sudo /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key /etc/elasticsearch/kirk-key.pem -cert /etc/elasticsearch/kirk.pem -cacert /etc/elasticsearch/root-ca.pem -nhnv
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Elasticsearch Version: 6.2.4
Search Guard Version: 6.2.4-22.1
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate …
Clustername: searchguard_demo
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
Will update 'sg/config' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
Still, I have an error:
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers sg_kibana_server=>
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve and match kibanaserver
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] no permittedAliasesIndex ‘kibanaserver’ found for ‘[indices:admin/mappings/get]’
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] permittedAliasesIndices ‘{kibanaserver={““:[“INDICES_ALL”]}}’ → '{””:[“INDICES_ALL”]}’
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] requestedResolvedIndexTypes ‘[IndexType [index=.kibana, type=*]]’
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved permitted aliases indices for kibanaserver: [kibanaserver]
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for kibanaserver, will check now types [*]
[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action [indices:admin/mappings/get] against kibanaserver/: [indices:]
[2018-07-11T22:08:30,128][DEBUG][c.f.s.c.PrivilegesEvaluator] no match kibanaserver* in [IndexType [index=.kibana, type=*]]
[2018-07-11T22:08:30,128][DEBUG][c.f.s.c.PrivilegesEvaluator] For index kibanaserver remaining requested indextype: [IndexType [index=.kibana, type=*]]
[2018-07-11T22:08:30,128][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers sg_own_index=>[IndexType [index=.kibana, type=*]]
[2018-07-11T22:08:31,160][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] sg index exists and was created with ES 6 (new layout)
[2018-07-11T22:08:31,163][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4
[2018-07-11T22:08:31,164][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3
[2018-07-11T22:08:31,164][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2
[2018-07-11T22:08:31,164][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1
[2018-07-11T22:08:31,168][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.http.XFFResolver@34330f77 listener about change configuration with type config
[2018-07-11T22:08:31,168][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.auth.BackendRegistry@3b7c58e7 listener about change configuration with type config
[2018-07-11T22:08:31,171][DEBUG][c.f.s.a.BackendRegistry ] Clear user cache for kibanaserver due to EXPLICIT
[2018-07-11T22:08:31,171][DEBUG][c.f.s.a.BackendRegistry ] Clear user cache for admin due to EXPLICIT
[2018-07-11T22:08:31,172][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-07-06, expiryDate=2018-09-05, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-07-06, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=55, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@576debc7, getMsgs()=, getExpiresInDays()=55, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
[2018-07-11T22:08:31,172][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid
[2018-07-11T22:08:31,173][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
[2018-07-11T22:08:32,631][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:35,136][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:37,639][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:40,143][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:42,646][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:42,868][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:45,148][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:47,651][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:50,155][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:52,658][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:55,160][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:08:57,662][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:00,167][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:01,881][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:02,670][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:05,172][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:07,674][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:10,178][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:12,681][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:15,183][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:17,686][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:20,191][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:22,695][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:25,197][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:27,699][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:30,204][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:32,707][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:35,209][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:37,712][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:40,217][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:42,719][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
[2018-07-11T22:09:45,221][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)
root@ip-172-31-33-164:/var/log/elasticsearch#
On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:
I have trouble connecting to Kibana using JWT.
- Search Guard and Elasticsearch version
6.2.4
- JVM version and operating system version
Java version 1.8.0_171
OS: Ubuntu 14.04
This is how I am trying to access the kibana URL:
http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4
It doesn’t show up anything. Attached is the screenshot.
http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4
I get an error for authinfo:
```json
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}
```
- Here is my Search Guard configuration
```yaml
searchguard:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #kibana:
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
      # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        #internalProxies: '.' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.' # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      #Modified
      #basic_internal_auth_domain:
      #  http_enabled: true
      #  transport_enabled: true
      #  order: 4
      #  http_authenticator:
      #    type: basic
      #    challenge: true
      #  authentication_backend:
      #    type: intern
      #proxy_auth_domain:
      #  http_enabled: false
      #  transport_enabled: false
      #  order: 3
      #  http_authenticator:
      #    type: proxy
      #    challenge: false
      #    config:
      #      user_header: "x-proxy-user"
      #      roles_header: "x-proxy-roles"
      #  authentication_backend:
      #    type: noop
      jwt_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "sneezing"
            jwt_header: null
            jwt_url_parameter: "_token"
            roles_key: roles
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      proxy_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      #Modified
      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,oupeople,o=TEST'
            #  - '/\S/'
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...
```
- Elasticsearch configuration
```yaml
######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########
```
Kibana Configuration:
```yaml
######## Start Search Guard Configuration ########
server.port: 5601
server.host: 0.0.0.0
elasticsearch.url: https://localhost:9200
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.ssl.verificationMode: none
#New changes start
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: '_token'
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
#New changes end
######## End Search Guard Configuration ########
```
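
Added example, not part of the original post and not Search Guard code: an offline check of an HS256 token against the `signing_key` value in `jwt_auth_domain`, reporting the claims, expiry, and whether the signature verifies with the key read as raw text or as base64. It relies on Search Guard's JWT documentation describing `signing_key` for symmetric algorithms as the base64-encoded shared secret. The helper names and the `SAMPLE_*` values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Token copied from the URL in the post; every other sample value is constructed.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0."
    "PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4"
)

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Issue an HS256 token; used only to build the constructed sample below."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def candidate_keys(signing_key):
    """Two readings of a configured signing_key string as HMAC key bytes."""
    keys = {"raw": signing_key.encode()}
    try:
        keys["base64-decoded"] = base64.b64decode(signing_key, validate=True)
    except ValueError:
        pass  # not valid base64, so only the raw reading applies
    return keys

def check_token(token, signing_key, now=None):
    """Decode the claims, test expiry, and report which key reading verifies."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"expected HS256, token says {header.get('alg')!r}")
    claims = json.loads(b64url_decode(body_b64))
    signed, sig = f"{head_b64}.{body_b64}".encode(), b64url_decode(sig_b64)
    verified = [name for name, key in candidate_keys(signing_key).items()
                if hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)]
    now = time.time() if now is None else now
    return {"claims": claims, "expired": claims.get("exp", float("inf")) < now,
            "verified_with": verified}

# Constructed sample: the issuer signs with SAMPLE_SECRET, the config holds its base64 form.
SAMPLE_SECRET = b"constructed-secret-bytes"
SAMPLE_SIGNING_KEY = base64.b64encode(SAMPLE_SECRET).decode()
SAMPLE_TOKEN = sign_hs256({"sub": "admin", "roles": "admin", "exp": 2000000000}, SAMPLE_SECRET)

if __name__ == "__main__":
    print("sample:", check_token(SAMPLE_TOKEN, SAMPLE_SIGNING_KEY))
    print("post:  ", check_token(PAGE_TOKEN, "sneezing"))
```

An empty `verified_with` list means the issuer's key bytes and the configured `signing_key` disagree under both readings, so the token would be rejected before any role mapping is evaluated.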