用户:anonymous 无权对资源执行:es:ESHttpPost:
[英]User: anonymous is not authorized to perform: es:ESHttpPost on resource:
问题描述
I'm having this issue with my app.
我的应用程序遇到了这个问题。 my app is deployed to Heroku server, and i'm using Elasticsearch which is deployed on AWS.我的应用程序部署到 Heroku 服务器,我使用的是部署在 AWS 上的 Elasticsearch。 when i try to access locally to Elasticsearch - on aws domain - everyting works.当我尝试在本地访问 Elasticsearch - 在 aws 域上 - 一切正常。 but,when i try to access to my Heroku domain (both from postman) i get 503 error with this message :但是,当我尝试访问我的 Heroku 域(都来自邮递员)时,我收到 503 错误消息:
2017-12-21T13:36:52.982331+00:00 app[web.1]: statusCode: 403,
2017-12-21T13:36:52.982332+00:00 app[web.1]: response: '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost on resource: houngrymonkey"}',
my access policy is :我的访问政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "[heroku static ip]"
}
}
}
]
}
can anyone tell me what is my problem here?谁能告诉我我的问题是什么? thanks!谢谢!
2 个解决方案
解决方案1
4 2018-01-29 16:35:26
I've experienced the same issue with ES and lambda, it's not exactly your case, but maybe it'll be helpful.What actually I did to resolve the issue我在 ES 和 lambda 上遇到过同样的问题,这不完全是你的情况,但也许它会有所帮助。实际上我做了什么来解决这个问题
1) in lambda ( Node.js v6.10 ) I added the following code: 1) 在 lambda ( Node.js v6.10 ) 中,我添加了以下代码:
var creds = new AWS.EnvironmentCredentials('AWS');
....
// inside "post to ES"-method
var signer = new AWS.Signers.V4(req, 'es');
signer.addAuthorization(creds, new Date());
....
// post request to ES goes here
With those lines my exception changed from "User: anonymous..." to "User: arn:aws:sts::xxxx:assumed-role/yyyy/zzzzz" That was exactly the case.通过这些行,我的异常从"User: anonymous..."更改为"User: arn:aws:sts::xxxx:assumed-role/yyyy/zzzzz"情况正是如此。
2) I've updated ES policy in the following way 2)我已经通过以下方式更新了 ES 政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::xxxx:assumed-role/yyyy/zzzzz" (which was in exception)
},
"Action": "es:*",
"Resource": "arn:aws:es:[region]:[account-id]:domain/[es-domain]/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:[region]:[account-id]:domain/[es-domain]/*"
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.2.3.4/32",
....
]
}
}
}
]
}
Hope that will help.希望这会有所帮助。
解决方案2
1 2020-09-01 02:42:25
More solutions to the error mentioned in title are described here : 此处描述了针对标题中提到的错误的更多解决方案:
If you are using a client that doesn't support request signing (such as a browser), consider the following:如果您使用的是不支持请求签名的客户端(例如浏览器),请考虑以下事项:
- Use an IP-based access policy.使用基于 IP 的访问策略。 IP-based policies allow unsigned requests to an Amazon ES domain.基于 IP 的策略允许对 Amazon ES 域的未签名请求。
- Be sure that the IP addresses specified in the access policy use CIDR notation.确保访问策略中指定的 IP 地址使用 CIDR 表示法。 Access policies use CIDR notation when checking IP address against the access policy.根据访问策略检查 IP 地址时,访问策略使用 CIDR 表示法。
- Verify that the IP addresses specified in the access policy are the same ones used to access your Elasticsearch cluster.验证访问策略中指定的 IP 地址是否与用于访问您的 Elasticsearch 集群的 IP 地址相同。 You can get the public IP address of your local computer at https://checkip.amazonaws.com/ .您可以在https://checkip.amazonaws.com/获取本地计算机的公共 IP 地址。
Note: If you're receiving an authorization error, check to see if you are using a public or private IP address.注意:如果您收到授权错误,请检查您使用的是公共 IP 地址还是私有 IP 地址。 IP-based access policies can't be applied to Amazon ES domains that reside within a virtual private cloud (VPC).基于 IP 的访问策略不能应用于驻留在 Virtual Private Cloud (VPC) 中的 Amazon ES 域。 This is because security groups already enforce IP-based access policies.这是因为安全组已经实施了基于 IP 的访问策略。 For public access, IP-based policies are still available.对于公共访问,仍然可以使用基于 IP 的策略。 For more information, see About access policies on VPC domains.有关更多信息,请参阅关于 VPC 域上的访问策略。
If you are using a client that supports request signing, check the following:如果您使用支持请求签名的客户端,请检查以下内容:
Be sure that your requests are correctly signed.
确保您的请求已正确签名。 AWS uses the Signature Version 4 signing process to add authentication information to AWS requests. AWS 使用签名版本 4 签名过程向 AWS 请求添加身份验证信息。 Requests from clients that aren't compatible with Signature Version 4 are rejected with a "User: anonymous is not authorized" error.来自与签名版本 4 不兼容的客户端的请求会因“用户:匿名未授权”错误而被拒绝。 For examples of correctly signed requests to Amazon ES, see Making and signing Amazon ES requests.有关向 Amazon ES 正确签署请求的示例,请参阅创建和签署 Amazon ES 请求。Verify that the correct Amazon Resource Name (ARN) is specified in the access policy.
验证访问策略中是否指定了正确的 Amazon 资源名称 (ARN)。
If your Amazon ES domain resides within a VPC, configure an open access policy with or without a proxy server.如果您的 Amazon ES 域驻留在 VPC 中,请配置开放访问策略,无论是否使用代理服务器。 Then, use security groups to control access.然后,使用安全组来控制访问。 For more information, see About access policies on VPC domains.有关更多信息,请参阅关于 VPC 域上的访问策略。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.