弹性搜索中的Active

Question

我正在尝试使用AD身份验证。我可以成功登录，但我没有授权执行任何查询奇迹。每次我以惊奇的方式执行查询时，我都会得到以下的error.Below细节

{
   "error": "AuthorizationException[action [indices:data/read/search] is unauthorized for user [shivang.Mittal]]",
   "status": 403
}

elasticsearch.yml (C:\ES\elasticsearch-1.4.4\config)

 shield:
   authc:
     realms:
       active_directory:
         type: active_directory
         domain_name: tavant.in
         url: "LDAP://DODC1.tavant.in:389"
         user_dn_templates:
          - "cn={0}, dc=tavant, dc=in"
         group_search:
          base_dn: "dc=tavant,dc=in"
         files:
           role_mapping: "C:/ES/elasticsearch-1.4.4/config/shield/role_mapping.yml"

role_mapping.yml (C:\ES\elasticsearch-1.4.4\config\shield)。在Node(C:\ES\elasticsearch-1.4.4\data\elasticsearch\nodes\0)中复制相同的文件

admin:
  - "cn=users, dc=tavant,dc=in"

roles.yml

admin:
  cluster: all
  indices:
    '*': all

更新

根据Jaymode的建议，我添加了shield.auth: debug。下面是日志(我认为这是有用的)

    [2015-04-27 11:54:12][DEBUG][shield.authc.ldap.support] [Talisman] the roles [[]], are mapped from these [active_directory] groups [[CN=Users,CN=Builtin,DC=tavant,DC=in, CN=Domain Users,CN=Users,DC=tavant,DC=in, 
    [2015-04-27 11:54:14,935][DEBUG][shield.authc.activedirectory] [Talisman] authenticated user [shivang.Mittal], with roles [[]]
    [2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] error adding the marvel template to [[0:0:0:0:0:0:0:0]:9200] response code [401 Unauthorized]. content: [{"error":"AuthenticationException[missing authentication token for REST request [/_template/marvel]]","status":401}]
    [2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
    Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel
[2015-04-27 11:54:16,447][ERROR][marvel.agent.exporter    ] [Talisman] failed to verify/upload the marvel template to [[0:0:0:0:0:0:0:0]:9200]:
Server returned HTTP response code: 401 for URL: http://[0:0:0:0:0:0:0:0]:9200/_template/marvel

Answer 1

编辑2：基于日志消息，您可能希望使用以下映射

admin:
  - "CN=Users,CN=Builtin,DC=tavant,DC=in"

编辑：我想我看到你的问题了。在您的role_mapping.yml中有：

admin:
  - "cn=users, dc=tavant,dc=tavant"

最有可能的是：

admin:
  - "cn=users,dc=tavant,dc=in"

我想知道用于角色映射的DN是否正确并正在检索。如果设置了调试日志，将记录为用户找到的组列表。要启用调试日志记录，请编辑C:\ES\elasticsearch-1.4.4\config\logging.yml文件：

...
logger:
    # Add the line below
    shield.authc: DEBUG
...

日志行将如下所示：the roles [], are mapped from these [active_directory] groups [ list of group DNs here ] for realm [active_directory/active_directory]

在这一行中，您将找到检索到的组DNs的实际列表。此外，您的领域配置可以简化为以下内容：

shield:
  authc:
    realms:
      active_directory:
        type: active_directory
        domain_name: tavant.in
        url: "LDAP://DODC1.tavant.in:389"

实际上，其他设置似乎只是指定未指定的默认值。