Creating generic user

Hello,
I’m trying to figure out how I can have a generic read-only user pass through for Kibana. I’ve added the following that I got from the latest commits for SG-2-2.3.2.0-beta2:

sg_roles.yml:

sg_users:
  indices:
    '*':
      '*':
        - READ

sg_roles_mapping.yml:

sg_public:
  users:
    - '*'

I even tried ensuring the sg_* name was the same in both files, but I keep getting blocked when I try to log in to Kibana with an undefined user. Along with trying to simply curl the ES cluster. Not sure if I’m doing this wrong, but I’m stuck and any help would be appreciated.

Ahh, never mind. See, I have to edit the sg_config and enable the domain_proxy section. Though, Kibana keeps making me do basic auth after I’ve logged in using Google SSO. Even though I can just pass it a random user/pass combo.

Can you share your configs?

On 17.05.2016 at 00:08, djtecha <djtecha@gmail.com> wrote:

Ahh nevermind. See I have to edit the sg_config and enable the domain_proxy section. Though, kibana keeps making me do basic auth after I've logged in using google sso. Even though I can just pass it a random user/pass combo.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/310ba11f-713b-4498-94e6-c0d3fbe39a2f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

sg_config:

searchguard:
  dynamic:
    http:
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: com.floragunn.searchguard.http.HTTPBasicAuthenticator
    authcz:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend
      #authentication_ldap:
        #enabled: true
        #order: 1
        #authentication_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend
          #config:
            #host: ["",""]
        #authorization_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend

sg_roles.yml

sg_public:
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - ALL

sg_roles_mapping.yml

sg_public:
  users:
    - '*'

That should let any user see all indices regardless of if they have a login.


On Tuesday, May 17, 2016 at 6:12:39 AM UTC-7, SG wrote:

Can you share your configs?


I suggest

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: basic
    authcz:
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: intern
        authorization_backend:
          type: noop

On 18.05.2016 at 18:40, djtecha <djtecha@gmail.com> wrote:

sg_config:
searchguard:
  dynamic:
    http:
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: com.floragunn.searchguard.http.HTTPBasicAuthenticator
    authcz:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend
      #authentication_ldap:
        #enabled: true
        #order: 1
        #authentication_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend
          #config:
            #host: ["",""]
        #authorization_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend

sg_roles.yml
sg_public:
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - ALL

sg_roles_mapping.yml
sg_public:
  users:
    - '*'

That should let any user see all indices regardless of if they have a login.
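
An added example, not part of the original thread or of Search Guard itself: a small audit that flags roles mapped to the `'*'` user when they are undefined or grant more than read access, run over the role files posted above. The dict literals are constructed from the thread's configs, and the `READ`-only allowlist, the `ROLES_READ_ONLY` variant and all function names are assumptions of this example.

```python
# Added example: audit Search Guard role files for over-broad public access.
# The dicts mirror what a YAML loader returns for sg_roles.yml and
# sg_roles_mapping.yml; values are constructed from the configs in this thread.

READ_ONLY_GROUPS = {"READ"}  # assumption: all a public role should hold

ROLES_FIRST_POST = {"sg_users": {"indices": {"*": {"*": ["READ"]}}}}
ROLES_AS_POSTED = {
    "sg_public": {"cluster": ["CLUSTER_ALL"], "indices": {"*": {"*": ["ALL"]}}}
}
ROLES_READ_ONLY = {"sg_public": {"indices": {"*": {"*": ["READ"]}}}}  # constructed
ROLES_MAPPING = {"sg_public": {"users": ["*"]}}


def wildcard_roles(mapping):
    """Roles whose mapping lists the '*' user, so every user receives them."""
    return sorted(r for r, m in mapping.items() if "*" in (m or {}).get("users", []))


def granted_permissions(role):
    """Yield (scope, permission) for each cluster and index permission."""
    for perm in role.get("cluster", []):
        yield "cluster", perm
    for index, types in role.get("indices", {}).items():
        for doc_type, perms in types.items():
            for perm in perms:
                yield f"indices/{index}/{doc_type}", perm


def audit(roles, mapping, allowed=READ_ONLY_GROUPS):
    """Findings for wildcard-mapped roles that are undefined or exceed `allowed`."""
    findings = []
    for name in wildcard_roles(mapping):
        if name not in roles:
            findings.append((name, "mapping", "role not defined in sg_roles.yml"))
            continue
        for scope, perm in granted_permissions(roles[name]):
            if perm not in allowed:
                findings.append((name, scope, perm))
    return findings


if __name__ == "__main__":
    for label, roles in (("first post", ROLES_FIRST_POST),
                         ("as posted", ROLES_AS_POSTED),
                         ("read-only", ROLES_READ_ONLY)):
        print(label, audit(roles, ROLES_MAPPING) or "no findings")
```

The first post's files are reported because the mapping names `sg_public` while the role file defines `sg_users`; the later files are reported because the role handed to every user carries `CLUSTER_ALL` and `ALL` rather than `READ`.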
