Hi,
First, some version info:
- Search Guard version: 6.2.1-21 with no enterprise modules.
- Elasticsearch version: 6.2.1
- JVM version and operating system version: java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64. Oracle Linux 7.4 (same as CentOS).
- Kernel version: 4.1.12-112.16.4.el7uek.x86_64
Here’s ideally what I’d like to do:
- Have all Kibana users authenticate with a password (certificate-based authentication to Kibana is also acceptable).
- Have all internal services (e.g. Logstash) authenticate to Elasticsearch using certificates; this includes the Kibana Server itself.
Is this possible? The reason I ask is because although I seem to have successfully set up client certificate-based authentication (in addition to password-based authentication), when I log into Kibana using password authentication, it seems that the Kibana Server itself does not have the correct permissions to query any indices. Please see the output below.
[2018-04-09T19:53:19,954][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=Searchguard Kibana Certificate, roles=, requestedTenant=null] [IndexType [index=alerts-2018.04.07, type=], IndexType [index=logstash-2018.02.27, type=], [Action [[indices:monitor/stats]]] [RolesChecked [sg_kibana_server]]
I was previously using purely password based authentication, and everything was working well. Once I switched to this hybrid arrangement, that’s when the problems started. The sg_kibana_server ‘role’ has not changed.
I’m a bit confused about what functions are performed and what permissions are needed for the Kibana server vs. the end user. I’m also confused as to why the behaviour for certificate-based authentication seems to be different than for password-based authentication.
It seems to me that when using purely password based authentication, the Kibana user and the Kibana server each authenticate to ES separately. However, for client certificate based authentication, it seems that the user somehow only gets the Kibana Server’s permissions, and none of their own. Why is this?
The documentation at the bottom of this (Installing the Search Guard Kibana Plugin | Security for Elasticsearch | Search Guard) page seems to indicate as much:
“If the certificate is an admin certificate, this means that all actions from all users will be allowed, regardless of other authorization settings. While this may be useful in cases where you need complete admin access, it isn’t always clear what these configuration settings actually do and what their implications are.”
Is it possible for you to shed some light on this and suggest a way forward? I’m thinking that it’s probably not possible for me to switch the Kibana-Server itself over to using a client certificate.
Many thanks!
Nick George