Hi Team,
I am building a DASH application that uses elasticsearch as a data source. The elasticsearch cluster is secured with searchguard and connected from dash using basic-auth (elasticsearch-dsl python). I would like to use SAML auth for my application and would like to create a multi-tenant setup by passing SAML values to elasticsearch to show only the respective tenant's data.
On the front-end I can use pySAML, and I need to pass the SAML user details to query only the allowed index for the user. Any suggestion or idea to use searchguard would help.
Best,
Yash
srgbnd
October 28, 2020, 3:25pm
Use SAML for authentication, store the user credentials in a cookie, and pass the credentials in the request headers as HTTP basic auth.
You can look at the SAML implementation in the Search Guard Kibana plugin: lib/auth/types/saml · v7.9.2-46.2.0 · search-guard / Search Guard Kibana Plugin · GitLab
Example of passing credentials as HTTP basic auth:
curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" https://webapp.com:5601
@srgbnd, thanks for your response.
From your example, I could see that credentials are passed to Kibana. Can I do the same with elasticsearch? E.g.:
curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" https://elasticsearch:9200
srgbnd
October 29, 2020, 11:31am
Yes, you can do the same if you are authenticating using basic auth. Also, you can auth via SAML, just provide the JWT token.
$ curl -k -H "Authorization: bearer eyJhbGciOiJIUzUx..." https://localhost:9200
{
"name" : "sgssl-0.example.com",
"cluster_name" : "sgtest_docker",
"cluster_uuid" : "42gowC00TXCxIy42DZpsZQ",
"version" : {
"number" : "7.9.3",
...
}
Thanks @srgbnd,
If I use proxy, do I need to pass x-proxy-user in authorization?
$ curl -k -H "Authorization: x-proxy-user <username> " https://localhost:9200
Summarizing my flow:
1] connect my dash with elasticsearch using basic auth like kibana
dash (elasticsearch-dsl py) ----- Basic Auth (Kibana users) -----> elasticsearch
2] when the user logs in, use saml or proxy credentials to elasticsearch?
user ---> saml/proxy ---> Dash (elasticsearch-dsl py) --------> (basic-auth) -----> elasticsearch
3] Or skip the basic auth and connect to elasticsearch when saml/proxy credentials are passed
user ---> saml/proxy ----> Dash (elasticsearch-dsl py) ----> (Authz saml cred) ---> elasticsearch ?
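Added example, not part of any post in this thread and not Search Guard or Dash code: a Python version of the per-user `Authorization` header srgbnd describes (Basic or bearer JWT), attached to an unsent Elasticsearch search request so the cluster sees each user's own identity. The session keys `jwt`, `username` and `password` and all function names are hypothetical, and it assumes the Dash session already holds the user's credential after the SAML login.

```python
import base64
import json
import urllib.parse
import urllib.request


class AuthError(ValueError):
    """Raised when no usable per-user credential is in the session."""


def auth_header(session):
    """Build the Authorization value from the logged-in user's own credential."""
    token = session.get("jwt")  # hypothetical session key
    if token:
        # A compact JWT has three dot-separated parts; whitespace or CR/LF
        # in it would allow header injection.
        if token.count(".") != 2 or any(c.isspace() for c in token):
            raise AuthError("malformed JWT")
        return "Bearer " + token
    user, password = session.get("username"), session.get("password")
    if user and password:
        if ":" in user or any(ord(c) < 32 for c in user + password):
            raise AuthError("illegal character in basic-auth credentials")
        raw = f"{user}:{password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    # Fail closed: never fall back to a shared service account, or every
    # tenant's query would run with the same permissions.
    raise AuthError("no per-user credential in session")


def build_search_request(es_url, index, query, session):
    """Return an unsent urllib Request for POST <es_url>/<index>/_search."""
    path = urllib.parse.quote(index, safe="")  # keep the index to one path segment
    req = urllib.request.Request(
        f"{es_url}/{path}/_search",
        data=json.dumps({"query": query}).encode("utf-8"),
        method="POST",
    )
    req.add_header("Authorization", auth_header(session))
    req.add_header("Content-Type", "application/json")
    return req


def decode_basic(value):
    """Base64 is an encoding, not encryption: recover user:password."""
    return base64.b64decode(value.split(" ", 1)[1]).decode("utf-8")
```

Because the Basic value decodes directly back to the password, any cookie, log or proxy that holds this header holds the plaintext credential.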