authentication failed through jwt

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Version Info:

Elasticsearch version:6.1.1-20.1, Search Guard Version: 6.1.1; Kibana: 6.1.1;

JVM version: 1.8.0_131, Win 10;

Problem:

With some help from this group, I finally enabled the jwt_auth_domain.

But I still can't log in to Kibana through JWT; below is my configuration.

elasticsearch.yml:

######## Start Search Guard Demo Configuration ########
···
######## End Search Guard Demo Configuration ########
searchguard.cache.ttl_minutes: 0

kibana.yml:

elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader

sg_config.yml:

jwt_auth_domain:
    enabled: true
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: jwt
      challenge: false
      config:
        signing_key: "key..."
        jwt_header: "jwtheader"
        jwt_url_parameter: "Authorization"
        roles_key: null
        subject_key: null
    authentication_backend:
      type: noop

Login failed for both Elasticsearch and Kibana; here are the three methods I've tried.

  1. https://localhost:9200/?authorization=<token>
  2. http://localhost:5601/?jwtparam=<token>
  3. http://localhost:5601 with header

Logging in to ES with the Authorization header, I got this error:

[2018-01-24T10:15:12,353][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2018-01-24T10:15:12,353][WARN ][c.f.s.a.BackendRegistry ] Authentication finally failed for null

···

After changing Bearer to Basic, I got this error:
Authentication finally failed for {"alg"

I think this is the header of this JWT token, but why?

Doesn't ES support JWT authorization?

···

After enabling the error log in ES, it turns out the signature is not right.

http://docs.search-guard.com/latest/troubleshooting-tls

Add the following lines in config/log4j2.properties and restart your node:

logger.searchguard.name = com.floragunn
logger.searchguard.level = debug

This will already print out a lot of helpful information in your log file. If this information is not sufficient, you can also set the log level to trace.
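Two symptoms from the posts above, reproduced as an added example (not code from Search Guard or from the posters): why a JWT sent under the Basic scheme is logged as user `{"alg"`, and how to check offline whether an HS256 token verifies against the configured `signing_key` value read raw or base64-decoded. The secret and tokens are constructed; `basic_username` is a simplified model of a lenient Basic parser, and which reading of the key the server applies is an assumption to confirm against your version's documentation.

```python
import base64, hashlib, hmac, json, re

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mac(secret: bytes, head: str, body: str) -> bytes:
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a constructed HS256 token; used only to produce sample input."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    head, body = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    return f"{head}.{body}.{b64url(mac(secret, head, body))}"

def verify_hs256(token: str, secret: bytes) -> bool:
    """True only for a three-part token whose header says HS256 and whose MAC matches."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            return False  # also rejects alg "none" and algorithm swaps
        presented = unb64url(sig)
    except (ValueError, AttributeError):
        return False
    return hmac.compare_digest(mac(secret, head, body), presented)

def key_readings(token: str, configured: str) -> list:
    """Which readings of the configured signing_key value verify the token."""
    keys = {"raw": configured.encode()}
    try:
        keys["base64-decoded"] = base64.b64decode(configured, validate=True)
    except ValueError:
        pass  # value is not valid base64, so only the raw reading applies
    return [name for name, key in keys.items() if verify_hs256(token, key)]

def basic_username(authorization: str) -> str:
    """Simplified model of a lenient Basic parser (assumption, not Search Guard code):
    drop non-base64 characters, decode, return the text before the first ':'."""
    creds = re.sub(r"[^A-Za-z0-9+/]", "", authorization.split(" ", 1)[1])
    creds = creds[: len(creds) - len(creds) % 4]
    return base64.b64decode(creds).decode("utf-8", "replace").split(":", 1)[0]

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-demo-secret"
CONFIGURED = base64.b64encode(SECRET).decode()  # value as written in the config file
GOOD = sign_hs256({"sub": "admin"}, SECRET)  # issuer signed with the decoded secret
BAD = sign_hs256({"sub": "admin"}, CONFIGURED.encode())  # issuer signed with the base64 text

if __name__ == "__main__":
    print(basic_username("Basic " + GOOD))
    print(key_readings(GOOD, CONFIGURED), key_readings(BAD, CONFIGURED))
```

If the server applies the base64-decoded reading, a token that only verifies under `raw` (like `BAD`) is rejected with a signature error even though issuer and config hold the same string.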

···

Finally, I logged in with JWT. If you want to use JWT in Kibana, you need to disable basic_auth:

elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader

But I got another odd problem:

If I logged in as admin:

{"message":"no permissions for [indices:data/read/search] and User [name=admin, roles=[sg_all_access], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=admin, roles=[sg_all_access], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

If I logged in as kibanaserver:

Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=[sg_all_access], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=[sg_all_access], requestedTenant=null]"},"status":403}
    at http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:650116
    at Function.Promise.try (http://localhost:5601/bundles/commons.bundle.js?v=16350:56:19076)
    at http://localhost:5601/bundles/commons.bundle.js?v=16350:56:18464
    at Array.map (<anonymous>)
    at Function.Promise.map (http://localhost:5601/bundles/commons.bundle.js?v=16350:56:18422)
    at callResponseHandlers (http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:649694)
    at http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:639054
    at processQueue (http://localhost:5601/bundles/commons.bundle.js?v=16350:35:132456)
    at http://localhost:5601/bundles/commons.bundle.js?v=16350:35:133349
    at Scope.$digest (http://localhost:5601/bundles/commons.bundle.js?v=16350:35:144239)


···

I guess you got confused with backendroles and Search Guard roles.

User [name=admin, roles=[sg_all_access] -> sg_all_access is a backendrole here, not a Search Guard role.

See http://docs.search-guard.com/latest/mapping-users-roles#map-users-backend-roles-and-hosts-to-search-guard-roles and http://docs.search-guard.com/latest/role-mapping-modes#mode-backendroles_only
