Connect DASH (python) with Elasticsearch

Search Guard
1

Hi Team,

I am building DASH application that uses elasticsearch as data source. The elasticsearch cluster is secured with searchguard and connected from dash using basic-auth (elasticsearc-dsl python) . I would like to use SAML auth for my application and would like to create a multi-tenant by passing SAML values to elasticsearch to show only respective tenants data.

On front-end I can use pySAML and I need to pass the saml user details to query only allowed index for the user, any suggestion or idea to use searchguard would help.

Best,
Yash

2

Use SAML for authentication, store the user credentials in a cookie, and pass the credentials in the request headers as HTTP basic auth.

You can look at the SAML implementation in the Search Guard Kibana plugin lib/auth/types/saml · v7.9.2-46.2.0 · search-guard / Search Guard Kibana Plugin · GitLab

Example of passing credentials as HTTP basic auth

curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" https://webapp.com:5601
3

@srgbnd, Thanks for your response.

From your example, I could see that credentials are passed to kibana, can I do the same with elasticsearch ? eg:

curl -k -H "Authorization: Basic YWRtaW46YWRtaW4=" https://elasticsearch:9200
4

Yes, you can do the same if you authenticating using the basic auth. Also, you can auth via SAML, just provide the JWT token.

$ curl -k -H "Authorization: bearer eyJhbGciOiJIUzUx..." https://localhost:9200
{
  "name" : "sgssl-0.example.com",
  "cluster_name" : "sgtest_docker",
  "cluster_uuid" : "42gowC00TXCxIy42DZpsZQ",
  "version" : {
    "number" : "7.9.3",
  ...
}
5

Thanks @srgbnd,

If I use proxy do I need to parse x-proxy-user in authorization ?

$curl -k -H "Authorization: x-proxy-user <username> " https://localhost:9200

Summarizing my flow:

1] connect my dash with elasticsearch using basic auth like kibana

 dash (elasticsearch-dsh py) ----- Basic Auth (Kibnan users) -----> elasticsearch

2] when user login, user saml or proxy credentials to elasticsearch ?

 user ---> saml/proxy ---> Dash ((elasticsearch-dsh py) ) --------> (basic-auth) -----> elasticsearch

3] Or skip the basic auth and connect to elasticsearch when sam/proxy credentials are passed

user ---> saml/proxy ----> Dash (elasticsearch-dash py) ----> (Authz  saml cred) ---> elasticsearch ?
6

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.