ES Information
{
“name” : “elasticsearch”,
“cluster_name” : “searchguard_demo”,
“cluster_uuid” : “YoFc8ZcMRquVm4XZ6y_SYQ”,
“version” : {
“number” : “6.2.4”,
“build_hash” : “ccec39f”,
“build_date” : “2018-04-12T20:37:28.497551Z”,
“build_snapshot” : false,
“lucene_version” : “7.2.1”,
“minimum_wire_compatibility_version” : “5.6.0”,
“minimum_index_compatibility_version” : “5.0.0”
},
“tagline” : “You Know, for Search”
}
``
From ES Debug Logs:
[2018-05-03T20:29:23,659][DEBUG][c.f.s.s.ReflectionHelper ] Loaded module Module [type=JWT_AUTHENTICATION_BACKEND, implementing class=com.floragunn.dlic.auth.http.jwt.HTTPJwtAuthenticator]
[2018-05-03T20:29:23,660][DEBUG][c.f.s.s.ReflectionHelper ] Loaded module Module [type=INTERNAL_USERS_AUTHENTICATION_BACKEND, implementing class=com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend]
[2018-05-03T20:29:23,660][DEBUG][c.f.s.s.ReflectionHelper ] Loaded module Module [type=HTTP_BASIC_AUTHENTICATOR, implementing class=com.floragunn.searchguard.http.HTTPBasicAuthenticator]
[2018-05-03T20:29:23,660][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
[2018-05-03T20:29:23,662][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-27, expiryDate=2018-06-27, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-27, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=54, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@784ba8e, getMsgs()=, getExpiresInDays()=54, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
``
When I make a request to Search-Guard:
curl -k -H “Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImpvaG5kb2UiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3M30.uwMCHhodsEOUAQ9wbaAuO7Un7YvcDc-D-JAPS0wjSx0” https://localhost:9200
Unauthorized
``
and I see this error is ES logs:
[2018-05-03T20:35:27,308][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from jwt http authenticator
[2018-05-03T20:35:27,317][DEBUG][c.f.d.a.h.j.HTTPJwtAuthenticator] Invalid or expired JWT token.
io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
…
…
[2018-05-03T20:35:27,323][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-05-03T20:35:27,323][WARN ][c.f.s.h.HTTPBasicAuthenticator] No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’
``
My sg_config looks like this and I have run sgadmin after updating signing_key:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
jwt_auth_domain**:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “dHJ5LXRoaXMtc2hpdA==”
jwt_header: “Authorization”
jwt_url_parameter: null
roles_key: null
subject_key: null
authentication_backend:
type:** ** noop**
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
ldap:
``