how to turn off all http basic authentication or BackendRegistry authentication done by searchguard

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I’ve tried setting the various auth_domains to false in the sg_config.yml, but can’t seem to get the authentication to turn off. Whats the right way to do this?

Below is my sg_config.yml:

This is the main configuration file where the authentication and authorization

backends as well as the http authenticators and other settings will be defined.

···

The authentication works like that:

If there are no authenticators (authc) defined a implicit one will be created.

This will authenticate against the internal user database and use HTTP Basic.

If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated

and a respective exception is thrown and/or the HTTP status is set to 401.

After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect

the roles from a given backend for the authenticated user.

For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to

find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.

If none can be found the user will be authenticated as an “anonymous” user. This user has always the username “sg_anonymous”

and one role named “sg_anonymous_backendrole”. If you enable anonymous authentication for all http authenticators will not challenge.

Notice: If you define more than one authenticator make sure to put non-challenging authenticators like “proxy” or “clientcert”

at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with

the “challenge” flag. Because its not possible to challenge a client with two different authentication methods (for example

Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means

they look into the request and if they found no credentials they will not challenge. You can cope with this situation

with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request

(Thats especially easy for Basic authentication).

Default value of the challenge flag is true.

HTTP

basic (challenging)

proxy (not challenging, needs xff)

kerberos (challenging) NOT FREE FOR COMMERCIAL

clientcert (not challenging, needs https)

Authc

internal

noop

ldap NOT FREE FOR COMMERCIAL USE

Authz

ldap NOT FREE FOR COMMERCIAL USE

noop

searchguard:

dynamic:

http:

anonymous_auth_enabled: true

xff:

enabled: false

internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern

#internalProxies: ‘.*’ # trust all internal proxies, regex pattern

remoteIpHeader: ‘x-forwarded-for’

proxiesHeader: ‘x-forwarded-by’

#trustedProxies: ‘.*’ # trust all external proxies, regex pattern

see Pattern (Java Platform SE 7 ) for regex help
more information about XFF X-Forwarded-For - Wikipedia
and here RFC 7239 - Forwarded HTTP Extension
and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component

authc:

kerberos_auth_domain:

enabled: false

order: 4

http_authenticator:

type: kerberos # NOT FREE FOR COMMERCIAL USE

challenge: true

config:

If true a lot of kerberos/security related debugging output will be logged to standard out

krb_debug: false

Acceptor (Server) Principal name, must be present in acceptor_keytab_path file

acceptor_principal: ‘HTTP/localhost’

If true then the realm will be stripped from the user name

strip_realm_from_principal: true

authentication_backend:

type: noop

basic_internal_auth_domain:

enabled: false

order: 2

http_authenticator:

type: basic

challenge: true

authentication_backend:

type: intern

proxy_auth_domain:

enabled: true

order: 1

http_authenticator:

type: proxy

challenge: false

config:

user_header: “X-Company-Staff-User”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

clientcert_auth_domain:

enabled: false

order: 0

http_authenticator:

type: clientcert

challenge: false

authentication_backend:

type: noop

ldap:

enabled: false

order: 3

http_authenticator:

type: basic

challenge: false

authentication_backend:

LDAP authentication backend (authenticate users against a LDAP or Active Directory)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable ldaps

enable_ssl: false

enable start tls, enable_ssl should be false

enable_start_tls: false

send client certificate

enable_ssl_client_auth: false

verify ldap hostname

verify_hostnames: true

hosts:

  • localhost:8389

bind_dn: null

password: null

userbase: ‘ou=people,dc=example,dc=com’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(uid={0})’

Use this attribute from the user as username (if not set then DN is used)

username_attribute: null

authz:

roles_from_myldap:

enabled: false

authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable ldaps

enable_ssl: false

enable start tls, enable_ssl should be false

enable_start_tls: false

send client certificate

enable_ssl_client_auth: false

verify ldap hostname

verify_hostnames: true

hosts:

  • localhost:8389

bind_dn: null

password: null

rolebase: ‘ou=groups,dc=example,dc=com’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: null

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: cn

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true

userbase: ‘ou=people,dc=example,dc=com’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(uid={0})’

roles_from_another_ldap:

enabled: false

authorization_backend:

type: ldap # NOT FREE FOR COMMERCIAL USE

#config goes here …

Basically, I’ve turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.

On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I’ve tried setting the various auth_domains to false in the sg_config.yml, but can’t seem to get the authentication to turn off. Whats the right way to do this?

After making sure that the configs are the same on each server in the cluster I am now getting:

[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]

FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];

at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)

at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)

at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)

at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)

at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)

at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)

at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)

at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)

at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)

at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)

at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)

at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)

at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)

at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)

at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)

at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)

at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)

at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)

at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)

at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)

at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)

at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at java.lang.Thread.run(Thread.java:745)

Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]

So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.

···

On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:

Below is my sg_config.yml:

This is the main configuration file where the authentication and authorization

backends as well as the http authenticators and other settings will be defined.

The authentication works like that:

If there are no authenticators (authc) defined a implicit one will be created.

This will authenticate against the internal user database and use HTTP Basic.

If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated

and a respective exception is thrown and/or the HTTP status is set to 401.

After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect

the roles from a given backend for the authenticated user.

For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to

find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.

If none can be found the user will be authenticated as an “anonymous” user. This user has always the username “sg_anonymous”

and one role named “sg_anonymous_backendrole”. If you enable anonymous authentication for all http authenticators will not challenge.

Notice: If you define more than one authenticator make sure to put non-challenging authenticators like “proxy” or “clientcert”

at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with

the “challenge” flag. Because its not possible to challenge a client with two different authentication methods (for example

Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means

they look into the request and if they found no credentials they will not challenge. You can cope with this situation

with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request

(Thats especially easy for Basic authentication).

Default value of the challenge flag is true.

HTTP

basic (challenging)

proxy (not challenging, needs xff)

kerberos (challenging) NOT FREE FOR COMMERCIAL

clientcert (not challenging, needs https)

Authc

internal

noop

ldap NOT FREE FOR COMMERCIAL USE

Authz

ldap NOT FREE FOR COMMERCIAL USE

noop

searchguard:

dynamic:

http:

anonymous_auth_enabled: true

xff:

enabled: false

internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern

#internalProxies: ‘.*’ # trust all internal proxies, regex pattern

remoteIpHeader: ‘x-forwarded-for’

proxiesHeader: ‘x-forwarded-by’

#trustedProxies: ‘.*’ # trust all external proxies, regex pattern

see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
and here https://tools.ietf.org/html/rfc7239
and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

authc:

kerberos_auth_domain:

enabled: false

order: 4

http_authenticator:

type: kerberos # NOT FREE FOR COMMERCIAL USE

challenge: true

config:

If true a lot of kerberos/security related debugging output will be logged to standard out

krb_debug: false

Acceptor (Server) Principal name, must be present in acceptor_keytab_path file

acceptor_principal: ‘HTTP/localhost’

If true then the realm will be stripped from the user name

strip_realm_from_principal: true

authentication_backend:

type: noop

basic_internal_auth_domain:

enabled: false

order: 2

http_authenticator:

type: basic

challenge: true

authentication_backend:

type: intern

proxy_auth_domain:

enabled: true

order: 1

http_authenticator:

type: proxy

challenge: false

config:

user_header: “X-Company-Staff-User”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

clientcert_auth_domain:

enabled: false

order: 0

http_authenticator:

type: clientcert

challenge: false

authentication_backend:

type: noop

ldap:

enabled: false

order: 3

http_authenticator:

type: basic

challenge: false

authentication_backend:

LDAP authentication backend (authenticate users against a LDAP or Active Directory)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable ldaps

enable_ssl: false

enable start tls, enable_ssl should be false

enable_start_tls: false

send client certificate

enable_ssl_client_auth: false

verify ldap hostname

verify_hostnames: true

hosts:

  • localhost:8389

bind_dn: null

password: null

userbase: ‘ou=people,dc=example,dc=com’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(uid={0})’

Use this attribute from the user as username (if not set then DN is used)

username_attribute: null

authz:

roles_from_myldap:

enabled: false

authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable ldaps

enable_ssl: false

enable start tls, enable_ssl should be false

enable_start_tls: false

send client certificate

enable_ssl_client_auth: false

verify ldap hostname

verify_hostnames: true

hosts:

  • localhost:8389

bind_dn: null

password: null

rolebase: ‘ou=groups,dc=example,dc=com’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: null

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: cn

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true

userbase: ‘ou=people,dc=example,dc=com’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(uid={0})’

roles_from_another_ldap:

enabled: false

authorization_backend:

type: ldap # NOT FREE FOR COMMERCIAL USE

#config goes here …

Basically, I’ve turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.

On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I’ve tried setting the various auth_domains to false in the sg_config.yml, but can’t seem to get the authentication to turn off. Whats the right way to do this?

In an old version of searchguard I was able to set

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend

How can I get the same behavior with search-guard-2? I’ve been fumbling around with the sg_config.yml flipping various flags, but I dont feel like Im getting any closer.

···

On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:

After making sure that the configs are the same on each server in the cluster I am now getting:

[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]

FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];

at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)

at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)

at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)

at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)

at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)

at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)

at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)

at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)

at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)

at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)

at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)

at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)

at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)

at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)

at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)

at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)

at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)

at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)

at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)

at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)

at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)

at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at java.lang.Thread.run(Thread.java:745)

Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]

So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.

On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:

Below is my sg_config.yml:

This is the main configuration file where the authentication and authorization

backends as well as the http authenticators and other settings will be defined.

The authentication works like that:

If there are no authenticators (authc) defined a implicit one will be created.

This will authenticate against the internal user database and use HTTP Basic.

If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated

and a respective exception is thrown and/or the HTTP status is set to 401.

After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect

the roles from a given backend for the authenticated user.

For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to

find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.

If none can be found the user will be authenticated as an “anonymous” user. This user has always the username “sg_anonymous”

and one role named “sg_anonymous_backendrole”. If you enable anonymous authentication for all http authenticators will not challenge.

Notice: If you define more than one authenticator make sure to put non-challenging authenticators like “proxy” or “clientcert”

at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with

the “challenge” flag. Because its not possible to challenge a client with two different authentication methods (for example

Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means

they look into the request and if they found no credentials they will not challenge. You can cope with this situation

with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request

(Thats especially easy for Basic authentication).

Default value of the challenge flag is true.

HTTP

basic (challenging)

proxy (not challenging, needs xff)

kerberos (challenging) NOT FREE FOR COMMERCIAL

clientcert (not challenging, needs https)

Authc

internal

noop

ldap NOT FREE FOR COMMERCIAL USE

Authz

ldap NOT FREE FOR COMMERCIAL USE

noop

searchguard:

dynamic:

http:

anonymous_auth_enabled: true

xff:

enabled: false

internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern

#internalProxies: ‘.*’ # trust all internal proxies, regex pattern

remoteIpHeader: ‘x-forwarded-for’

proxiesHeader: ‘x-forwarded-by’

#trustedProxies: ‘.*’ # trust all external proxies, regex pattern

see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
and here https://tools.ietf.org/html/rfc7239
and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

authc:

kerberos_auth_domain:

enabled: false

order: 4

http_authenticator:

type: kerberos # NOT FREE FOR COMMERCIAL USE

challenge: true

config:

If true a lot of kerberos/security related debugging output will be logged to standard out

krb_debug: false

Acceptor (Server) Principal name, must be present in acceptor_keytab_path file

acceptor_principal: ‘HTTP/localhost’

If true then the realm will be stripped from the user name

strip_realm_from_principal: true

authentication_backend:

type: noop

basic_internal_auth_domain:

enabled: false

order: 2

http_authenticator:

type: basic

challenge: true

authentication_backend:

type: intern

proxy_auth_domain:

enabled: true

order: 1

http_authenticator:

type: proxy

challenge: false

config:

user_header: “X-Company-Staff-User”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

clientcert_auth_domain:

enabled: false

order: 0

http_authenticator:

type: clientcert

challenge: false

authentication_backend:

type: noop

ldap:

enabled: false

order: 3

http_authenticator:

type: basic

challenge: false

authentication_backend:

LDAP authentication backend (authenticate users against a LDAP or Active Directory)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable ldaps

enable_ssl: false

enable start tls, enable_ssl should be false

enable_start_tls: false

send client certificate

enable_ssl_client_auth: false

verify ldap hostname

verify_hostnames: true

hosts:

  • localhost:8389

bind_dn: null

password: null

userbase: ‘ou=people,dc=example,dc=com’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(uid={0})’

Use this attribute from the user as username (if not set then DN is used)

username_attribute: null

authz:

roles_from_myldap:

enabled: false

authorization_backend:

LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

type: ldap # NOT FREE FOR COMMERCIAL USE

config:

enable ldaps

enable_ssl: false

enable start tls, enable_ssl should be false

enable_start_tls: false

send client certificate

enable_ssl_client_auth: false

verify ldap hostname

verify_hostnames: true

hosts:

  • localhost:8389

bind_dn: null

password: null

rolebase: ‘ou=groups,dc=example,dc=com’

Filter to search for roles (currently in the whole subtree beneath rolebase)

{0} is substituted with the DN of the user

{1} is substituted with the username

{2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

rolesearch: ‘(uniqueMember={0})’

Specify the name of the attribute which value should be substituted with {2} above

userroleattribute: null

Roles as an attribute of the user entry

userrolename: memberOf

The attribute in a role entry containing the name of that role

rolename: cn

Resolve nested roles transitive (roles which are members of other roles and so on …)

resolve_nested_roles: true

userbase: ‘ou=people,dc=example,dc=com’

Filter to search for users (currently in the whole subtree beneath userbase)

{0} is substituted with the username

usersearch: ‘(uid={0})’

roles_from_another_ldap:

enabled: false

authorization_backend:

type: ldap # NOT FREE FOR COMMERCIAL USE

#config goes here …

Basically, I’ve turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.

On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I’ve tried setting the various auth_domains to false in the sg_config.yml, but can’t seem to get the authentication to turn off. Whats the right way to do this?

"noop" is what you looking for

The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update

···

Am 07.07.2016 um 03:48 schrieb Max Furman <mx.furman@gmail.com>:

In an old version of searchguard I was able to set

   searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend

How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I dont feel like Im getting any closer.

On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:
After making sure that the configs are the same on each server in the cluster I am now getting:

[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];
  at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
  at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
  at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
  at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
  at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
  at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
  at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
  at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
  at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
  at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
  at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
  at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
  at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
  at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
  at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
  at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
  at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
  at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
  at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
  at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
  at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
  at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]

So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.

On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:
Below is my sg_config.yml:

# This is the main configuration file where the authentication and authorization
# backends as well as the http authenticators and other settings will be defined.
#
# The authentication works like that:
#
# If there are no authenticators (authc) defined a implicit one will be created.
# This will authenticate against the internal user database and use HTTP Basic.
#
# If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated
# and a respective exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to
# find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
# and one role named "sg_anonymous_backendrole". If you enable anonymous authentication for all http authenticators will not challenge.
#
#
# Notice: If you define more than one authenticator make sure to put non-challenging authenticators like "proxy" or "clientcert"
# at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with
# the "challenge" flag. Because its not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means
# they look into the request and if they found no credentials they will not challenge. You can cope with this situation
# with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request
# (Thats especially easy for Basic authentication).
# Default value of the challenge flag is true.
#
#
#
# HTTP
# basic (challenging)
# proxy (not challenging, needs xff)
# kerberos (challenging) NOT FREE FOR COMMERCIAL
# clientcert (not challenging, needs https)

# Authc
# internal
# noop
# ldap NOT FREE FOR COMMERCIAL USE

# Authz
# ldap NOT FREE FOR COMMERCIAL USE
# noop

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see Pattern (Java Platform SE 7 ) for regex help
        ###### more information about XFF X-Forwarded-For - Wikipedia
        ###### and here RFC 7239 - Forwarded HTTP Extension
        ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
    authc:
      kerberos_auth_domain:
        enabled: false
        order: 4
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
            acceptor_principal: 'HTTP/localhost'
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: false
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "X-Company-Staff-User"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        enabled: false
        order: 0
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        enabled: false
        order: 3
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(uniqueMember={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true

            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'

      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...

Basically, I've turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.

On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I've tried setting the various auth_domains to false in the sg_config.yml, but can't seem to get the authentication to turn off. Whats the right way to do this?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9998e1f5-9dd4-457d-b334-232f83122e34%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

Sorry, I’m not sure I understand where I’m supposed to add the “noop”. I’ve tried adding the following to my elasticsearch.yml

searchguard.authentication.authentication_backend.impl: noop

but, once I configure the backend_registry using the sgadmin.sh tool, any http request that I make fails w/

[com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[user-name not found]

If you could provide an example of what field and where I should be setting to “noop” that would be really helpful. I see “noop” frequently in the sg_config.yml, but again, im not sure which key needs to be set to noop in order to get the behavior that I am interested in. Again, that behavior is to succeed all http requests w/out doing any verification.

Also, I appreciate the note on 2.3.3.2, just upgraded.

···

On Wednesday, July 6, 2016 at 11:34:03 PM UTC-7, SG wrote:

“noop” is what you looking for

The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update

Am 07.07.2016 um 03:48 schrieb Max Furman mx.f...@gmail.com:

In an old version of searchguard I was able to set

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend

How can I get the same behavior with search-guard-2? I’ve been fumbling around with the sg_config.yml flipping various flags, but I dont feel like Im getting any closer.

On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:

After making sure that the configs are the same on each server in the cluster I am now getting:

[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]

FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];

    at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
    at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
    at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
    at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
    at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
    at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
    at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
    at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
    at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
    at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
    at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
    at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
    at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
    at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
    at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
    at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
    at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
    at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
    at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]

So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.

On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:

Below is my sg_config.yml:

This is the main configuration file where the authentication and authorization

backends as well as the http authenticators and other settings will be defined.

The authentication works like that:

If there are no authenticators (authc) defined a implicit one will be created.

This will authenticate against the internal user database and use HTTP Basic.

If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated

and a respective exception is thrown and/or the HTTP status is set to 401.

After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect

the roles from a given backend for the authenticated user.

For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to

find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.

If none can be found the user will be authenticated as an “anonymous” user. This user has always the username “sg_anonymous”

and one role named “sg_anonymous_backendrole”. If you enable anonymous authentication for all http authenticators will not challenge.

Notice: If you define more than one authenticator make sure to put non-challenging authenticators like “proxy” or “clientcert”

at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with

the “challenge” flag. Because its not possible to challenge a client with two different authentication methods (for example

Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means

they look into the request and if they found no credentials they will not challenge. You can cope with this situation

with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request

(Thats especially easy for Basic authentication).

Default value of the challenge flag is true.

HTTP

basic (challenging)

proxy (not challenging, needs xff)

kerberos (challenging) NOT FREE FOR COMMERCIAL

clientcert (not challenging, needs https)

Authc

internal

noop

ldap NOT FREE FOR COMMERCIAL USE

Authz

ldap NOT FREE FOR COMMERCIAL USE

noop

searchguard:

dynamic:

http:
  anonymous_auth_enabled: true
  xff:
    enabled: false
    internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    #internalProxies: '.*' # trust all internal proxies, regex pattern
    remoteIpHeader:  'x-forwarded-for'
    proxiesHeader:   'x-forwarded-by'
    #trustedProxies: '.*' # trust all external proxies, regex pattern
    ###### see [https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html](https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html) for regex help
    ###### more information about XFF [https://en.wikipedia.org/wiki/X-Forwarded-For](https://en.wikipedia.org/wiki/X-Forwarded-For)
    ###### and here [https://tools.ietf.org/html/rfc7239](https://tools.ietf.org/html/rfc7239)
    ###### and [https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve](https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve)
authc:
  kerberos_auth_domain:
    enabled: false
    order: 4
    http_authenticator:
      type: kerberos # NOT FREE FOR COMMERCIAL USE
      challenge: true
      config:
        # If true a lot of kerberos/security related debugging output will be logged to standard out
        krb_debug: false
        # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
        acceptor_principal: 'HTTP/localhost'
        # If true then the realm will be stripped from the user name
        strip_realm_from_principal: true
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    enabled: false
    order: 2
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: intern
  proxy_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: proxy
      challenge: false
      config:
        user_header: "X-Company-Staff-User"
        roles_header: "x-proxy-roles"
    authentication_backend:
      type: noop
  clientcert_auth_domain:
    enabled: false
    order: 0
    http_authenticator:
      type: clientcert
      challenge: false
    authentication_backend:
      type: noop
  ldap:
    enabled: false
    order: 3
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - localhost:8389
        bind_dn: null
        password: null
        userbase: 'ou=people,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: null
authz:
  roles_from_myldap:
    enabled: false
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - localhost:8389
        bind_dn: null
        password: null
        rolebase: 'ou=groups,dc=example,dc=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(uniqueMember={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: memberOf
        # The attribute in a role entry containing the name of that role
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'ou=people,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: ldap # NOT FREE FOR COMMERCIAL USE
      #config goes here ...

Basically, I’ve turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.

On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I’ve tried setting the various auth_domains to false in the sg_config.yml, but can’t seem to get the authentication to turn off. Whats the right way to do this?


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9998e1f5-9dd4-457d-b334-232f83122e34%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

If I remove the search-guard-2 plugin I get the desired behavior. I assumed that I needed to have both search-guard-ssl and search-guard-2 plugins installed, but based on my needs I think I only need search-guard-ssl.

Still, it would be good to know how to completely disable search-guard-2 from doing any verification when it is installed.

···

On Thursday, July 7, 2016 at 12:05:53 PM UTC-7, Max Furman wrote:

Sorry, I’m not sure I understand where I’m supposed to add the “noop”. I’ve tried adding the following to my elasticsearch.yml

searchguard.authentication.authentication_backend.impl: noop

but, once I configure the backend_registry using the sgadmin.sh tool, any http request that I make fails w/

[com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[user-name not found]

If you could provide an example of what field and where I should be setting to “noop” that would be really helpful. I see “noop” frequently in the sg_config.yml, but again, im not sure which key needs to be set to noop in order to get the behavior that I am interested in. Again, that behavior is to succeed all http requests w/out doing any verification.

Also, I appreciate the note on 2.3.3.2, just upgraded.

On Wednesday, July 6, 2016 at 11:34:03 PM UTC-7, SG wrote:

“noop” is what you looking for

The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update

Am 07.07.2016 um 03:48 schrieb Max Furman mx.f...@gmail.com:

In an old version of searchguard I was able to set

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend

How can I get the same behavior with search-guard-2? I’ve been fumbling around with the sg_config.yml flipping various flags, but I dont feel like Im getting any closer.

On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:

After making sure that the configs are the same on each server in the cluster I am now getting:

[2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]

FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];

    at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
    at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
    at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
    at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
    at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
    at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
    at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
    at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
    at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
    at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
    at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
    at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
    at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
    at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
    at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
    at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
    at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
    at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
    at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]

So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.

On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:

Below is my sg_config.yml:

This is the main configuration file where the authentication and authorization

backends as well as the http authenticators and other settings will be defined.

The authentication works like that:

If there are no authenticators (authc) defined a implicit one will be created.

This will authenticate against the internal user database and use HTTP Basic.

If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated

and a respective exception is thrown and/or the HTTP status is set to 401.

After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect

the roles from a given backend for the authenticated user.

For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to

find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.

If none can be found the user will be authenticated as an “anonymous” user. This user has always the username “sg_anonymous”

and one role named “sg_anonymous_backendrole”. If you enable anonymous authentication for all http authenticators will not challenge.

Notice: If you define more than one authenticator make sure to put non-challenging authenticators like “proxy” or “clientcert”

at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with

the “challenge” flag. Because its not possible to challenge a client with two different authentication methods (for example

Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means

they look into the request and if they found no credentials they will not challenge. You can cope with this situation

with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request

(Thats especially easy for Basic authentication).

Default value of the challenge flag is true.

HTTP

basic (challenging)

proxy (not challenging, needs xff)

kerberos (challenging) NOT FREE FOR COMMERCIAL

clientcert (not challenging, needs https)

Authc

internal

noop

ldap NOT FREE FOR COMMERCIAL USE

Authz

ldap NOT FREE FOR COMMERCIAL USE

noop

searchguard:

dynamic:

http:
  anonymous_auth_enabled: true
  xff:
    enabled: false
    internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    #internalProxies: '.*' # trust all internal proxies, regex pattern
    remoteIpHeader:  'x-forwarded-for'
    proxiesHeader:   'x-forwarded-by'
    #trustedProxies: '.*' # trust all external proxies, regex pattern
    ###### see [https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html](https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html) for regex help
    ###### more information about XFF [https://en.wikipedia.org/wiki/X-Forwarded-For](https://en.wikipedia.org/wiki/X-Forwarded-For)
    ###### and here [https://tools.ietf.org/html/rfc7239](https://tools.ietf.org/html/rfc7239)
    ###### and [https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve](https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve)
authc:
  kerberos_auth_domain:
    enabled: false
    order: 4
    http_authenticator:
      type: kerberos # NOT FREE FOR COMMERCIAL USE
      challenge: true
      config:
        # If true a lot of kerberos/security related debugging output will be logged to standard out
        krb_debug: false
        # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
        acceptor_principal: 'HTTP/localhost'
        # If true then the realm will be stripped from the user name
        strip_realm_from_principal: true
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    enabled: false
    order: 2
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: intern
  proxy_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: proxy
      challenge: false
      config:
        user_header: "X-Company-Staff-User"
        roles_header: "x-proxy-roles"
    authentication_backend:
      type: noop
  clientcert_auth_domain:
    enabled: false
    order: 0
    http_authenticator:
      type: clientcert
      challenge: false
    authentication_backend:
      type: noop
  ldap:
    enabled: false
    order: 3
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - localhost:8389
        bind_dn: null
        password: null
        userbase: 'ou=people,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
        # Use this attribute from the user as username (if not set then DN is used)
        username_attribute: null
authz:
  roles_from_myldap:
    enabled: false
    authorization_backend:
      # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
      type: ldap # NOT FREE FOR COMMERCIAL USE
      config:
        # enable ldaps
        enable_ssl: false
        # enable start tls, enable_ssl should be false
        enable_start_tls: false
        # send client certificate
        enable_ssl_client_auth: false
        # verify ldap hostname
        verify_hostnames: true
        hosts:
          - localhost:8389
        bind_dn: null
        password: null
        rolebase: 'ou=groups,dc=example,dc=com'
        # Filter to search for roles (currently in the whole subtree beneath rolebase)
        # {0} is substituted with the DN of the user
        # {1} is substituted with the username
        # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
        rolesearch: '(uniqueMember={0})'
        # Specify the name of the attribute which value should be substituted with {2} above
        userroleattribute: null
        # Roles as an attribute of the user entry
        userrolename: memberOf
        # The attribute in a role entry containing the name of that role
        rolename: cn
        # Resolve nested roles transitive (roles which are members of other roles and so on ...)
        resolve_nested_roles: true
        userbase: 'ou=people,dc=example,dc=com'
        # Filter to search for users (currently in the whole subtree beneath userbase)
        # {0} is substituted with the username
        usersearch: '(uid={0})'
  roles_from_another_ldap:
    enabled: false
    authorization_backend:
      type: ldap # NOT FREE FOR COMMERCIAL USE
      #config goes here ...

Basically, I’ve turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.

On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:

I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I’ve tried setting the various auth_domains to false in the sg_config.yml, but can’t seem to get the authentication to turn off. Whats the right way to do this?


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9998e1f5-9dd4-457d-b334-232f83122e34%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

If you just need SSL without any kind of authentication or authorization then SG SSL is all you have to install. For that you not need to run sgadmin tool.
But if you also need role based authentication or authorization then you have to install *both* pluginsand you need to run sgadmin tool.

···

Am 07.07.2016 um 23:18 schrieb Max Furman <mx.furman@gmail.com>:

If I remove the search-guard-2 plugin I get the desired behavior. I assumed that I needed to have both search-guard-ssl and search-guard-2 plugins installed, but based on my needs I think I only need search-guard-ssl.

Still, it would be good to know how to completely disable search-guard-2 from doing any verification when it is installed.

On Thursday, July 7, 2016 at 12:05:53 PM UTC-7, Max Furman wrote:
Sorry, I'm not sure I understand where I'm supposed to add the "noop". I've tried adding the following to my elasticsearch.yml

   searchguard.authentication.authentication_backend.impl: noop

but, once I configure the backend_registry using the sgadmin.sh tool, any http request that I make fails w/
   
   [com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[user-name not found]

If you could provide an example of what field and where I should be setting to "noop" that would be really helpful. I see "noop" frequently in the sg_config.yml, but again, im not sure which key needs to be set to noop in order to get the behavior that I am interested in. Again, that behavior is to succeed all http requests w/out doing any verification.

Also, I appreciate the note on 2.3.3.2, just upgraded.

On Wednesday, July 6, 2016 at 11:34:03 PM UTC-7, SG wrote:
"noop" is what you looking for

The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update

> Am 07.07.2016 um 03:48 schrieb Max Furman <mx.f...@gmail.com>:
>
> In an old version of searchguard I was able to set
>
> searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
>
> How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I dont feel like Im getting any closer.
>
> On Wednesday, July 6, 2016 at 5:08:31 PM UTC-7, Max Furman wrote:
> After making sure that the configs are the same on each server in the cluster I am now getting:
>
> [2016-07-06 23:53:25,931][WARN ][gateway ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
> FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]];
> at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
> at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
> at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
> at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
> at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
> at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
> at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
> at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
> at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
> at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
> at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
> at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
> at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
> at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
> at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
> at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
> at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
> at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
> at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
> at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
> at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
> at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=]]
>
> So, now I would like to figure out how to give any authenticated user access to everything. So that searchguard is not doing any role checking.
>
> On Wednesday, July 6, 2016 at 4:04:01 PM UTC-7, Max Furman wrote:
> Below is my sg_config.yml:
>
> # This is the main configuration file where the authentication and authorization
> # backends as well as the http authenticators and other settings will be defined.
> #
> # The authentication works like that:
> #
> # If there are no authenticators (authc) defined a implicit one will be created.
> # This will authenticate against the internal user database and use HTTP Basic.
> #
> # If more than one is configured the first one which succeeds wins. If all fail then the request will be unauthenticated
> # and a respective exception is thrown and/or the HTTP status is set to 401.
> #
> # After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
> # the roles from a given backend for the authenticated user.
> #
> # For HTTP is possible to allow anonymous authentication. If that is allowed then the http authenticators try to
> # find user credentials in the HTTP request and if such where found then the user gets regularly authenticated.
> # If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
> # and one role named "sg_anonymous_backendrole". If you enable anonymous authentication for all http authenticators will not challenge.
> #
> #
> # Notice: If you define more than one authenticator make sure to put non-challenging authenticators like "proxy" or "clientcert"
> # at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with
> # the "challenge" flag. Because its not possible to challenge a client with two different authentication methods (for example
> # Kerberos and Basic) only one can have challenge: true. All others need to have challenge: false and that means
> # they look into the request and if they found no credentials they will not challenge. You can cope with this situation
> # with pre-authentication. That is submitting credentials for non-challenging authenticators within the first request
> # (Thats especially easy for Basic authentication).
> # Default value of the challenge flag is true.
> #
> #
> #
> # HTTP
> # basic (challenging)
> # proxy (not challenging, needs xff)
> # kerberos (challenging) NOT FREE FOR COMMERCIAL
> # clientcert (not challenging, needs https)
>
> # Authc
> # internal
> # noop
> # ldap NOT FREE FOR COMMERCIAL USE
>
> # Authz
> # ldap NOT FREE FOR COMMERCIAL USE
> # noop
>
> searchguard:
> dynamic:
> http:
> anonymous_auth_enabled: true
> xff:
> enabled: false
> internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
> #internalProxies: '.*' # trust all internal proxies, regex pattern
> remoteIpHeader: 'x-forwarded-for'
> proxiesHeader: 'x-forwarded-by'
> #trustedProxies: '.*' # trust all external proxies, regex pattern
> ###### see Pattern (Java Platform SE 7 ) for regex help
> ###### more information about XFF X-Forwarded-For - Wikipedia
> ###### and here RFC 7239 - Forwarded HTTP Extension
> ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
> authc:
> kerberos_auth_domain:
> enabled: false
> order: 4
> http_authenticator:
> type: kerberos # NOT FREE FOR COMMERCIAL USE
> challenge: true
> config:
> # If true a lot of kerberos/security related debugging output will be logged to standard out
> krb_debug: false
> # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
> acceptor_principal: 'HTTP/localhost'
> # If true then the realm will be stripped from the user name
> strip_realm_from_principal: true
> authentication_backend:
> type: noop
> basic_internal_auth_domain:
> enabled: false
> order: 2
> http_authenticator:
> type: basic
> challenge: true
> authentication_backend:
> type: intern
> proxy_auth_domain:
> enabled: true
> order: 1
> http_authenticator:
> type: proxy
> challenge: false
> config:
> user_header: "X-Company-Staff-User"
> roles_header: "x-proxy-roles"
> authentication_backend:
> type: noop
> clientcert_auth_domain:
> enabled: false
> order: 0
> http_authenticator:
> type: clientcert
> challenge: false
> authentication_backend:
> type: noop
> ldap:
> enabled: false
> order: 3
> http_authenticator:
> type: basic
> challenge: false
> authentication_backend:
> # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
> type: ldap # NOT FREE FOR COMMERCIAL USE
> config:
> # enable ldaps
> enable_ssl: false
> # enable start tls, enable_ssl should be false
> enable_start_tls: false
> # send client certificate
> enable_ssl_client_auth: false
> # verify ldap hostname
> verify_hostnames: true
> hosts:
> - localhost:8389
> bind_dn: null
> password: null
> userbase: 'ou=people,dc=example,dc=com'
> # Filter to search for users (currently in the whole subtree beneath userbase)
> # {0} is substituted with the username
> usersearch: '(uid={0})'
> # Use this attribute from the user as username (if not set then DN is used)
> username_attribute: null
> authz:
> roles_from_myldap:
> enabled: false
> authorization_backend:
> # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
> type: ldap # NOT FREE FOR COMMERCIAL USE
> config:
> # enable ldaps
> enable_ssl: false
> # enable start tls, enable_ssl should be false
> enable_start_tls: false
> # send client certificate
> enable_ssl_client_auth: false
> # verify ldap hostname
> verify_hostnames: true
> hosts:
> - localhost:8389
> bind_dn: null
> password: null
> rolebase: 'ou=groups,dc=example,dc=com'
> # Filter to search for roles (currently in the whole subtree beneath rolebase)
> # {0} is substituted with the DN of the user
> # {1} is substituted with the username
> # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
> rolesearch: '(uniqueMember={0})'
> # Specify the name of the attribute which value should be substituted with {2} above
> userroleattribute: null
> # Roles as an attribute of the user entry
> userrolename: memberOf
> # The attribute in a role entry containing the name of that role
> rolename: cn
> # Resolve nested roles transitive (roles which are members of other roles and so on ...)
> resolve_nested_roles: true
>
> userbase: 'ou=people,dc=example,dc=com'
> # Filter to search for users (currently in the whole subtree beneath userbase)
> # {0} is substituted with the username
> usersearch: '(uid={0})'
>
> roles_from_another_ldap:
> enabled: false
> authorization_backend:
> type: ldap # NOT FREE FOR COMMERCIAL USE
> #config goes here ...
>
> Basically, I've turned proxy_auth_domain on and anonymous_auth on, but im still finding that searchguard is 401-ing my requests.
>
> On Wednesday, July 6, 2016 at 3:18:57 PM UTC-7, Max Furman wrote:
>
> I have a proxy layer that does all ssl and basic authentication (for http) already, and therefore would like to turn off said features in search-guard. I've tried setting the various auth_domains to false in the sg_config.yml, but can't seem to get the authentication to turn off. Whats the right way to do this?
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9998e1f5-9dd4-457d-b334-232f83122e34%40googlegroups.com\.
> For more options, visit https://groups.google.com/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8e631530-c074-4db4-b63f-573fda617b2d%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.