Creating generic user

Search Guard
1

Hello,
I’m trying to figure out how I can have a generic read only user pass through for kibana. I’ve added the following that I got from the latest commits for SG-2-2.3.2.0-beta2

sg_roles.yml:

sg_users:

indices:

‘*’:

‘*’:

  • READ

sg_roles_mapping.yml

sg_public:

users:

  • ‘*’

I even tried ensuring the sg_* name was the same in both files, but I keep getting blocked when I try to log in to kibana with an undefined user. Along with trying to simply curl the ES cluster. Not sure if i’m doing this wrong, but i’m stuck and any help would be appreciated.

2

Ahh nevermind. See I have to edit the sg_config and enable the domain_proxy section. Though, kibana keeps making me do basic auth after I’ve logged in using google sso. Even though I can just pass it a random user/pass combo.

3

can you share you configs?

···

Am 17.05.2016 um 00:08 schrieb djtecha <djtecha@gmail.com>:

Ahh nevermind. See I have to edit the sg_config and enable the domain_proxy section. Though, kibana keeps making me do basic auth after I've logged in using google sso. Even though I can just pass it a random user/pass combo.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/310ba11f-713b-4498-94e6-c0d3fbe39a2f%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

4

sg_config:

searchguard:

dynamic:

http:

xff:

enabled: false

internalProxies: 192.168.0.10|192.168.0.11

remoteIpHeader: “x-forwarded-for”

proxiesHeader: “x-forwarded-by”

trustedProxies: “proxy1|proxy2”

authenticator:

type: com.floragunn.searchguard.http.HTTPBasicAuthenticator

authcz:

authentication_domain_basic_internal:

enabled: true

order: 0

authentication_backend:

type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend

authorization_backend:

type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend

#authentication_ldap:

#enabled: true

#order: 1

#authentication_backend:

#type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend

#config:

#host: [“”,“”]

#authorization_backend:

#type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend

authentication_domain_proxy:

enabled: true

order: 1

authentication_backend:

type: com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend

authorization_backend:

type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend

sg_roles.yml

sg_public:

cluster:

  • CLUSTER_ALL

indices:

‘*’:

‘*’:

  • ALL

sg_roles_mapping.yml

sg_public**:**

users:

  • ‘*’

That should let any user see all indices regardless of if they have a login.

···

On Tuesday, May 17, 2016 at 6:12:39 AM UTC-7, SG wrote:

can you share you configs?

Am 17.05.2016 um 00:08 schrieb djtecha djt...@gmail.com:

Ahh nevermind. See I have to edit the sg_config and enable the domain_proxy section. Though, kibana keeps making me do basic auth after I’ve logged in using google sso. Even though I can just pass it a random user/pass combo.


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/310ba11f-713b-4498-94e6-c0d3fbe39a2f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

5

i suggest

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: basic
    authcz:
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: intern
        authorization_backend:
          type: noop

···

Am 18.05.2016 um 18:40 schrieb djtecha <djtecha@gmail.com>:

sg_config:
searchguard:
  dynamic:
    http:
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: com.floragunn.searchguard.http.HTTPBasicAuthenticator
    authcz:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend
      #authentication_ldap:
        #enabled: true
        #order: 1
        #authentication_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend
          #config:
            #host: ["",""]
        #authorization_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend

sg_roles.yml
sg_public:
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - ALL

sg_roles_mapping.yml
sg_public:
  users:
    - '*'

That should let any user see all indices regardless of if they have a login.

On Tuesday, May 17, 2016 at 6:12:39 AM UTC-7, SG wrote:
can you share you configs?

> Am 17.05.2016 um 00:08 schrieb djtecha <djt...@gmail.com>:
>
> Ahh nevermind. See I have to edit the sg_config and enable the domain_proxy section. Though, kibana keeps making me do basic auth after I've logged in using google sso. Even though I can just pass it a random user/pass combo.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/310ba11f-713b-4498-94e6-c0d3fbe39a2f%40googlegroups.com\.
> For more options, visit https://groups.google.com/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/64ad6081-106e-44c8-b4fc-1969b3f4c61c%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.