I have a proxy layer that does all SSL and basic authentication (for HTTP) already, and therefore would like to turn off said features in search-guard. I've tried setting the various auth_domains to false in the sg_config.yml, but can't seem to get the authentication to turn off. What's the right way to do this?
Below is my sg_config.yml:

# This is the main configuration file where the authentication and authorization
# backends as well as the http authenticators and other settings will be defined.
#
# The authentication works like that:
#
# If there are no authenticators (authc) defined a implicit one will be created.
# This will authenticate against the internal user database and use HTTP Basic.
#
# If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated
# and a respective exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to
# find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
# and one role named "sg_anonymous_backendrole". If you enable anonymous authentication for all http authenticators will not challenge.
#
#
# Notice: If you define more than one authenticator make sure to put non-challenging authenticators like "proxy" or "clientcert"
# at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with
# the "challenge" flag. Because its not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means
# they look into the request and if they found no credentials they will not challenge. You can cope with this situation
# with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request
# (Thats especially easy for Basic authentication).
# Default value of the challenge flag is true.
#
#
#
# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging) NOT FREE FOR COMMERCIAL
#   clientcert (not challenging, needs https)
# Authc
#   internal
#   noop
#   ldap  NOT FREE FOR COMMERCIAL USE
# Authz
#   ldap  NOT FREE FOR COMMERCIAL USE
#   noop

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        # see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        # more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        # and here https://tools.ietf.org/html/rfc7239
        # and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        enabled: false
        order: 4
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
            acceptor_principal: 'HTTP/localhost'
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: false
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "X-Company-Staff-User"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        enabled: false
        order: 0
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        enabled: false
        order: 3
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(uniqueMember={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...
Basically, I've turned proxy_auth_domain on and anonymous_auth on, but I'm still finding that searchguard is 401-ing my requests.
On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:
I have a proxy layer that does all SSL and basic authentication (for HTTP) already, and therefore would like to turn off said features in search-guard. I've tried setting the various auth_domains to false in the sg_config.yml, but can't seem to get the authentication to turn off. What's the right way to do this?
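The posted config pairs the proxy authenticator with xff.enabled: false, although the template's own header lists proxy as "not challenging, needs xff": without XFF resolution Search Guard never treats the request as coming from a trusted proxy, so the proxy authenticator extracts no user and the basic domain that could have supplied one is disabled. The fragment below is an added example, not code from the thread or from Search Guard's shipped template. It shows the relevant settings as posted (commented out) next to a corrected version for a proxy that has already authenticated the caller. The proxy address 10.0.0.5 is a placeholder; the header names are the ones from the post.

```yaml
searchguard:
  dynamic:
    http:
      # The proxy already authenticated the caller, so do not fall back to
      # sg_anonymous: a request without the user header should be rejected.
      #anonymous_auth_enabled: true   # as posted
      anonymous_auth_enabled: false
      xff:
        # As posted, XFF was off, so the proxy authenticator could not run.
        #enabled: false
        enabled: true
        # Only the proxy's own address may assert a user. Placeholder IP, replace
        # with the real proxy address. This is a regex, not a CIDR: escape the dots.
        internalProxies: '10\.0\.0\.5'
        # Never ship this: any client that can reach the Elasticsearch HTTP port
        # could then claim any user by setting the header itself.
        #internalProxies: '.*'
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      proxy_auth_domain:
        enabled: true
        # Non-challenging authenticators go first (lowest order), as the header comment says.
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            # Header names as in the posted config. The proxy must set these on every
            # request and must never pass a client-supplied value through.
            user_header: "X-Company-Staff-User"
            roles_header: "x-proxy-roles"
        authentication_backend:
          # noop: accept the user the trusted proxy asserts; no credential check here.
          type: noop
      basic_internal_auth_domain:
        # Basic auth is done by the proxy, so it stays off on the Elasticsearch side.
        enabled: false
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
```

Two things to check alongside this. First, in Search Guard 2 the nodes do not read sg_config.yml from disk; the file is uploaded into the searchguard index with sgadmin.sh, so editing it on every server changes nothing until sgadmin is re-run. Second, with proxy authentication the only thing standing between an attacker and an arbitrary identity is the internalProxies match, so the Elasticsearch HTTP port must not be reachable from anywhere except the proxy. HTTP TLS itself is not controlled in this file but by searchguard.ssl.http.enabled in elasticsearch.yml; node-to-node transport TLS is required by Search Guard and cannot be switched off.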
After making sure that the configs are the same on each server in the cluster I am now getting:
[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];
at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]
So, now I would like to figure out how to give any authenticated user access to everything, so that searchguard is not doing any role checking.
On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:
Below is my sg_config.yml:
···
In an old version of searchguard I was able to set
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I don't feel like I'm getting any closer.
On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:
After making sure that the configs are the same on each server in the cluster I am now getting:
···
"noop" is what you are looking for.
The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, please update.
On 07.07.2016 at 03:48, Max Furman <mx.furman@gmail.com> wrote:
In an old version of searchguard I was able to set
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I dont feel like Im getting any closer.
On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:
After making sure that the configs are the same on each server in the cluster I am now getting:[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];
at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.
On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:
Below is my sg_config.yml:
# This is the main configuration file where the authentication and authorization
# backends as well as the http authenticators and other settings will be defined.
#
# The authentication works like that:
#
# If there are no authenticators (authc) defined a implicit one will be created.
# This will authenticate against the internal user database and use HTTP Basic.
#
# If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated
# and a respective exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to
# find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
# and one role named "sg_anonymous_backendrole". If you enable anonymous authentication for all http authenticators will not challenge.
#
#
# Notice: If you define more than one authenticator make sure to put non-challenging authenticators like "proxy" or "clientcert"
# at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with
# the "challenge" flag. Because its not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means
# they look into the request and if they found no credentials they will not challenge. You can cope with this situation
# with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request
# (Thats especially easy for Basic authentication).
# Default value of the challenge flag is true.
#
#
#
# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging) NOT FREE FOR COMMERCIAL
#   clientcert (not challenging, needs https)
# Authc
#   internal
#   noop
#   ldap NOT FREE FOR COMMERCIAL USE
# Authz
#   ldap NOT FREE FOR COMMERCIAL USE
#   noop
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        enabled: false
        order: 4
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
            acceptor_principal: 'HTTP/localhost'
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: false
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "X-Company-Staff-User"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        enabled: false
        order: 0
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        enabled: false
        order: 3
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(uniqueMember={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...
Basically, I've turned proxy_auth_domain on and anonymous_auth on, but I'm still finding that searchguard is 401-ing my requests.
On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:
I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I've tried setting the various auth_domains to false in the sg_config.yml, but can't seem to get the authentication to turn off. What's the right way to do this?
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9998e1f5-9dd4-457d-b334-232f83122e34%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
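The config posted above pairs an enabled proxy authenticator with `xff.enabled: false`, although the file's own header comment lists proxy as "not challenging, needs xff". As an added example (not code from this thread, from Max's setup, or from Search Guard), the following Python linter turns the rules stated in that header comment into checks a reviewer can run over the `searchguard.dynamic` section before pushing it with sgadmin: proxy auth requires xff, at most one enabled authenticator may challenge, non-challenging domains must be ordered before challenging ones, and an `internalProxies`/`trustedProxies` pattern that matches any address lets every client that can reach the node set the user header itself. `POSTED_CONFIG` is constructed from the config above with the disabled domains trimmed; `lint_sg_config`, `with_xff` and `PROBE_ADDRESS` are names chosen for this example, and the `enabled`/`challenge` defaults are assumptions taken from the header comment.

```python
import copy
import re

# Constructed for this example: the searchguard.dynamic section of the config
# posted in the thread, reduced to the keys the checks look at.
POSTED_CONFIG = {
    "searchguard": {"dynamic": {
        "http": {
            "anonymous_auth_enabled": True,
            "xff": {
                "enabled": False,
                "internalProxies": r"192\.168\.0\.10|192\.168\.0\.11",
                "remoteIpHeader": "x-forwarded-for",
                "proxiesHeader": "x-forwarded-by",
            },
        },
        "authc": {
            "proxy_auth_domain": {
                "enabled": True, "order": 1,
                "http_authenticator": {
                    "type": "proxy", "challenge": False,
                    "config": {"user_header": "X-Company-Staff-User",
                               "roles_header": "x-proxy-roles"},
                },
                "authentication_backend": {"type": "noop"},
            },
            "basic_internal_auth_domain": {
                "enabled": False, "order": 2,
                "http_authenticator": {"type": "basic", "challenge": True},
                "authentication_backend": {"type": "intern"},
            },
        },
        "authz": {},
    }}
}

# TEST-NET-2 documentation address: no real proxy fleet lives there, so a proxy
# pattern that matches it is broader than a fixed set of proxy addresses.
PROBE_ADDRESS = "198.51.100.1"


def enabled_domains(dynamic):
    """Enabled authc domains, sorted by the order Search Guard tries them.
    Assumption: a domain without an explicit 'enabled' key counts as enabled."""
    authc = dynamic.get("authc") or {}
    return sorted(((n, d) for n, d in authc.items() if d.get("enabled", True)),
                  key=lambda item: item[1].get("order", 0))


def lint_sg_config(config):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    dynamic = config.get("searchguard", {}).get("dynamic", {})
    xff = (dynamic.get("http") or {}).get("xff") or {}
    domains = enabled_domains(dynamic)

    if not domains:
        findings.append("no enabled authc domain: the implicit HTTP Basic "
                        "authenticator against the internal user database applies")

    # Header comment: the challenge flag defaults to true and only one enabled
    # authenticator may challenge; non-challenging ones must come first.
    def challenges(dom):
        return (dom.get("http_authenticator") or {}).get("challenge", True)

    challengers = [n for n, d in domains if challenges(d)]
    if len(challengers) > 1:
        findings.append("more than one challenging authenticator enabled: "
                        + ", ".join(challengers))
    seen_challenger = False
    for name, dom in domains:
        if challenges(dom):
            seen_challenger = True
        elif seen_challenger:
            findings.append(f"{name}: non-challenging authenticator ordered "
                            "after a challenging one")

    for name, dom in domains:
        if (dom.get("http_authenticator") or {}).get("type") != "proxy":
            continue
        # Header comment: proxy (not challenging, needs xff).
        if not xff.get("enabled", False):
            findings.append(f"{name}: proxy authenticator enabled but "
                            "http.xff.enabled is false; the header comment says "
                            "proxy needs xff")
        for key in ("internalProxies", "trustedProxies"):
            pattern = xff.get(key)
            if pattern and re.fullmatch(pattern, PROBE_ADDRESS):
                findings.append(f"{name}: xff.{key} {pattern!r} matches arbitrary "
                                "addresses, so any client can supply the user header")
    return findings


def with_xff(config, enabled, internal_proxies):
    """Deep copy of config with the xff block changed (demo helper)."""
    fixed = copy.deepcopy(config)
    fixed["searchguard"]["dynamic"]["http"]["xff"].update(
        {"enabled": enabled, "internalProxies": internal_proxies})
    return fixed


if __name__ == "__main__":
    for label, cfg in [("as posted", POSTED_CONFIG),
                       ("xff on, proxy pinned", with_xff(POSTED_CONFIG, True, r"10\.0\.0\.5")),
                       ("xff on, trust everyone", with_xff(POSTED_CONFIG, True, ".*"))]:
        print(label, "->", lint_sg_config(cfg) or ["ok"])
```

Run against the posted config the only finding is the proxy/xff mismatch; pinning `internalProxies` to the proxy's real address (the `10.0.0.5` used here is a placeholder) and enabling xff clears it, while the commented-out `'.*'` variant passes the xff check but is flagged because the user header would then be trusted from any source address.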
Sorry, I’m not sure I understand where I’m supposed to add the “noop”. I’ve tried adding the following to my elasticsearch.yml
searchguard.authentication.authentication_backend.impl: noop
but, once I configure the backend_registry using the sgadmin.sh tool, any http request that I make fails w/
[com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[user-name not found]
If you could provide an example of what field and where I should be setting to "noop" that would be really helpful. I see "noop" frequently in the sg_config.yml, but again, I'm not sure which key needs to be set to noop in order to get the behavior that I am interested in. Again, that behavior is to succeed all http requests w/out doing any verification.
Also, I appreciate the note on 2.3.3.2, just upgraded.
On Wednesday, July 6, 2016 at 11:34:03 PM UTC-7, SG wrote:
"noop" is what you are looking for
The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update
Am 07.07.2016 um 03:48 schrieb Max Furman mx.f...@gmail.com:
In an old version of searchguard I was able to set
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I don't feel like I'm getting any closer.
On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:
After making sure that the configs are the same on each server in the cluster I am now getting:
[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];
at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]
So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.
If I remove the search-guard-2 plugin I get the desired behavior. I assumed that I needed to have both search-guard-ssl and search-guard-2 plugins installed, but based on my needs I think I only need search-guard-ssl.
Still, it would be good to know how to completely disable search-guard-2 from doing any verification when it is installed.
If you just need SSL without any kind of authentication or authorization then SG SSL is all you have to install. For that you do not need to run the sgadmin tool.
But if you also need role based authentication or authorization then you have to install *both* plugins and you need to run the sgadmin tool.
On 07.07.2016 at 23:18, Max Furman <mx.furman@gmail.com> wrote:
If I remove the search-guard-2 plugin I get the desired behavior. I assumed that I needed to have both search-guard-ssl and search-guard-2 plugins installed, but based on my needs I think I only need search-guard-ssl.
Still, it would be good to know how to completely disable search-guard-2 from doing any verification when it is installed.
On Thursday, July 7, 2016 at 12:05:53 PM UTC-7, Max Furman wrote:
Sorry, I'm not sure I understand where I'm supposed to add the "noop". I've tried adding the following to my elasticsearch.yml
searchguard.authentication.authentication_backend.impl: noop
but, once I configure the backend_registry using the sgadmin.sh tool, any http request that I make fails w/
[com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[user-name not found]
If you could provide an example of what field and where I should be setting to "noop" that would be really helpful. I see "noop" frequently in the sg_config.yml, but again, I'm not sure which key needs to be set to noop in order to get the behavior that I am interested in. Again, that behavior is to succeed all http requests w/out doing any verification.
Also, I appreciate the note on 2.3.3.2, just upgraded.
On Wednesday, July 6, 2016 at 11:34:03 PM UTC-7, SG wrote:
"noop" is what you are looking for.
The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update
> On 07.07.2016 at 03:48, Max Furman <mx.f...@gmail.com> wrote:
>
> In an old version of searchguard I was able to set
>
> searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
>
> How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I don't feel like I'm getting any closer.
>
> On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:
> After making sure that the configs are the same on each server in the cluster I am now getting:
>
> [2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
> FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];
> at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
> at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
> at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
> at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
> at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
> at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
> at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
> at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
> at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
> at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
> at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
> at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
> at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
> at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
> at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
> at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
> at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
> at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
> at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
> at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
> at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
> at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]
>
> So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.
>
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8e631530-c074-4db4-b63f-573fda617b2d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.