Client certificate-based authentication issues

Hi,

First, some version info:

  • Search Guard version: 6.2.1-21 with no enterprise modules.

  • Elasticsearch version. 6.2.1

  • JVM version and operating system version. java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64. Oracle Linux 7.4 (same as Centos).

  • Kernel version: 4.1.12-112.16.4.el7uek.x86_64

Here’s ideally what I’d like to do:

  • Have all Kibana users authenticate with a password (certificate-based authentication to Kibana is also acceptable)

  • Have all internal services (e.g. Logstash) authenticate to Elasticsearch using certificates; this includes the Kibana Server itself.

Is this possible? The reason I ask is because although I seem to have successfully set up client certificate-based authentication (in addition to password-based authentication), when I log into Kibana using password authentication, it seems that the Kibana Server itself does not have the correct permissions to query any indices. Please see the output below.

[2018-04-09T19:53:19,954][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=Searchguard Kibana Certificate, roles=, requestedTenant=null] [IndexType [index=alerts-2018.04.07, type=], IndexType [index=logstash-2018.02.27, type=], [Action [[indices:monitor/stats]]] [RolesChecked [sg_kibana_server]]

I was previously using purely password based authentication, and everything was working well. Once I switched to this hybrid arrangement, that’s when the problems started. The sg_kibana_server ‘role’ has not changed.

I’m a bit confused about what functions are performed and what permissions are needed for the Kibana server vs the end user. I’m also confused as to why the behaviour for certificate-based authentication seems to be different than for password-based authentication.

It seems to me that when using purely password based authentication, the Kibana user and the Kibana server each authenticate to ES separately. However, for client certificate based authentication, it seems that the user somehow only gets the Kibana Server’s permissions, and none of their own. Why is this?

The documentation at the bottom of this page (https://docs.search-guard.com/latest/kibana-plugin-installation) seems to indicate as much:

“If the certificate is an admin certificate, this means that all actions from all users will be allowed, regardless of other authorization settings. While this may be useful in cases where you need complete admin access, it isn’t always clear what these configuration settings actually do and what their implications are.”

Is it possible for you to shed some light on this and suggest a way forward? I’m thinking that it’s probably not possible for me to switch the Kibana-Server itself over to using a client certificate.

Many thanks!

Nick George

This is unfortunately not under our control, but more of a Kibana issue.

See for example:

The relevant part is this:

"To summarize the issue here:

If PKI authentication is defined for the Kibana serverside user, via

elasticsearch.url: "https://node01:9200"

elasticsearch.ssl.cert: /home/msimos/kibana-4.3.1-linux-x64/config/my.crt

elasticsearch.ssl.key: /home/msimos/kibana-4.3.1-linux-x64/config/my.key

elasticsearch.ssl.ca: /home/msimos/kibana-4.3.1-linux-x64/config/cacert.pem

The PKI information should be used only for requests to ES made by the kibana server user; it should not be used for end-user requests. Today, this PKI information is attached to all requests, which is the issue."

This means if you set these values, the certificate will be added to all requests, not just to the requests of the kibanaserver as it should be. This can lead to a potential security risk when people use an admin certificate here. That’s why we added a safeguard and put it in the docs.

If you want to use a client certificate, you need to set:

searchguard.allow_client_certificates: true


At the moment there is no real solution for the problem unless Kibana restricts the certificate to the kibanaserver user only. You can, in theory, configure HTTP Basic Auth first, and then certificate-based auth second. But that has the effect that if the HTTP Basic credentials are not valid, the certificate-based auth would always succeed and the user would be logged in as kibanaserver. Also not something one really wants. We need to wait until this is fixed in Kibana.
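An added helper, not part of the reply above or of Search Guard itself, that parses the PrivilegesEvaluator "No index-level perm match" line quoted in the question and flags the symptom the thread describes: the Kibana server's certificate identity being denied access to end-user data indices, which is what you see when the server certificate is attached to end-user requests. The identity name is taken from the quoted log line and the ".kibana"-only heuristic is an assumption.

```python
import re
from dataclasses import dataclass

# Identity that the Kibana server's client certificate maps to, taken from the
# log line in the thread. Adjust to the name your own certificate DN maps to.
KIBANA_SERVER_IDENTITY = "Searchguard Kibana Certificate"

# Search Guard 6.x PrivilegesEvaluator denial line layout (as quoted in the thread).
HEAD = re.compile(r"^\[([^\]]+)\]\[(\w+)\s*\]\[([^\]]+)\] No index-level perm match for User "
                  r"\[name=(.*?), roles=(.*?), requestedTenant=(.*?)\]")
INDEX = re.compile(r"IndexType \[index=([^,\]]+), type=([^\]]*)\]")
ACTION = re.compile(r"\[Action \[\[([^\]]+)\]\]\]")
ROLES = re.compile(r"\[RolesChecked \[([^\]]*)\]\]")

# Copied from the question above (real line), plus one constructed benign line.
SAMPLE_LINE = ("[2018-04-09T19:53:19,954][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match "
               "for User [name=Searchguard Kibana Certificate, roles=, requestedTenant=null] "
               "[IndexType [index=alerts-2018.04.07, type=], IndexType [index=logstash-2018.02.27, type=], "
               "[Action [[indices:monitor/stats]]] [RolesChecked [sg_kibana_server]]")
BENIGN_LINE = ("[2018-04-09T19:55:00,000][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match "
               "for User [name=Searchguard Kibana Certificate, roles=, requestedTenant=null] "
               "[IndexType [index=.kibana, type=], [Action [[indices:data/write/index]]] "
               "[RolesChecked [sg_kibana_server]]")

@dataclass
class PermDenial:
    timestamp: str
    user: str
    backend_roles: list
    indices: list
    action: str
    roles_checked: list

def parse_denial(line):
    """Return a PermDenial for a denial line, or None if the line is something else."""
    m = HEAD.match(line)
    if not m:
        return None
    ts, _level, _logger, user, roles, _tenant = m.groups()
    action = ACTION.search(line)
    checked = ROLES.search(line)
    return PermDenial(
        timestamp=ts, user=user,
        backend_roles=[r.strip() for r in roles.split(",") if r.strip()],
        indices=[idx for idx, _type in INDEX.findall(line)],
        action=action.group(1) if action else "",
        roles_checked=[r.strip() for r in checked.group(1).split(",") if r.strip()] if checked else [],
    )

def is_leaked_server_identity(denial):
    """True when the Kibana server identity is denied on indices other than its own
    .kibana index: an end-user request went out carrying the server certificate.
    Assumption: the server user legitimately touches only .kibana* indices."""
    if denial is None or denial.user != KIBANA_SERVER_IDENTITY:
        return False
    return any(not idx.startswith(".kibana") for idx in denial.indices)
```

Run it over the Search Guard log of the Elasticsearch node Kibana talks to; a hit after a password login means the end-user session is being authorised as the server certificate.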


Hi Jochen,

Thank you for the very informative response, much appreciated. Now I can have a go at the Kibana devs, but given that this issue has been around for a number of years, I don’t like my chances of having it resolved any time soon.

Cheers,

Nick