Is it possible to authenticate kibana user by cert?

Search Guard
1

Hi,

I am running Elasticsearch+Searchguard+Kibana+Searchguard-Kibana-Plugin 6.3.2.

I am authenticating my users against Searchguard using certs, like:

searchguard:
dynamic:
http:
anonymous_auth_enabled: false
authc:
clientcert_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: clientcert
config:
username_attribute: cn
challenge: false
authentication_backend:
type: noop

``

I am trying to authenticate my kibana-users the same way, but I wasn’t successful so far. So my question is:
Is it possible at all? Or is the only change to auth with kibana+searchguard (not using LDAP of the commercial version) using the basic-auth with the internal_users-db?

Thanks in advance

2

So,
i discovered that:
curl -u $user:$password “https://:9200$esmaster/_searchguard/authinfo?pretty

``

gets rejected with:
“Authentication finally failed”, which is fine. Adding my certs to that call, authentication is successful.

Login into kibana, with exactly the same credentials as in that curl-command, i get access as well.

Switching to

logger.searchguard.name = com.floragunn
logger.searchguard.level = debug

``

I can see, that the authenticated user is the FQDN of the host, kibana is running on. But the login is happening on my localhost.

And my kibana.yml configures:

elasticsearch:
username: “kibanaserver”
password: “$kibanapassword”

``

Now, I am really confused. What is going on, and how can I tell kibana to use certs integrated in the browser to do authentication?

···

On Wednesday, September 19, 2018 at 5:31:38 PM UTC+2, hage42 wrote:

Hi,

I am running Elasticsearch+Searchguard+Kibana+Searchguard-Kibana-Plugin 6.3.2.

I am authenticating my users against Searchguard using certs, like:

searchguard:
dynamic:
http:
anonymous_auth_enabled: false
authc:
clientcert_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: clientcert
config:
username_attribute: cn
challenge: false
authentication_backend:
type: noop

``

I am trying to authenticate my kibana-users the same way, but I wasn’t successful so far. So my question is:
Is it possible at all? Or is the only change to auth with kibana+searchguard (not using LDAP of the commercial version) using the basic-auth with the internal_users-db?

Thanks in advance

3

Unfortunately, due to Kibana inner workings it is not possible to use client cert based auth. Kibana is based on node.js / hapi. So even if your browser adds the certificate correctly, Kibana would simply drop it when communicating with Elasticsearch.

···

On Thursday, September 20, 2018 at 12:13:15 PM UTC+2, hage42 wrote:

So,
i discovered that:
curl -u $user:$password “https://:9200$esmaster/_searchguard/authinfo?pretty

``

gets rejected with:
“Authentication finally failed”, which is fine. Adding my certs to that call, authentication is successful.

Login into kibana, with exactly the same credentials as in that curl-command, i get access as well.

Switching to

logger.searchguard.name = com.floragunn
logger.searchguard.level = debug

``

I can see, that the authenticated user is the FQDN of the host, kibana is running on. But the login is happening on my localhost.

And my kibana.yml configures:

elasticsearch:
username: “kibanaserver”
password: “$kibanapassword”

``

Now, I am really confused. What is going on, and how can I tell kibana to use certs integrated in the browser to do authentication?

On Wednesday, September 19, 2018 at 5:31:38 PM UTC+2, hage42 wrote:

Hi,

I am running Elasticsearch+Searchguard+Kibana+Searchguard-Kibana-Plugin 6.3.2.

I am authenticating my users against Searchguard using certs, like:

searchguard:
dynamic:
http:
anonymous_auth_enabled: false
authc:
clientcert_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: clientcert
config:
username_attribute: cn
challenge: false
authentication_backend:
type: noop

``

I am trying to authenticate my kibana-users the same way, but I wasn’t successful so far. So my question is:
Is it possible at all? Or is the only change to auth with kibana+searchguard (not using LDAP of the commercial version) using the basic-auth with the internal_users-db?

Thanks in advance