Connect DASH (python) with Elasticsearch

Hi Team,

I am building DASH application that uses elasticsearch as data source. The elasticsearch cluster is secured with searchguard and connected from dash using basic-auth (elasticsearc-dsl python) . I would like to use SAML auth for my application and would like to create a multi-tenant by passing SAML values to elasticsearch to show only respective tenants data.

On front-end I can use pySAML and I need to pass the saml user details to query only allowed index for the user, any suggestion or idea to use searchguard would help.

Best,
Yash

Use SAML for authentication, store the user credentials in a cookie, and pass the credentials in the request headers as HTTP basic auth.

You can look at the SAML implementation in the Search Guard Kibana plugin https://git.floragunn.com/search-guard/search-guard-kibana-plugin/-/tree/v7.9.2-46.2.0/lib/auth/types/saml

Example of passing credentials as HTTP basic auth

curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" https://webapp.com:5601

@srgbnd, Thanks for your response.

From your example, I could see that credentials are passed to kibana, can I do the same with elasticsearch ? eg:

curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" https://elasticsearch:9200

Yes, you can do the same if you authenticating using the basic auth. Also, you can auth via SAML, just provide the JWT token.

$ curl -k -H "Authorization: bearer eyJhbGciOiJIUzUx..." https://localhost:9200
{
  "name" : "sgssl-0.example.com",
  "cluster_name" : "sgtest_docker",
  "cluster_uuid" : "42gowC00TXCxIy42DZpsZQ",
  "version" : {
    "number" : "7.9.3",
  ...
}

Thanks @srgbnd,

If I use proxy do I need to parse x-proxy-user in authorization ?

$curl -k -H "Authorization: x-proxy-user <username> " https://localhost:9200 

Summarizing my flow:

1] connect my dash with elasticsearch using basic auth like kibana

 dash (elasticsearch-dsh py) ----- Basic Auth (Kibnan users) -----> elasticsearch 

2] when user login, user saml or proxy credentials to elasticsearch ?

 user ---> saml/proxy ---> Dash ((elasticsearch-dsh py) ) --------> (basic-auth) -----> elasticsearch 

3] Or skip the basic auth and connect to elasticsearch when sam/proxy credentials are passed

user ---> saml/proxy ----> Dash (elasticsearch-dash py) ----> (Authz  saml cred) ---> elasticsearch ?

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.