Allow total access to everything except for Kibana users

Hello,

since I have a lot of services and different things writing documents to Elasticsearch I cannot give any kind of access restriction directly to Elasticsearch. Elasticsearch is not accessible to third party people.

The only interface between customers and Elasticsearch is Kibana. That is why I only want to give different restrictions to users that are accessing Elasticsearch through Kibana.

How do you do that?

Thank you

This is not possible. Users and roles are managed by the SG Elasticsearch plugin. Thus, you can’t implement access restrictions in Kibana when you do not configure any roles in Search Guard.

The only thing that comes to my mind would be to enable anonymous auth. This can be enabled in sg_config.yml. If this is active, all requests that do not carry any credentials are mapped automatically to the sg_anonymous role. You could then give this role full access to the cluster. However, this is of course far from being a secure solution …

From sg_config.yml:

For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. If none can be found the user will be authenticated as an “anonymous” user. This user has always the username “sg_anonymous” and one role named “sg_anonymous_backendrole”.

If you enable anonymous authentication all HTTP authenticators will not challenge.


On Thursday, August 9, 2018 at 5:58:29 PM UTC+2, Sven Bienert wrote:

> Hello,
>
> since I have a lot of services and different things writing documents to Elasticsearch I cannot give any kind of access restriction directly to Elasticsearch. Elasticsearch is not accessible to third party people.
>
> The only interface between customers and Elasticsearch is Kibana. That is why I only want to give different restrictions to users that are accessing Elasticsearch through Kibana.
>
> How do you do that?
>
> Thank you
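
The setup described in the answer above, sketched for the Search Guard 6 file layout. This is an added example, not configuration posted in the thread; the role `sg_customer_a`, the user `customer_a` and the index pattern `customer-a-*` are hypothetical.

```yaml
# --- sg_config.yml ---
searchguard:
  dynamic:
    http:
      # Requests that carry no credentials are authenticated as user
      # "sg_anonymous" with the backend role "sg_anonymous_backendrole".
      anonymous_auth_enabled: true
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false   # with anonymous auth, authenticators do not challenge
        authentication_backend:
          type: internal
---
# --- sg_roles_mapping.yml ---
sg_anonymous:
  backendroles:
    - sg_anonymous_backendrole
sg_customer_a:               # hypothetical role
  users:
    - customer_a             # hypothetical internal user
---
# --- sg_roles.yml ---
# Full access for every request without credentials. This covers any
# client that can reach the HTTP port, not only the internal services.
sg_anonymous:
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
# Read-only access to one customer's data indices (hypothetical pattern).
sg_customer_a:
  indices:
    'customer-a-*':
      '*':
        - READ
```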

Hello Jochen,

thanks for your answer. So with the Kibana plugin and anonymous auth enabled, would it be possible to log in with no credentials and then access the whole Elasticsearch cluster?

I currently have a reverse proxy HTTP basic auth as authentication for Kibana. If I restrict access to Kibana with that authentication and pass the credentials to Search Guard, would that work?

We have Elasticsearch integrated in a Big Data application with other services like Hazelcast and ActiveMQ. Applications, services and direct access by people are writing to Elasticsearch. It is not an option to modify each service and application to pass credentials to Elasticsearch. Elasticsearch is the data storage for our Big Data Management. That’s why restricting access or changing requests or any kind of other modifications are likely to break something inside the application. Kibana is used for visualizing and is planned to be exposed to customers, but yeah, as said, they should only get access to the indexes containing their data.