Get logged in username by another plugin

Hello.

I develop a Kibana plugin, and I need to know the currently logged-in username. Is there a method/property available to get this information?

Best regards.

Have a look at lib/auth/routes_authinfo.js, we define an “authinfo” endpoint there which will return the user info in JSON if you have an authenticated user:

```js
server.route({
  method: 'GET',
  path: `${API_ROOT}/v1/auth/authinfo`,
  handler: (request, reply) => {
  }
})
```

···


For a usage example in an Angular controller, have a look at public/apps/multitenancy/multitenancy.js. We fetch the user information, and extract and display username and roles there.

···


Just out of curiosity, what kind of plugin do you develop?

···


Hello, Jochen.

Thank you for your help. I have one more question, how can I get authorized?

Now, if I use this URL http://localhost:5601/searchguard/api/v1/auth/authinfo I get

```
{"statusCode":403,"error":"Forbidden","message":"Error: Unauthorized"}
```

And I get the same when I do http get from my plugin backend:

```js
const http = require('http');

http.get('http://127.0.0.1:5601/searchguard/api/v1/auth/authinfo', (res) => {
  console.log(res);
  JSON.stringify(res, null, 2);
});
```

···


It responds with Unauthorized even if I use the admin account:

```
$ curl -uadmin:admin -sS -i -XGET http://localhost:5601/searchguard/api/v1/auth/authinfo
HTTP/1.1 403 Forbidden
kbn-name: kibana
kbn-version: 5.4.2
content-type: application/json; charset=utf-8
cache-control: no-cache
content-length: 70
Date: Tue, 04 Jul 2017 10:21:25 GMT
Connection: keep-alive

{"statusCode":403,"error":"Forbidden","message":"Error: Unauthorized"}
```

···


This will not work the way you do it:

Adding the Basic Auth credentials will only work if you query the authinfo endpoint on Elasticsearch directly:

```
curl -Ss -u admin:admin --insecure -XGET 'https://sgssl-0.example.com:9200/_searchguard/authinfo?pretty'
```

The API on Kibana works by authenticating the user-provided credentials against the authinfo endpoint on ES. And if successful, it stores the credentials in a cookie ‘searchguard_authentication’ (name is configurable). It will not accept any Basic Auth header.

The question is, do you want to authenticate the user yourself, or let the SG plugin do that? If you want to authenticate the user yourself, have a look at lib/auth/routes.js and the ${API_ROOT}/v1/auth/login endpoint; this is where the user gets authenticated.

···


I don’t want to authenticate the user. My goal is to have my plugin get the currently logged-in username and use it to create documents. By default, a user can see only documents in his scope, created by him. Admin can see all documents, plus he has “access control” functionality, where he can edit user scopes. Thus, we have a hybrid mode to control user access: usernames from Kibana/Search Guard, the scope control from my plugin.

···


These documents are available only in my plugin.

···


So I guess the answer depends on which layer you need the username - Angular or Node? Any code you can share?

···


I need it in Angular and maybe on Node level too.

···


About the code, sure, this task is for Sentinl app https://github.com/sirensolutions/sentinl

···


Oh, ok, I see, can you please contact me via email about this? jkressin@floragunn.com

···


Strange, this should normally work. Have a look at this Kibana plugin, which also uses the SG endpoints:

Especially this:

···

On Tuesday, July 4, 2017 at 5:52:08 PM UTC+2, Jochen Kressin wrote:

Oh, ok, I see, can you please contact me via email about this? jkressin@floragunn.com

On Tuesday, July 4, 2017 at 5:47:43 PM UTC+2, Sergey Bondarenko wrote:

About the code, sure, this task is for Sentinl app https://github.com/sirensolutions/sentinl

On Tuesday, July 4, 2017 at 5:36:19 PM UTC+2, Jochen Kressin wrote:

So I guess the answer depends on which layer you need the username - Angular or Node? Any code you can share?

On Tuesday, July 4, 2017 at 2:16:59 PM UTC+2, Sergey Bondarenko wrote:

These documents are available only in my plugin.

On Tuesday, July 4, 2017 at 2:15:33 PM UTC+2, Sergey Bondarenko wrote:

I don’t want to authenticate the user. My goal is to have my plugin get the currently logged-in username and use it to create documents. By default, a user can see only documents in his scope, created by him. Admin can see all documents, plus he has “access control” functionality, where he can edit user scopes. Thus, we have a hybrid mode to control user access: usernames from Kibana/Search Guard, the scope control from my plugin.

On Tuesday, July 4, 2017 at 1:04:21 PM UTC+2, Jochen Kressin wrote:

This will not work the way you do it:

Adding the Basic Auth credentials will only work if you query the authinfo endpoint on Elasticsearch directly:

```
curl -Ss -u admin:admin --insecure -XGET 'https://sgssl-0.example.com:9200/_searchguard/authinfo?pretty'
```

The API on Kibana works by authenticating the user-provided credentials against the authinfo endpoint on ES. And if successful, it stores the credentials in a cookie ‘searchguard_authentication’ (name is configurable). It will not accept any Basic Auth header.

The question is, do you want to authenticate the user yourself, or let the SG plugin do that? If you want to authenticate the user yourself, have a look at lib/auth/routes.js and the ${API_ROOT}/v1/auth/login endpoint; this is where the user gets authenticated.

On Tuesday, July 4, 2017 at 12:27:22 PM UTC+2, Sergey Bondarenko wrote:

It responds with Unauthorized even if I use the admin account:

```
$ curl -uadmin:admin -sS -i -XGET http://localhost:5601/searchguard/api/v1/auth/authinfo
HTTP/1.1 403 Forbidden
kbn-name: kibana
kbn-version: 5.4.2
content-type: application/json; charset=utf-8
cache-control: no-cache
content-length: 70
Date: Tue, 04 Jul 2017 10:21:25 GMT
Connection: keep-alive

{"statusCode":403,"error":"Forbidden","message":"Error: Unauthorized"}
```

On Tuesday, July 4, 2017 at 12:16:16 PM UTC+2, Sergey Bondarenko wrote:

Hello, Jochen.

Thank you for your help. I have one more question, how can I get authorized?

Now, if I use this URL [http://localhost:5601/searchguard/api/v1/auth/authinfo](http://localhost:5601/searchguard/api/v1/auth/authinfo) I get

```
{"statusCode":403,"error":"Forbidden","message":"Error: Unauthorized"}
```

And I get the same when I do http get from my plugin backend:

```js
const http = require('http');

http.get('http://127.0.0.1:5601/searchguard/api/v1/auth/authinfo', (res) => {
  console.log(res);
  JSON.stringify(res, null, 2);
});
```

On Tuesday, July 4, 2017 at 10:24:06 AM UTC+2, Jochen Kressin wrote:

Have a look at lib/auth/routes_authinfo.js, we define an “authinfo” endpoint there which will return the user info in JSON if you have an authenticated user:

```js
server.route({
  method: 'GET',
  path: `${API_ROOT}/v1/auth/authinfo`,
  handler: (request, reply) => {
  }
})
```

On Tuesday, July 4, 2017 at 9:58:30 AM UTC+2, Sergey Bondarenko wrote:

Hello.

I develop a Kibana plugin, and I need to know the currently logged-in username. Is there a method/property available to get this information?

Best regards.

For a usage example in an Angular controller, have a look at public/apps/multitenancy/multitenancy.js. We fetch the user information, and extract and display username and roles there.

On Tuesday, July 4, 2017 at 10:22:41 AM UTC+2, Jochen Kressin wrote: