The documentation states that the syntax for the “/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml” file to use an RSA public key is as follows:
jwt_auth_domain:
  ...
    config:
      signing_key: |-
        -----BEGIN PUBLIC KEY-----
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQK...
        -----END PUBLIC KEY-----
  ...
When, however, I try to run securityadmin.sh, I receive the following error:
ERR: Seems ../securityconfig/config.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while scanning a simple key
in 'reader', line 132, column 1:
-----BEGIN PUBLI
^
My JWT auth configuration in "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml" is as follows:
is a redaction of my valid RSA public key for the purposes of this comment.
When I add a BASE64-encoded secret in lieu of the RSA key (example below), it is accepted fine, but I need to use RS256.
config:
  signing_key: "secret_key"
Is there an error in my syntax? I’ve been head-scratching for hours but cannot get the config.yml file to accept an RSA key. I tried putting the key on one line with “\n” as line breaks, although the error persisted. Any help/advice would be greatly appreciated!
Right, so I’ve solved my own issue, which was embarrassingly simple.
I’ll share my troubleshooting to resolution for anybody else who has this issue:
Turns out my indentation was incorrect in the .yml file. By amending it to the following, the securityadmin.sh script completed without error in the console:
There was however then an error in the elasticsearch.log file which is:
Error creating JWT authenticator: io.jsonwebtoken.io.DecodingException: Illegal base64 character: '
'. JWT authentication will not work
io.jsonwebtoken.io.DecodingException: Illegal base64 character: '
'
at io.jsonwebtoken.io.Base64.ctoi(Base64.java:206) ~[jjwt-api-0.10.5.jar:?]
at io.jsonwebtoken.io.Base64.decodeFast(Base64.java:255) ~[jjwt-api-0.10.5.jar:?]
at io.jsonwebtoken.io.Base64Decoder.decode(Base64Decoder.java:21) ~[jjwt-api-0.10.5.jar:?]
at io.jsonwebtoken.io.Base64Decoder.decode(Base64Decoder.java:8) ~[jjwt-api-0.10.5.jar:?]
at io.jsonwebtoken.io.ExceptionPropagatingDecoder.decode(ExceptionPropagatingDecoder.java:21) ~[jjwt-api-0.10.5.jar:?]
at com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator.<init>(HTTPJwtAuthenticator.java:76) [opendistro_security_advanced_modules-1.2.0.0.jar:1.2.0.0]
at jdk.internal.reflect.GeneratedConstructorAccessor66.newInstance(Unknown Source) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at com.amazon.opendistroforelasticsearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:259) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:334) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:251) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:60) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:165) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:308) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:297) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:280) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:126) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:58) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at org.elasticsearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:129) [elasticsearch-7.2.0.jar:7.2.0]
at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:246) [elasticsearch-7.2.0.jar:7.2.0]
at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:242) [elasticsearch-7.2.0.jar:7.2.0]
at com.amazon.opendistro.elasticsearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) [opendistro_performance_analyzer-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceivedDecorate(OpenDistroSecuritySSLRequestHandler.java:164) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.transport.OpenDistroSecurityRequestHandler.messageReceivedDecorate(OpenDistroSecurityRequestHandler.java:163) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceived(OpenDistroSecuritySSLRequestHandler.java:86) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin$7$1.messageReceived(OpenDistroSecurityPlugin.java:623) [opendistro_security-1.2.0.0.jar:1.2.0.0]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:63) [elasticsearch-7.2.0.jar:7.2.0]
at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:703) [elasticsearch-7.2.0.jar:7.2.0]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:758) [elasticsearch-7.2.0.jar:7.2.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.2.0.jar:7.2.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:835) [?:?]
I was able to resolve this by removing the line breaks from the cert, for example:
jwt_auth_domain:
  description: "Authenticate via Json Web Token"
  http_enabled: true
  transport_enabled: false
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: |-
        -----BEGIN PUBLIC KEY-----
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        -----END PUBLIC KEY-----
      jwt_header: "Authorization"
      jwt_url_parameter: "jwtToken"
      roles_key: null
      subject_key: null
  authentication_backend:
    type: noop
After making this amendment to the config.yml and rerunning the securityadmin.sh script, JWT authentication is working.
I was having similar issues and found that I also needed to format the key on a single line to get it to work. But I also didn’t realize that there is a difference between the public key and the public cert. I was pasting in the public cert PEM data instead of the public key PEM data. I had to use an openssl command to extract the public key from the public cert, and once I did that everything started working. In my case I was starting out with a PFX file that I am using for SSL and found that I can use the same cert for JWT as well; I just had to extract the right parts.
-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt6GjgJTJUztz7ATm3+vYPGnnotQ5hFX57OL1UkLoqVKr+sfS6DxCl9f4/2L818TLYbtn0h9GnUOf/8XJLQpWy+B6uK3X0vVMJyzYqIaRrhUStZTXUnxOwSCzEk2sq7MT2akStA4QwtsJ9b6YbkWq4Tp0ml0kWYsqIDELnza7YJRjmDR/AFPbqiFdCANFpUtuq/heiVux9vZb881dYUmkcYtC3voH2J+KYAoCmljOtg33ioeVBLkrhzGW/7u2XJ+ELTrk7ZrXrDxpQmYaL3aojMv60BFI+WoY4xFjrTai2D1fao32I6sOcITyY6K74HCo+Fyx6cc6UiJEO5bDGrfFNQIDAQAB-----END PUBLIC KEY-----
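The two fixes in this thread (the single-line key from the self-answer above, and the cert-versus-key confusion from the last reply) can both be checked before config.yml is pushed with securityadmin.sh. The script below is an added example, not part of the thread or of Open Distro; it uses only the Python standard library and takes the 2048-bit RSA public key posted in the last reply as its sample input. It models what the log shows the plugin doing: strip the PEM markers, base64-decode the rest with a strict decoder that treats a newline as an illegal character (the jjwt "Illegal base64 character" error), then confirm the bytes are an RSA SubjectPublicKeyInfo and not an X.509 certificate. The function names and the 64-column wrapping helper are this example's own.

```python
import base64
import re
import string

# Constructed sample: the 2048-bit RSA public key posted in the last reply of this
# thread, already in the single-line form that the replies found to work.
SINGLE_LINE_PEM = (
    "-----BEGIN PUBLIC KEY-----"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt6GjgJTJUztz7ATm3+vY"
    "PGnnotQ5hFX57OL1UkLoqVKr+sfS6DxCl9f4/2L818TLYbtn0h9GnUOf/8XJLQpW"
    "y+B6uK3X0vVMJyzYqIaRrhUStZTXUnxOwSCzEk2sq7MT2akStA4QwtsJ9b6YbkWq"
    "4Tp0ml0kWYsqIDELnza7YJRjmDR/AFPbqiFdCANFpUtuq/heiVux9vZb881dYUmk"
    "cYtC3voH2J+KYAoCmljOtg33ioeVBLkrhzGW/7u2XJ+ELTrk7ZrXrDxpQmYaL3ao"
    "jMv60BFI+WoY4xFjrTai2D1fao32I6sOcITyY6K74HCo+Fyx6cc6UiJEO5bDGrfF"
    "NQIDAQAB"
    "-----END PUBLIC KEY-----"
)

B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")
# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
PEM_RE = re.compile(r"\s*-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----\s*$", re.S)


def strict_b64decode(text: str) -> bytes:
    """Decode the way a strict decoder such as jjwt's does: any character outside
    the base64 alphabet, a newline included, is an error, not whitespace to skip."""
    for ch in text:
        if ch not in B64_ALPHABET:
            raise ValueError(f"Illegal base64 character: {ch!r}")
    return base64.b64decode(text, validate=True)


def split_pem(pem: str) -> tuple:
    """Return (label, body) for one PEM block; the body keeps its original whitespace."""
    m = PEM_RE.match(pem)
    if m is None:
        raise ValueError("not a single PEM block with matching BEGIN/END markers")
    return m.group(1), m.group(2)


def to_single_line(pem: str) -> str:
    """Rewrite a PEM block into the line-break-free form used in the replies above."""
    label, body = split_pem(pem)
    return f"-----BEGIN {label}-----{''.join(body.split())}-----END {label}-----"


def wrap_pem_rfc7468(pem: str) -> str:
    """The conventional 64-column layout that openssl prints and that the original
    question pasted; kept here to show the contrast with to_single_line."""
    label, body = split_pem(pem)
    compact = "".join(body.split())
    lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])


def check_signing_key(pem: str) -> bytes:
    """Validate a candidate signing_key value before it goes into config.yml.

    Returns the DER-encoded SubjectPublicKeyInfo on success and raises ValueError
    with the reason otherwise: wrong PEM type (a certificate instead of a key),
    line breaks that a strict decoder rejects, or bytes that are not an RSA key."""
    label, body = split_pem(pem)
    if label == "CERTIFICATE":
        raise ValueError("this is an X.509 certificate, not a public key; "
                         "extract the public key from it first")
    if label != "PUBLIC KEY":
        raise ValueError(f"unexpected PEM type {label!r}; need a PUBLIC KEY block")
    der = strict_b64decode(body)  # fails on embedded newlines, as the log above shows
    # SubjectPublicKeyInfo is SEQUENCE { AlgorithmIdentifier, BIT STRING }; for an
    # RSA key the AlgorithmIdentifier carries the rsaEncryption OID near the start.
    if der[:1] != b"\x30" or RSA_ENCRYPTION_OID not in der[:32]:
        raise ValueError("decoded bytes are not an RSA SubjectPublicKeyInfo")
    return der


def explain(pem: str) -> str:
    """One-line verdict for a candidate value, convenient for a pre-deploy check."""
    try:
        der = check_signing_key(pem)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: {len(der)}-byte RSA SubjectPublicKeyInfo"


if __name__ == "__main__":
    multi_line = wrap_pem_rfc7468(SINGLE_LINE_PEM)
    print("64-column PEM  ->", explain(multi_line))
    print("single-line PEM ->", explain(to_single_line(multi_line)))
    print("certificate     ->", explain("-----BEGIN CERTIFICATE-----AAAA-----END CERTIFICATE-----"))
```

Running it shows the 64-column form rejected with the same "Illegal base64 character" complaint the elasticsearch.log carried, the single-line form accepted as a 294-byte SubjectPublicKeyInfo, and a CERTIFICATE block refused outright. For the last case, the public key has to be extracted from the certificate first: `openssl x509 -in cert.pem -pubkey -noout` prints the PUBLIC KEY block for a PEM certificate, and `openssl pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem` gets the certificate out of a PFX beforehand; the output of either can then be fed through to_single_line before it is pasted into config.yml.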