JWT Authentication Shows as Disabled After Configuring

Elastic Stack 7.10.2/Search Guard 49.0.0.

I’m configuring the JWT Authentication Tokens for Elasticsearch. After I load my sg_config.yml, I get the following, when I look at my Search Guard configuration in the Kibana UI:

I copied the JWT token config directly from the documentation page. My sg_config.yml is:

---
_sg_meta:
  type: 'config'
  config_version: 2
sg_config:
  dynamic:
    auth_failure_listeners: {}
    disable_rest_auth: false
    disable_intertransport_auth: false
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: false
    filtered_alias_mode: 'warn'
    hosts_resolver_mode: 'ip-only'
    multi_rolespan_enabled: true
    respect_request_indices_options: false
    license: '${env.SG_LICENSE}'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*'
        remoteIpHeader: 'X-Forwarded-For'
    kibana:
      multitenancy_enabled: true
      server_username: 'kibanaserver'
      index: '.kibana'
      rbac_enabled: false
    auth_token_provider:
      enabled: true
      jwt_signing_key_hs512: '${env.SG_JWT_SIGNING_KEY_HS512}'
      jwt_encryption_key_a256kw: '${env.SG_JWT_ENCRYPTION_KEY_A256KW}'
      max_validity: '1y'
      max_tokens_per_user: 100
    authc:
      sg_issued_jwt_auth_domain:
        description: 'Authenticate via JSON Web Tokens issued by Search Guard'
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: 'sg_auth_token'
          challenge: false
        authentication_backend:
          type: 'sg_auth_token'
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          challenge: false
          type: 'basic'
          config: {}
        authentication_backend:
          type: 'intern'
          config: {}
        description: 'Internal Users'
        skip_users: []
      adfs_ldap:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          challenge: false
          type: 'basic'
          config: {}
        authentication_backend:
          type: 'ldap'
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            pemtrustedcas_filepath: 'certs/app/ca_bundle.pem'
            hosts:
              - '${env.SG_LDAP_HOST}'
            bind_dn: '${env.SG_LDAP_BIND_DN}'
            password: '${env.SG_LDAP_BIND_DN_PASSWD}'
            users:
              example:
                base: '${env.SG_LDAP_USER_BASE}'
                search: '(sAMAccountName={0})'
            username_attribute: 'cn'
        description: 'LDAP Authentication'
        skip_users: []
      adfs_saml:
        http_enabled: true
        order: 3
        http_authenticator:
          type: 'com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator'
          challenge: true
          config:
            idp:
              metadata_url: '${env.SG_SAML_METADATA_URL}'
              entity_id: '${env.SG_SAML_IDP_ENTITY_ID}'
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: 'certs/host/ca-bundle.crt'
            sp:
              entity_id: '${env.SG_SAML_SP_ENTITY_ID}'
            roles_key: 'Role'
            exchange_key: '${env.SG_SAML_EXCHANGE_KEY}'
            kibana_url: '${env.KIBANA_URL}'
        authentication_backend:
          type: 'noop'
    authz:
      adfs_ldap_roles:
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: 'ldap'
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: false
            pemtrustedcas_filepath: '/usr/share/elasticsearch/config/certs/app/ca_bundle.pem'
            hosts:
              - '${env.SG_LDAP_HOST}'
            bind_dn: '${env.SG_LDAP_BIND_DN}'
            password: '${env.SG_LDAP_BIND_DN_PASSWD}'
            roles:
              example:
                base: '${env.SG_LDAP_ROLE_BASE}'
                search: '(member={1})'
            userroleattribute: null
            userrolename: 'memberOf'
            rolename: 'cn'
            resolve_nested_roles: true
            users:
              example:
                base: '${env.SG_LDAP_USER_BASE}'
                search: '(sAMAccountName={0})'
            username_attribute: 'cn'
        description: 'LDAP Roles'
        skipped_users: []

…and when I attempt to generate a token, I get the following, as expected:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "status_exception",
        "reason" : "AuthTokenProvider is not configured"
      }
    ],
    "type" : "status_exception",
    "reason" : "AuthTokenProvider is not configured",
    "caused_by" : {
      "type" : "token_creation_exception",
      "reason" : "AuthTokenProvider is not configured"
    }
  },
  "status" : 500
}
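A pre-flight check for a configuration like the one above, added here as an example (it is not part of this thread and not a Search Guard tool): it lists every `${env.NAME}` placeholder in sg_config.yml that is unset or empty in the environment sgadmin or the node is started from, and confirms that the `auth_token_provider` block is enabled and that some authc domain uses the `sg_auth_token` authenticator. The sample config written by `make_sample_config` is constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for a Search Guard sg_config.yml before running sgadmin.
# Added example; the helper names are hypothetical and the sample config is constructed.

# Print each ${env.NAME} placeholder whose variable is unset or empty.
# Returns 0 when every placeholder resolves, 1 otherwise.
check_sg_env_placeholders() {
  cfg="$1"
  missing=0
  for name in $(grep -o '\${env\.[A-Za-z_][A-Za-z0-9_]*}' "$cfg" \
                | sed 's/^\${env\.//; s/}$//' | sort -u); do
    # ${NAME:+x} expands to x only when NAME is set and non-empty
    if ! eval "[ -n \"\${$name:+x}\" ]"; then
      echo "unresolved placeholder: $name"
      missing=1
    fi
  done
  return $missing
}

# Returns 0 when auth_token_provider.enabled is true AND an authc domain uses
# the sg_auth_token authenticator type; 1 otherwise.
check_sg_auth_token_config() {
  cfg="$1"
  enabled=$(awk '/^[[:space:]]*auth_token_provider:/ {f=1; next}
                 f && /enabled:/ {print $2; exit}' "$cfg")
  [ "$enabled" = "true" ] || return 1
  grep -Eq "type: *'?sg_auth_token'?" "$cfg" || return 1
  return 0
}

# Writes a constructed, minimal sg_config.yml and prints its path.
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
sg_config:
  dynamic:
    license: '${env.SG_LICENSE}'
    auth_token_provider:
      enabled: true
      jwt_signing_key_hs512: '${env.SG_JWT_SIGNING_KEY_HS512}'
      jwt_encryption_key_a256kw: '${env.SG_JWT_ENCRYPTION_KEY_A256KW}'
    authc:
      sg_issued_jwt_auth_domain:
        http_enabled: true
        http_authenticator:
          type: 'sg_auth_token'
EOF
  echo "$f"
}
```

Run both checks against the real file in the same shell session that launches sgadmin, e.g. `check_sg_env_placeholders sg_config.yml && check_sg_auth_token_config sg_config.yml`, so an empty signing key is caught before the config is loaded.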

Hello Doug!

Can you please try to run sgadmin again to trigger a configuration refresh and check the logs ES/SG produces meanwhile?

I’m not sure whether it is really related to the “disabled” display in Kibana; I would just guess a display bug here. We will check that.

Certainly. I reloaded the config, and got the following:

{
  "type": "server",
  "timestamp": "2021-02-26T14:19:31,841Z",
  "level": "INFO",
  "component": "c.f.s.c.ConfigurationRepository",
  "cluster.name": "elk-es-dev",
  "node.name": "elk-es-master-0",
  "message": "Search Guard License Info: SearchGuardLicense [uid=A0655B18-1F41-4CFF-84D2-E09A41140416, type=FULL, features=[], issueDate=2020-03-22, expiryDate=2021-04-10, issuedTo=My Company Name, issuer=floragunn GmbH, startDate=2020-04-10, majorVersion=7, clusterName=*, allowedNodeCount=32768, msgs=[], expiresInDays=43, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@66d983f9, getMsgs()=[], getExpiresInDays()=43, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]",
  "cluster.uuid": "YgzlFBvxQm--yeQRS3V_CQ",
  "node.id": "cnUjA2cuSXSukBepaXgc5Q"
}
{
  "type": "server",
  "timestamp": "2021-02-26T14:19:31,842Z",
  "level": "INFO",
  "component": "c.f.s.c.ConfigurationRepository",
  "cluster.name": "elk-es-dev",
  "node.name": "elk-es-master-0",
  "message": "Search Guard License Type: FULL, valid",
  "cluster.uuid": "YgzlFBvxQm--yeQRS3V_CQ",
  "node.id": "cnUjA2cuSXSukBepaXgc5Q"
}

I wasn’t certain that was what you wanted, so I put it in debug mode and ran it again. It’s too big to paste in, so I’m attaching it as a file.

elk-es-master-0.log (52.9 KB)

Interesting. I was making another minor change to my test cluster, restarted it again, and auth tokens appear to be functioning as expected now. I didn’t make any changes to the SG config.
