/shield/current/authentication.html#anonymous-access):

*shield.authc: anonymous: roles: admin*

and

*shield.authc: anonymous: username: __es_system_user roles: admin*

but they don't have any effect.

If there is any documentation I can read on the restriction(s) in ES/Shield, please can you point me to it? I need to understand if this is something we can program/config around or whether we can patch Shield 1.1 (we only support v1.1 until the next release of our application).

Thanks,
Steve.

On Wednesday, 22 April 2015 13:34:07 UTC+1, Jay Modi wrote:
>
> Hi Bert,
>
> Thank you for the detailed report and reproduction of this issue. This is
> a known limitation with Shield and certain operations in elasticsearch.
> We're working to resolve this in a future release.
>
> We will be documenting this limitation and all of the operations affected
> shortly; this was something that we had forgotten to document.
>
> -Jay
>
> On Monday, April 20, 2015 at 10:46:40 AM UTC-4, Bert Vermeiren wrote:
>>
>> Hi,
>>
>> Using:
>> * ElasticSearch 1.5.1
>> * SHIELD 1.2
>>
>> Whenever I use a terms lookup filter in a search query, I get an
>> UnAuthorizedException for the [__es_system_user] user although the actual
>> user has even 'admin' role privileges.
>> This seems a bug to me, where the terms filter does not have the correct
>> security context.
>>
>> This is very easy to reproduce, see gist:
>>
>> https://gist.github.com/bertvermeiren/c29e0d9ee54bb5b0b73a
>>
>> Scenario:
>>
>> # Add user 'admin' with default 'admin' role.
>> ./bin/shield/esusers useradd admin -p admin1 -r admin
>>
>> # create index.
>> curl -XPUT 'admin:admin1@localhost:9200/customer'
>>
>> # create a document on the index
>> curl -XPUT 'admin:admin1@localhost:9200/customer/external/1' -d '
>> {
>>   "name" : "John Doe",
>>   "token" : "token1"
>> }'
>>
>> # create additional index for the "terms lookup" filter functionality
>> curl -XPUT 'admin:admin1@localhost:9200/tokens'
>>
>> # create document in 'tokens' index
>> curl -XPUT 'admin:admin1@localhost:9200/tokens/tokens/1' -d '
>> {
>>   "group" : "1",
>>   "tokens" : ["token1", "token2" ]
>> }'
>>
>> # search with a terms lookup filter on the "customer" index, referring to the 'tokens' index.
>>
>> curl -XGET 'admin:admin1@localhost:9200/customer/external/_search' -d '
>> {
>>   "query": {
>>     "filtered": {
>>       "query": {
>>         "match_all": {}
>>       },
>>       "filter": {
>>         "terms": {
>>           "token": {
>>             "index": "tokens",
>>             "type": "tokens",
>>             "id": "1",
>>             "path": "tokens"
>>           }
>>         }
>>       }
>>     }
>>   }
>> }'
>>
>>
>> => org.elasticsearch.shield.authz.AuthorizationException: action
>> [indices:data/read/get] is unauthorized for user [__es_system_user]
>>