Am 24.01.2018 um 07:23 schrieb Johnson C <cheng.qiaosheng@gmail.com>:
Finnaly, I logined by jwt, if you want to use jwt in kibana, you need to disable basic_auth:
elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader
But I got another odd problem:
If i logined by admin:
{"message":"no permissions for [indices:data/read/search] and User [name=admin, roles=[sg_all_access], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=admin, roles=[sg_all_access], requestedTenant=null]","statusCode":403,"error":"Forbidden"}
If i logined by kibanaserver:
Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=[sg_all_access], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=[sg_all_access], requestedTenant=null]"},"status":403}
at
http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:650116
at Function.Promise.try (
http://localhost:5601/bundles/commons.bundle.js?v=16350:56:19076
)
at
http://localhost:5601/bundles/commons.bundle.js?v=16350:56:18464
at Array.map (<anonymous>)
at Function.Promise.map (
http://localhost:5601/bundles/commons.bundle.js?v=16350:56:18422
)
at callResponseHandlers (
http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:649694
)
at
http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:639054
at processQueue (
http://localhost:5601/bundles/commons.bundle.js?v=16350:35:132456
)
at
http://localhost:5601/bundles/commons.bundle.js?v=16350:35:133349
at Scope.$digest (
http://localhost:5601/bundles/commons.bundle.js?v=16350:35:144239\)
On Wednesday, January 24, 2018 at 10:52:32 AM UTC+8, Johnson C wrote:
After enable error log in ES, it turns out signature not right
TLS help | Security for Elasticsearch | Search Guard
Add the following lines in config/log4j2.properties and restart your node:
logger.searchguard.name
= com.floragunn
logger.searchguard.level = debug
This will already print out a lot if helpful information in your log file. If this information is not sufficient, you can also set the log level to trace.
On Wednesday, January 24, 2018 at 10:22:55 AM UTC+8, Johnson C wrote:
After changing Bearer to Baisc, I got this error:
Authentication finally failed for {"alg"
I think this is the header of this jwt token, but why?
ES don't support jwt authorization?
On Wednesday, January 24, 2018 at 10:17:52 AM UTC+8, Johnson C wrote:
Login by Authorization header to ES, I got this error.
[2018-01-24T10:15:12,353][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2018-01-24T10:15:12,353][WARN ][c.f.s.a.BackendRegistry ] Authentication finally failed for null
On Tuesday, January 23, 2018 at 4:01:38 PM UTC+8, Johnson C wrote:
When asking questions, please provide the following information:
* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any
Version Info:
Elasticsearch version:6.1.1-20.1, Search Guard Version: 6.1.1; Kibana: 6.1.1;
JVM version: 1.8.0_131, Win 10;
Problem:
With some help form this group, finally I enabled the jwt_auth_domain.
But i still can't login kibana through jwt, below is my configuration.
elasticsearch.yml:
######## Start Search Guard Demo Configuration ########
***
######## End Search Guard Demo Configuration ########
searchguard.cache.ttl_minutes: 0
kibana.yml:
elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader
sg_config.yml:
jwt_auth_domain:
enabled: true
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "key..."
jwt_header: "jwtheader"
jwt_url_parameter: "Authorization"
roles_key: null
subject_key: null
authentication_backend:
type: noop
Login failed for both ElasticSearch and Kibana, here is three method which I've tried.
1. https://localhost:9200/?authorization=<token>
2. http://localhost:5601/?jwtparam=<token>
3. http://localhost:5601 with header
--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/bd8f6913-00ea-4576-a2f9-89395d27853d%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.