Basic realm="Authorization Required" after successful authentication

Hi,

I’m experiencing a strange behaviour when using Search Guard on elasticsearch and kibana. I’m using:

  • Elasticsearch 5.5.0 with SearchGuard plugin 5.5.0-16
  • Kibana 5.5.0 with SearchGuard plugin 5.5.0-4

To start exploring the searchguard capabilities, I followed the instructions and installed the provided demo (auto-signed certificate and default users/password/roles):

  • run plugins/search-guard-5/tools/install_demo_configuration.sh
  • start elasticsearch
  • run sgadmin_demo.sh
  • run kibana

When I connect to elasticsearch, I am asked to enter user/password, and everything works as expected: receiving the right errors when the authenticated user hasn’t got rights for certain actions, etc.

When I connect to kibana, I am redirected to the SearchGuard login page. I enter the user/password (kibanaro/kibanaro or admin/admin), and for now all is ok.

But then comes my problem: I’m again asked to enter user/password with the browser’s built-in authentication popup. And there, I cannot authenticate with any password (neither admin/admin nor kibanaro/kibanaro nor kibanaserver/kibanaserver).

I used tcpdump and Wireshark to see what’s going on, and I could see that:

From the login page: a POST to http://localhost:5601/api/v1/auth/login returns OK

Then a GET to http://localhost:5601/ returns OK and kibana redirects to the default route

Finally the GET to http://localhost:5601/app/kibana returns an HTTP 401 with header Basic realm="Authorization Required"

Is there anything I missed?

Here is the related information:

→ sgconfig directory content, which is exactly what is provided by the plugin installation: attached file sgconfig.zip

→ result of a find_all query on the search_guard index: attached file searchguard.json

→ the elasticsearch conf:

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
cluster.name: searchguard_demo
network.host: 0.0.0.0
######## End Search Guard Demo Configuration ########

→ the kibana conf:

searchguard.multitenancy.enabled: true
elasticsearch.requestHeadersWhitelist: ["sg_tenant"]
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.url: "https://localhost:9200"
elasticsearch.ssl.verificationMode: none

Any help would be appreciated.

Pierre

sgconfig.zip (9.13 KB)

searchguard.json (11.8 KB)

I also attach the tcpdump Wireshark export.

search_guard_tcpdump.pcap (60.1 KB)


The problem here is this line in kibana.yml:

elasticsearch.requestHeadersWhitelist: ["sg_tenant"]

The whitelist of Kibana contains the "Authorization" header by default. However, if one manually changes the whitelist, "Authorization" is not added by default again, so you need to manually add it like:

elasticsearch.requestHeadersWhitelist: ["Authorization", "sg_tenant"]

Then it should work. Sorry if the docs are not clear enough here, we’ll fix this.

···

On Thursday, October 12, 2017 at 2:58:47 PM UTC+2, Pierre de Soyres wrote:

I also attach the tcpdump Wireshark export.


I confirm that it works when adding “Authorization” to the requestHeadersWhitelist.

Thank you for helping.

Pierre

···

2017-10-13 15:43 GMT+02:00 Jochen Kressin jkressin@floragunn.com:

The problem here is this line in kibana.yml:

elasticsearch.requestHeadersWhitelist: ["sg_tenant"]

The whitelist of Kibana contains the "Authorization" header by default. However, if one manually changes the whitelist, "Authorization" is not added by default again, so you need to manually add it like:

elasticsearch.requestHeadersWhitelist: ["Authorization", "sg_tenant"]

Then it should work. Sorry if the docs are not clear enough here, we’ll fix this.


Hey,

I am facing the same issues and I don’t know what to do.

As you have mentioned, I updated elasticsearch.requestHeadersWhitelist: ["Authorization", "sg_tenant"] in kibana.yml.

Still, on every login I am redirected to the same kibana dashboard.

And when I curl the same, it says 401 Authorization Required.

Can you please help me with this?
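The whitelist behaviour explained in the answer earlier in this thread, modelled as an added example (it is not Kibana or Search Guard source code): a custom elasticsearch.requestHeadersWhitelist replaces the default list, so the Authorization header is dropped before the request reaches the backend and a 401 comes back. The function names, the constructed request and the stand-in backend are assumptions made for illustration.

```javascript
// Simplified model (not Kibana source): only whitelisted request headers are
// forwarded to Elasticsearch, and a custom list REPLACES the default one.
const DEFAULT_WHITELIST = ['authorization'];

// Effective whitelist: the configured list if present, otherwise the default.
function effectiveWhitelist(configured) {
  return (configured === undefined ? DEFAULT_WHITELIST : configured)
    .map((h) => h.trim().toLowerCase());
}

// Keep only whitelisted headers; header names compare case-insensitively.
function filterHeaders(headers, configured) {
  const keep = new Set(effectiveWhitelist(configured));
  return Object.fromEntries(
    Object.entries(headers)
      .map(([name, value]) => [name.toLowerCase(), value])
      .filter(([name]) => keep.has(name))
  );
}

// Stand-in for a backend that requires HTTP Basic credentials (assumption).
function backend(headers) {
  if (!headers.authorization) {
    const challenge = 'Basic realm="Authorization Required"';
    return { status: 401, headers: { 'www-authenticate': challenge } };
  }
  return { status: 200, headers: {} };
}

// What the backend answers for a request that passes through the filter.
function proxy(requestHeaders, configured) {
  return backend(filterHeaders(requestHeaders, configured));
}

// Lint: report a configured whitelist that no longer forwards Authorization.
function lintWhitelist(configured) {
  return effectiveWhitelist(configured).includes('authorization')
    ? []
    : ['requestHeadersWhitelist is missing "Authorization"'];
}

// Constructed request: demo credentials from the session plus a tenant header.
const request = {
  Authorization: 'Basic ' + Buffer.from('kibanaro:kibanaro').toString('base64'),
  sg_tenant: 'constructed_tenant',
};

console.log(proxy(request, ['sg_tenant']).status);                  // broken
console.log(proxy(request, ['Authorization', 'sg_tenant']).status); // fixed
```
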