Searchguard version:
7.9.1-45.1.0
Elasticsearch version:
7.9.1
Server OS version:
RHEL 7
Kibana version (if relevant):
7.9.1
Describe the issue:
The first time a user visits kibana through a link to a saved visualization or dashboard, they are redirected to SSO (Keycloak), then once authenticated they are directed to the kibana home page instead of the link that they had clicked originally
Alternatively, if a user has already authenticated with SSO for Kibana, the link will take them directly to where they intended to go.
Expected behavior:
After authentication, user should be directed to the link they were trying to get to
Provide configuration:
elasticsearch/config/elasticsearch.yml
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THIS FILE IS MANAGED BY CHEF, DO NOT EDIT MANUALLY, YOUR CHANGES WILL BE OVERWRITTEN!
Please see the documentation for further information on configuration options:
https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html
cluster.initial_master_nodes:
- cleared for privacy
cluster.name: ingest-test
node.name: _es-data0
bootstrap.memory_lock: true
node.data: true
node.master: true
node.ingest: true
network.host: 0.0.0.0
transport.host: 0.0.0.0
http.compression: true
reindex.remote.whitelist: ā:443"
path.data: ā/grid/hot/0/elasticsearch/ā
path.logs: ā/var/log/elasticsearch/es-data0ā
http.cors.enabled: true
http.cors.allow-origin: "ā
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length
http.detailed_errors.enabled: true
cluster.routing.allocation.disk.watermark.low: 80%
cluster.routing.allocation.disk.watermark.high: 85%
cluster.routing.allocation.disk.watermark.flood_stage: 99%
search.max_buckets: 5500
thread_pool.write.queue_size: 10000
xpack.ilm.enabled: true
indices.lifecycle.poll_interval: 30m
indices.breaker.fielddata.limit: 1%
indices.breaker.fielddata.overhead: ā1.03ā
indices.breaker.request.limit: 60%
indices.breaker.request.overhead: ā1ā
indices.breaker.total.limit: 95%
network.breaker.inflight_requests.limit: 85%
network.breaker.inflight_requests.overhead: ā2ā
indices.breaker.total.use_real_memory: false
cluster.fault_detection.follower_check.interval: 1s
cluster.fault_detection.follower_check.timeout: 20s
cluster.fault_detection.follower_check.retry_count: ā5ā
cluster.fault_detection.leader_check.interval: 3s
cluster.fault_detection.leader_check.timeout: 20s
cluster.fault_detection.leader_check.retry_count: ā5ā
cluster.publish.timeout: 45s
cluster.follower_lag.timeout: 90s
cluster.election.duration: 5s
cluster.election.initial_timeout: 500ms
cluster.info.update.timeout: 25s
cluster.remote.initial_connect_timeout: 45s
discovery.zen.join_retry_attempts: ā10ā
discovery.zen.ping.unicast.concurrent_connects: ā25ā
transport.connections_per_node.bulk: ā6ā
transport.connections_per_node.reg: ā12ā
transport.connections_per_node.ping: ā2ā
transport.connections_per_node.state: ā3ā
xpack.ml.enabled: false
xpack.monitoring.enabled: true
xpack.security.enabled: false
xpack.sql.enabled: true
xpack.watcher.enabled: false
searchguard.disabled: false
searchguard.ssl.http.enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
discovery.zen.ping.unicast.hosts: - cleared for privacy
discovery.zen.minimum_master_nodes: 2
searchguard.enterprise_modules_enabled: true
searchguard.ssl.transport.keystore_filepath: server.jks
searchguard.ssl.transport.keystore_password:
searchguard.ssl.transport.truststore_filepath: rootCA.jks
searchguard.ssl.transport.truststore_password:
searchguard.ssl.http.keystore_filepath: server.jks
searchguard.ssl.http.keystore_password:
searchguard.ssl.http.truststore_filepath: rootCA.jks
searchguard.ssl.http.truststore_password:
searchguard.authcz.admin_dn: - CN=cleared for privacy
searchguard.nodes_dn: - CN= cleared for privacy
bootstrap.system_call_filter: false
node.attr.zone: BZ21
node.attr.rack_id: ā005ā
node.attr.box_type: prod
http.port: 9200
transport.tcp.port: 9300
node.processors: 48
searchguard.audit.type: log4j
searchguard.audit.config.log4j.logger_name: sgaudit
#searchguard.audit.config.log4j.level: INFO
searchguard.audit.config.log4j.level: TRACE
searchguard.unsupported.restapi.allow_sgconfig_modification: true
searchguard.restapi.roles_enabled: [āsg_super_adminā, āsg_all_accessā]
searchguard.unsupported.restore.sgindex.enabled: true
searchguard.enable_snapshot_restore_privilege: true
kibana.yml:
#base Kibana settings
elasticsearch.requestTimeout: 90000
elasticsearch.shardTimeout: 55000
elasticsearch.ssl.verificationMode: none
elasticsearch.hosts: [āhttps://<es_ip>:9200ā]
elasticsearch.username: ākibanaserverā
elasticsearch.password: ākibanaserverā
server.basePath: ā/kibanaā
server.host: ā0.0.0.0ā
server.port: 5601
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/server.crt
server.ssl.key: /etc/kibana/server.key
#elasticsearch.requestHeadersWhitelist: [ āAuthorizationā, āsgtenantā, āheimdall_jwtā, āx-forwarded-forā, āx-forwarded-serverā, āx-forwarded-byā, āX-Opaque-Idā]
elasticsearch.requestHeadersWhitelist: [ āAuthorizationā, āsgtenantā, āheimdall_jwtā, āx-forwarded-forā, āx-forwarded-serverā, āx-forwarded-byā]
#configurable Kibana features
logging.verbose: true
elasticsearch.logQueries: true
console.enabled: false
#xpack.graph.enabled: true
xpack.grokdebugger.enabled: true
xpack.searchprofiler.enabled: true
xpack.security.enabled: false
xpack.apm.ui.enabled: false
xpack.infra.enabled: false
xpack.ml.enabled: false
xpack.spaces.enabled: false
xpack.monitoring.enabled: true
xpack.securitySolution.enabled: false
xpack.uptime.enabled: false
xpack reporting configurations
xpack.reporting.encryptionKey: ā12345678910ā
xpack.reporting.kibanaApp: /kibana/app/kibana
xpack.reporting.kibanaServer.protocol: https
xpack.reporting.roles.allow: [ākibana-userā,ākibana-adminsā]
#searchguard openid-keycloak settings.
searchguard.multitenancy.tenants.enable_private: false
searchguard.auth.type: āopenidā
searchguard.openid.connect_url: āhttps://keycloak.<our_keycloak_url>.com/auth/realms/.well-known/openid-configurationā
searchguard.openid.client_id: āpi-searchguardā
searchguard.openid.client_secret: āā
searchguard.openid.base_redirect_url: āhttps://.comā
server.rewriteBasePath: false
searchguard.accountinfo.enabled: true
searchguard.openid.scope: roles
searchguard.openid.root_ca: ā/etc/kibana/root_ca.pemā
searchguard.openid.verify_hostnames: false
searchguard.readonly_mode.roles: [ākibana_dashboard_only_userā]
searchguard.cookie.ttl: 28800000
searchguard.session.ttl: 28800000
searchguard.session.keepalive: true
#Other kibana settings
telemetry.enabled: false
csp.warnLegacyBrowsers: true