Elastic Search + Kibana + Search Guard + Kerberos +LDAP

Hello!
I have some trouble setting up Elastic Search + Kibana + Search Guard + Kerberos.

After setup:

https://github.com/floragunncom/search-guard-auth-http-kerberos

I see Kerberos working fine.

Access to https://servername:9200/ via Kerberos works, but Kibana (http://servername:5601) shows one error on the page: “Authentication Exception”

sg_config.yml:

authc:
  basic_internal_auth_domain:
    enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  kerberos_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: kerberos
      challenge: true
      config:
        krb_debug: true
        strip_realm_from_principal: true
    authentication_backend:
      type: noop
authz:
  roles_from_myldap:
    enabled: true
    authorization_backend:
      type: ldap
      config:
        enable_ssl: false
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        hosts:
          - 'DC_name:389'
          - 'DC_name:389'
        bind_dn: '… …'
        password: 'password'
        rolebase: '…'
        rolesearch: '(member={0})'
        userroleattribute: null
        userrolename: disabled
        rolename: cn

kibana.yml:

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "https://servername:9200"
searchguard.basicauth.enabled: false
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: keystore.jks
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.kerberos.krb5_filepath: '/etc/krb5.conf'
searchguard.kerberos.acceptor_keytab_filepath: userH.keytab
searchguard.kerberos.acceptor_principal: 'HTTP/servername'

The question is which Search Guard role, and thus which permissions, your Kerberos-authenticated user has. For Kibana users, Search Guard ships with the role “sg_kibana”. Please make sure your user is assigned to that role. You can check by querying the authinfo endpoint, which prints information about the currently logged-in user:

https://:9200/_searchguard/authinfo

If this is the case, please have a look at the ES log file when the AuthenticationException happens. It should print a log statement regarding the missing privilege(s). You can also post the log file here for further analysis.
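A small check for the authinfo step described in the reply, added here as an example (it is not Search Guard's own tooling). It assumes the authinfo JSON carries the fields user_name, backend_roles and sg_roles, and that the basic_internal_auth_domain in the posted sg_config.yml accepts HTTP Basic credentials; for the Kerberos user, save the browser's authinfo response to a file and pass that path instead.

```python
"""Check a Search Guard authinfo response for the Kibana role (added example).

Usage:
  python sg_authinfo_check.py https://servername:9200 kibanaserver kibanaserver
  python sg_authinfo_check.py authinfo.json   # response saved from a Kerberos browser session
The JSON field names user_name, backend_roles and sg_roles are assumed from the
authinfo endpoint; 'sg_kibana' is the role named in the reply above.
"""
import base64
import json
import ssl
import sys
import urllib.request

KIBANA_ROLE = "sg_kibana"


def fetch_authinfo(base_url, username, password, verify_tls=True):
    """GET /_searchguard/authinfo via the basic_internal_auth_domain (HTTP Basic)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_searchguard/authinfo")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab-only escape hatch for a self-signed keystore.jks
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def check_kibana_access(authinfo, required_role=KIBANA_ROLE):
    """Classify why Kibana would reject this user; returns ok/user/roles/reason."""
    user = authinfo.get("user_name")
    backend_roles = list(authinfo.get("backend_roles") or [])  # roles from the LDAP rolesearch
    sg_roles = list(authinfo.get("sg_roles") or [])            # Search Guard roles after mapping
    if required_role in sg_roles:
        reason = f"{user} holds {required_role}; check the ES log for the missing privilege instead"
    elif not backend_roles:
        reason = (f"{user} has no backend roles: the LDAP rolesearch matched nothing "
                  "(check rolebase, rolesearch and the principal left after strip_realm_from_principal)")
    else:
        reason = (f"{user} has backend roles {backend_roles} but none maps to {required_role}: "
                  "add a mapping in sg_roles_mapping.yml")
    return {"ok": required_role in sg_roles, "user": user,
            "backend_roles": backend_roles, "sg_roles": sg_roles, "reason": reason}


if __name__ == "__main__":
    if len(sys.argv) == 2:  # a saved JSON response
        with open(sys.argv[1]) as fh:
            info = json.load(fh)
    else:
        info = fetch_authinfo(*sys.argv[1:4])
    print(json.dumps(check_kibana_access(info), indent=2))
```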

On Thursday, October 5, 2017 at 3:50:17 PM UTC+2, Sergey Emcev wrote: (the original post, quoted in full above)