Elastic Stack 7.10.2/Search Guard 49.0.0.
I’m configuring JWT authentication tokens (the Search Guard auth-token provider) for Elasticsearch. After I load my sg_config.yml, the Search Guard configuration view in the Kibana UI shows the following warning (screenshot not reproduced here):
I copied the auth-token provider section directly from the documentation page. My sg_config.yml (indentation reconstructed below) is:
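---
# Search Guard dynamic configuration (sg_config.yml, config_version 2).
# The pasted original had lost all indentation; the nesting below follows the
# key order of the paste and the Search Guard v2 schema (sg_config.dynamic.*).
# Secrets (license, JWT keys, LDAP bind password, SAML exchange key) are read
# from environment variables via '${env.NAME}' and never written into the file.
_sg_meta:
  type: 'config'
  config_version: 2

sg_config:
  dynamic:
    auth_failure_listeners: {}
    disable_rest_auth: false
    disable_intertransport_auth: false
    # Forbidden indices are silently filtered out of searches instead of
    # returning 403. Convenient for Kibana, but it hides authorization
    # denials from the caller — keep that in mind when debugging access.
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: false
    filtered_alias_mode: 'warn'
    hosts_resolver_mode: 'ip-only'
    multi_rolespan_enabled: true
    respect_request_indices_options: false
    license: '${env.SG_LICENSE}'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        # SECURITY: '.*' trusts X-Forwarded-For from EVERY peer, so any client
        # that can reach the ES HTTP port directly can forge its source IP.
        # If host-based role mappings or audit logging rely on the client IP,
        # restrict this to the real proxy addresses/CIDRs (e.g. the Kibana or
        # load-balancer hosts) — TODO confirm the proxy IPs for this deployment.
        internalProxies: '.*'
        remoteIpHeader: 'X-Forwarded-For'
    kibana:
      multitenancy_enabled: true
      server_username: 'kibanaserver'
      index: '.kibana'
      rbac_enabled: false
    # Search Guard issued auth tokens (JWT signed with HS512, wrapped with
    # A256KW). Both keys must be high-entropy values; they are the root of
    # trust for every token this cluster issues.
    # NOTE(review): the "AuthTokenProvider is not configured" error says the
    # provider was not picked up at all, not that a key is bad. Things to
    # verify: this block sits directly under sg_config.dynamic (not under
    # kibana or http), both env variables resolve on every node, the config
    # was re-uploaded with sgadmin, and the installed Search Guard version
    # actually supports auth tokens — TODO confirm against the release notes.
    auth_token_provider:
      enabled: true
      jwt_signing_key_hs512: '${env.SG_JWT_SIGNING_KEY_HS512}'
      jwt_encryption_key_a256kw: '${env.SG_JWT_ENCRYPTION_KEY_A256KW}'
      # One-year maximum lifetime: a leaked token stays usable for a long
      # time unless it is revoked. Consider a shorter cap unless long-lived
      # service tokens are a hard requirement.
      max_validity: '1y'
      max_tokens_per_user: 100
    authc:
      # Order 0: tokens issued by the provider above. HTTP only; no challenge,
      # so requests without a token fall through to the next domains.
      sg_issued_jwt_auth_domain:
        description: 'Authenticate via JSON Web Tokens issued by Search Guard'
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: 'sg_auth_token'
          challenge: false
        authentication_backend:
          type: 'sg_auth_token'
      # Order 1: HTTP Basic against the Search Guard internal user database.
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          challenge: false
          type: 'basic'
          config: {}
        authentication_backend:
          type: 'intern'
          config: {}
        description: 'Internal Users'
        skip_users: []
      # Order 2: HTTP Basic verified by a simple bind against LDAP/AD.
      adfs_ldap:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          challenge: false
          type: 'basic'
          config: {}
        authentication_backend:
          type: 'ldap'
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            # SECURITY: with hostname verification off, any certificate
            # chaining to the trusted CA bundle is accepted for this host. A
            # MITM holding such a cert sees the bind DN password and every
            # user password sent in the simple bind. Set this to true unless
            # the LDAP server certificate genuinely cannot match the host.
            verify_hostnames: false
            # Relative path (resolved against the ES config directory); the
            # authz domain below references the same bundle by absolute path.
            pemtrustedcas_filepath: 'certs/app/ca_bundle.pem'
            hosts:
              - '${env.SG_LDAP_HOST}'
            bind_dn: '${env.SG_LDAP_BIND_DN}'
            password: '${env.SG_LDAP_BIND_DN_PASSWD}'
            users:
              example:
                base: '${env.SG_LDAP_USER_BASE}'
                search: '(sAMAccountName={0})'
            username_attribute: 'cn'
        description: 'LDAP Authentication'
        skip_users: []
      # Order 3: SAML via ADFS. This is the only domain with challenge: true,
      # so browser requests with no credentials are redirected to the IdP.
      adfs_saml:
        http_enabled: true
        order: 3
        http_authenticator:
          type: 'com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator'
          challenge: true
          config:
            idp:
              metadata_url: '${env.SG_SAML_METADATA_URL}'
              entity_id: '${env.SG_SAML_IDP_ENTITY_ID}'
              enable_ssl: true
              # SECURITY: the IdP metadata (which carries the IdP signing
              # certificate) is fetched over TLS without hostname
              # verification. A MITM with any cert from the trusted bundle
              # could substitute its own signing cert and mint assertions.
              # Prefer verify_hostnames: true here.
              verify_hostnames: false
              pemtrustedcas_filepath: 'certs/host/ca-bundle.crt'
            sp:
              entity_id: '${env.SG_SAML_SP_ENTITY_ID}'
            roles_key: 'Role'
            # Key used to protect the SAML exchange with Kibana; must be a
            # strong random secret.
            exchange_key: '${env.SG_SAML_EXCHANGE_KEY}'
            kibana_url: '${env.KIBANA_URL}'
        authentication_backend:
          type: 'noop'
    authz:
      # Role lookup in LDAP for users authenticated by any of the domains
      # above (group membership via memberOf, nested groups resolved).
      adfs_ldap_roles:
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: 'ldap'
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            # SECURITY: same MITM exposure as the authc LDAP domain; a forged
            # LDAP server could also return arbitrary group memberships and
            # thereby arbitrary Search Guard roles.
            verify_hostnames: false
            pemtrustedcas_filepath: '/usr/share/elasticsearch/config/certs/app/ca_bundle.pem'
            hosts:
              - '${env.SG_LDAP_HOST}'
            bind_dn: '${env.SG_LDAP_BIND_DN}'
            password: '${env.SG_LDAP_BIND_DN_PASSWD}'
            roles:
              example:
                base: '${env.SG_LDAP_ROLE_BASE}'
                search: '(member={1})'
            userroleattribute: null
            userrolename: 'memberOf'
            rolename: 'cn'
            resolve_nested_roles: true
            users:
              example:
                base: '${env.SG_LDAP_USER_BASE}'
                search: '(sAMAccountName={0})'
            username_attribute: 'cn'
        description: 'LDAP Roles'
        skipped_users: []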
…and when I attempt to generate a token through the auth-token API, I get the following error, which matches the warning shown in the UI:
{
"error" : {
"root_cause" : [
{
"type" : "status_exception",
"reason" : "AuthTokenProvider is not configured"
}
],
"type" : "status_exception",
"reason" : "AuthTokenProvider is not configured",
"caused_by" : {
"type" : "token_creation_exception",
"reason" : "AuthTokenProvider is not configured"
}
},
"status" : 500
}