JWT with searchguard and Kibana

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

The support for JWT tokens as GET parameter in Kibana works as follows:

When a token is sent via a GET parameter, the Kibana plugin will read the JWT from the GET parameter and then copies it to an HTTP header. This is due to limitations in Kibana. While it is possible to add HTTP headers for each request from Kibana to Elasticsearch, adding GET parameters is not.

So with this Kibana configuration:

searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: ‘_token’
elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

``

You are telling Search Guard: Look for a JWT token in a GET parameter called _token, and then copy it to an HTTP Header. The header name will be Authorization since you did not configure the header name and Authorization is the default. Now we have the JWT in the Authorization HTTP header in each request from KI to ES.

Your Elasticsearch configuration does not match these settings:

signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”

``

This tells Search Guard: Do not look into any HTTP header for a JWT token (jwt_heaeder is set to null), but look for an URL parameter called “_token”. This does not work since Kibana sends the token as HTTP header.

You can just remove the jwt_header and also the jwt_url_parameter from the configuration completely. Search Guard will then fall back to the default Authorization HTTP header name, which is what also Kibana uses as default.

···

On Wednesday, July 11, 2018 at 10:07:14 PM UTC+2, brenda@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

Thank you for the explanation.

Even after commenting those two lines in sg_config.yml I get below error in the kibana logs:

{“type”:“error”,"@timestamp":“2018-07-11T20:24:43Z”,“tags”:,“pid”:21771,“level”:“error”,“error”:{“message”:“Internal Server Error”,“name”:“AuthenticationError”,“stack”:“AuthenticationError: Internal Server Error\n at AuthenticationError (/usr/share/kibana/plugins/searchguard/lib/auth/authentication_error.js:20:5)\n at /usr/share/kibana/plugins/searchguard/lib/backend/searchguard.js:68:23\n at throw (native)\n at step (/usr/share/kibana/plugins/searchguard/lib/backend/searchguard.js:33:191)\n at /usr/share/kibana/plugins/searchguard/lib/backend/searchguard.js:33:402”},“url”:{“protocol”:null,“slashes”:null,“auth”:null,“host”:null,“port”:null,“hostname”:null,“hash”:null,“search”:"",“query”:{},“pathname”:"/api/v1/auth/authinfo",“path”:"/api/v1/auth/authinfo",“href”:"/api/v1/auth/authinfo"},“message”:“Internal Server Error”}
{“type”:“response”,"@timestamp":“2018-07-11T20:24:43Z”,“tags”:,“pid”:21771,“method”:“get”,“statusCode”:500,“req”:{“url”:"/api/v1/auth/authinfo",“method”:“get”,“headers”:{“host”:“ec2-name–:5601”,“connection”:“keep-alive”,“accept”:“application/json, text/plain, /”,“kbn-version”:“6.2.4”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36”,“referer”:“http://ec2-name–:5601/app/kibana?_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MzExODUwNjIsImV4cCI6MTUzMTQ3MTQ2Miwic3ViamVjdF9rZXkiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4ifQ.VEZTc1jOjmnl38fUKZcZR-1MXRCrhgnYpCWu3rP-nPs”,“accept-encoding”:“gzip, deflate”,“accept-language”:“en-US,en;q=0.9”,“Authorization”:“Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MzExODUwNjIsImV4cCI6MTUzMTQ3MTQ2Miwic3ViamVjdF9rZXkiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4ifQ.VEZTc1jOjmnl38fUKZcZR-1MXRCrhgnYpCWu3rP-nPs”},“remoteAddress”:“x.x.x.x”,“userAgent”:“x.x.x.x”,“referer”:“http://ec2-name–:5601/app/kibana?_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MzExODUwNjIsImV4cCI6MTUzMTQ3MTQ2Miwic3ViamVjdF9rZXkiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4ifQ.VEZTc1jOjmnl38fUKZcZR-1MXRCrhgnYpCWu3rP-nPs”},“res”:{“statusCode”:500,“responseTime”:17,“contentLength”:9},“message”:“GET /api/v1/auth/authinfo 500 17ms - 9.0B”}

``

···

On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

Did you apply the configuration changes in sg_config with sgadmin?

Please set the log level in Elasticsearch to debug:

logger.searchguard.name = com.floragunn

logger.searchguard.level = debug

``

And restart Elasticsearch. Then issue the Kibana request again and post the complete ES logfile.

···

On Wednesday, July 11, 2018 at 10:29:32 PM UTC+2, brenda@elementdata.com wrote:

Thank you for the explanation.

Even after commenting those two lines in sg_config.yml I get below error in the kibana logs:

{“type”:“error”,"@timestamp":“2018-07-11T20:24:43Z”,“tags”:,“pid”:21771,“level”:“error”,“error”:{“message”:“Internal Server Error”,“name”:“AuthenticationError”,“stack”:“AuthenticationError: Internal Server Error\n at AuthenticationError (/usr/share/kibana/plugins/searchguard/lib/auth/authentication_error.js:20:5)\n at /usr/share/kibana/plugins/searchguard/lib/backend/searchguard.js:68:23\n at throw (native)\n at step (/usr/share/kibana/plugins/searchguard/lib/backend/searchguard.js:33:191)\n at /usr/share/kibana/plugins/searchguard/lib/backend/searchguard.js:33:402”},“url”:{“protocol”:null,“slashes”:null,“auth”:null,“host”:null,“port”:null,“hostname”:null,“hash”:null,“search”:"",“query”:{},“pathname”:"/api/v1/auth/authinfo",“path”:"/api/v1/auth/authinfo",“href”:"/api/v1/auth/authinfo"},“message”:“Internal Server Error”}
{“type”:“response”,"@timestamp":“2018-07-11T20:24:43Z”,“tags”:,“pid”:21771,“method”:“get”,“statusCode”:500,“req”:{“url”:"/api/v1/auth/authinfo",“method”:“get”,“headers”:{“host”:“ec2-name–:5601”,“connection”:“keep-alive”,“accept”:“application/json, text/plain, /”,“kbn-version”:“6.2.4”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36”,“referer”:“http://ec2-name–:5601/app/kibana?_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MzExODUwNjIsImV4cCI6MTUzMTQ3MTQ2Miwic3ViamVjdF9rZXkiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4ifQ.VEZTc1jOjmnl38fUKZcZR-1MXRCrhgnYpCWu3rP-nPs”,“accept-encoding”:“gzip, deflate”,“accept-language”:“en-US,en;q=0.9”,“Authorization”:“Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MzExODUwNjIsImV4cCI6MTUzMTQ3MTQ2Miwic3ViamVjdF9rZXkiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4ifQ.VEZTc1jOjmnl38fUKZcZR-1MXRCrhgnYpCWu3rP-nPs”},“remoteAddress”:“x.x.x.x”,“userAgent”:“x.x.x.x”,“referer”:“http://ec2-name–:5601/app/kibana?_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MzExODUwNjIsImV4cCI6MTUzMTQ3MTQ2Miwic3ViamVjdF9rZXkiOiJhZG1pbiIsInJvbGVzIjoiYWRtaW4ifQ.VEZTc1jOjmnl38fUKZcZR-1MXRCrhgnYpCWu3rP-nPs”},“res”:{“statusCode”:500,“responseTime”:17,“contentLength”:9},“message”:“GET /api/v1/auth/authinfo 500 17ms - 9.0B”}

``

On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

No, I didn’t apply the configuration changes using sg_admin. I manually edited the sg_config file.

I have added the below changes in /etc/elasticsearch/log4j2.properties and restarted ES.

logger.searchguard.name = com.floragunn

logger.searchguard.level = debug

``

Here is the log:

2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=, requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=, requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/main from 127.0.0.1:55676
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.main.MainRequest is not an IndicesRequest
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=]]
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring
, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/main, skip other roles
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 127.0.0.1:55677
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=
]]
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,443][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring*, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,443][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/nodes/info, skip other roles
[2018-07-11T20:43:56,445][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,446][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,446][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 127.0.0.1:55676
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=
]]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring*, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/nodes/info, skip other roles
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:admin/mappings/get from 127.0.0.1:55677
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.admin.indices.mapping.get.GetMappingsRequest for action indices:admin/mappings/get
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=6, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] 1 raw indices [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] 0 requestTypes []
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] No date math indices found
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] pre final indices: [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] pre final types: []
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] final indices: [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] final types: [_all]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=
]]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?monitoring*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for ?monitoring*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?monitoring* remaining requested indextype: [IndexType [index=.kibana, type=]]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?reporting

[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for ?reporting*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?reporting* remaining requested indextype: [IndexType [index=.kibana, type=]]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?kibana
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Wildcard match for ?kibana: [.kibana]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for ?kibana, will check now types [
]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action [indices:admin/mappings/get] against ?kibana/: [indices:]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] removed .kibana*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?kibana remaining requested indextype:
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server.?kibana’, evaluate other roles

``

···

On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

If you did not apply the configuration changes you made then they do not have any effect of course.

Here’s the docs on how to do that:

If you are using the SG demo installer you can also use the preconfigured sgadmin script:

···

On Wednesday, July 11, 2018 at 10:45:31 PM UTC+2, brenda@elementdata.com wrote:

No, I didn’t apply the configuration changes using sg_admin. I manually edited the sg_config file.

I have added the below changes in /etc/elasticsearch/log4j2.properties and restarted ES.

logger.searchguard.name = com.floragunn

logger.searchguard.level = debug

``

Here is the log:

2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=, requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=, requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/main from 127.0.0.1:55676
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.main.MainRequest is not an IndicesRequest
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=]]
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring
, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/main, skip other roles
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 127.0.0.1:55677
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=
]]
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,443][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring*, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,443][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/nodes/info, skip other roles
[2018-07-11T20:43:56,445][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,446][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,446][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 127.0.0.1:55676
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=
]]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring*, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/nodes/info, skip other roles
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:admin/mappings/get from 127.0.0.1:55677
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.admin.indices.mapping.get.GetMappingsRequest for action indices:admin/mappings/get
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=6, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] 1 raw indices [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] 0 requestTypes []
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] No date math indices found
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] pre final indices: [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] pre final types: []
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] final indices: [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] final types: [_all]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=
]]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?monitoring*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for ?monitoring*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?monitoring* remaining requested indextype: [IndexType [index=.kibana, type=]]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?reporting

[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for ?reporting*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?reporting* remaining requested indextype: [IndexType [index=.kibana, type=]]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?kibana
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Wildcard match for ?kibana: [.kibana]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for ?kibana, will check now types [
]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action [indices:admin/mappings/get] against ?kibana/: [indices:]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] removed .kibana*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?kibana remaining requested indextype:
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server.?kibana’, evaluate other roles

``

On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

sudo /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key /etc/elasticsearch/kirk-key.pem -cert /etc/elasticsearch/kirk.pem -cacert /etc/elasticsearch/root-ca.pem -nhnv
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Elasticsearch Version: 6.2.4
Search Guard Version: 6.2.4-22.1
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: searchguard_demo
Clusterstate: YELLOW
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
Will update ‘sg/config’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.

Will update ‘sg/roles’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘sg/rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘sg/internalusers’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘sg/actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated

yml SUCC: Configuration for 'config' created or updated Done with success

Still, I have an error:

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers sg_kibana_server=>

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_own_index

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve and match kibanaserver

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] no permittedAliasesIndex ‘kibanaserver’ found for ‘[indices:admin/mappings/get]’

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] permittedAliasesIndices ‘{kibanaserver={"":[“INDICES_ALL”]}}’ -> '{"":[“INDICES_ALL”]}’

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] requestedResolvedIndexTypes ‘[IndexType [index=.kibana, type=*]]’

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved permitted aliases indices for kibanaserver: [kibanaserver]

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for kibanaserver, will check now types

[2018-07-11T22:08:30,127][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action [indices:admin/mappings/get] against kibanaserver/: [indices:]

[2018-07-11T22:08:30,128][DEBUG][c.f.s.c.PrivilegesEvaluator] no match kibanaserver* in [IndexType [index=.kibana, type=*]]

[2018-07-11T22:08:30,128][DEBUG][c.f.s.c.PrivilegesEvaluator] For index kibanaserver remaining requested indextype: [IndexType [index=.kibana, type=*]]

[2018-07-11T22:08:30,128][DEBUG][c.f.s.c.PrivilegesEvaluator] Added to leftovers sg_own_index=>[IndexType [index=.kibana, type=*]]

[2018-07-11T22:08:31,160][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] sg index exists and was created with ES 6 (new layout)

[2018-07-11T22:08:31,163][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4

[2018-07-11T22:08:31,164][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3

[2018-07-11T22:08:31,164][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2

[2018-07-11T22:08:31,164][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1

[2018-07-11T22:08:31,168][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.http.XFFResolver@34330f77 listener about change configuration with type config

[2018-07-11T22:08:31,168][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.auth.BackendRegistry@3b7c58e7 listener about change configuration with type config

[2018-07-11T22:08:31,171][DEBUG][c.f.s.a.BackendRegistry ] Clear user cache for kibanaserver due to EXPLICIT

[2018-07-11T22:08:31,171][DEBUG][c.f.s.a.BackendRegistry ] Clear user cache for admin due to EXPLICIT

[2018-07-11T22:08:31,172][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-07-06, expiryDate=2018-09-05, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-07-06, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=55, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@576debc7, getMsgs()=, getExpiresInDays()=55, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]

[2018-07-11T22:08:31,172][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: TRIAL, valid

[2018-07-11T22:08:31,173][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0

[2018-07-11T22:08:32,631][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:35,136][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:37,639][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:40,143][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:42,646][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:42,868][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:45,148][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:47,651][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:50,155][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:52,658][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:55,160][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:08:57,662][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:00,167][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:01,881][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:02,670][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:05,172][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:07,674][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:10,178][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:12,681][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:15,183][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:17,686][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:20,191][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:22,695][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:25,197][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:27,699][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:30,204][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:32,707][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:35,209][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:37,712][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:40,217][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:42,719][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

[2018-07-11T22:09:45,221][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

root@ip-172-31-33-164:/var/log/elasticsearch#

``

···

On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

I was able to get JWT working with Kibana and SG when I pass it through the header but it still doesn’t work with url_param. Also as you mentioned in a different post regarding url_param and session cookie, does the setting of session cookie happen only when JWT is passed as url_param to Kibana?

···

On Wednesday, July 11, 2018 at 1:07:14 PM UTC-7, bre...@elementdata.com wrote:

I have trouble connecting to Kibana using JWT.

  • Search Guard and Elasticsearch version

6.2.4

  • JVM version and operating system version

Java version 1.8.0_171

OS: Ubuntu 14.04

This is how I am trying to access the kibana URL:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

It doesn’t show up anything. Attached is the screenshot.

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

I get an error for authinfo:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

  • Here is my Search Guard configuration

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch configuration

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana Configuration:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``

是的,我有同样的问题,jwt在标题中是正常的,但它会在url中返回401异常。我的配置与您上面讨论的相同。

在 2018年7月12日星期四 UTC+8上午4:49:00,Jochen Kressin写道:

···

如果您没有应用您所做的配置更改,那么它们当然没有任何效果。

这是关于如何做到这一点的文档:

https://docs.search-guard.com/latest/sgadmin

如果您使用的是SG演示安装程序,还可以使用预配置的sgadmin脚本:

https://docs.search-guard.com/ latest / demo-installer #

application -configuration-changes星期三,2018年7月11日星期三下午10:45:31 UTC + 2,bre … @ elementdata.com写道:

不,我没有使用sg_admin应用配置更改。我手动编辑了sg_config文件。

我在/ etc / elasticsearch / log4j2中添加了以下更改。属性并重新启动ES。

logger.searchguard.name = com.floragunn

logger.searchguard.level = debug

``

这是日志:

2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=, requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,439][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=, requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/main from 127.0.0.1:55676
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.main.MainRequest is not an IndicesRequest
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=]]
[2018-07-11T20:43:56,439][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring
, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,440][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/main, skip other roles
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,442][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 127.0.0.1:55677
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=
]]
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,442][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,443][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring*, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,443][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/nodes/info, skip other roles
[2018-07-11T20:43:56,445][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,446][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,446][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested cluster:monitor/nodes/info from 127.0.0.1:55676
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] class org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest is not an IndicesRequest
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=_all, type=
]]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] resolved cluster actions:[indices:data/read/msearch, cluster:admin/xpack/monitoring*, indices:data/read/mget, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/scroll, indices:data/read/coordinate-msearch*, indices:admin/template*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/]
[2018-07-11T20:43:56,446][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server’ and cluster:monitor/nodes/info, skip other roles
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] User ‘User [name=kibanaserver, roles=[], requestedTenant=null]’ is authenticated
[2018-07-11T20:43:56,449][DEBUG][c.f.s.a.BackendRegistry ] sgtenant ‘null’
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] ### evaluate permissions for User [name=kibanaserver, roles=[], requestedTenant=null] on 3dFs4pZ
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] requested indices:admin/mappings/get from 127.0.0.1:55677
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.admin.indices.mapping.get.GetMappingsRequest for action indices:admin/mappings/get
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] indicesOptions IndicesOptions[id=6, ignore_unavailable=false, allow_no_indices=true, expand_wildcards_open=true, expand_wildcards_closed=false, allow_aliases_to_multiple_indices=true, forbid_closed_indices=false, ignore_aliases=false]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] 1 raw indices [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] 0 requestTypes []
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] No date math indices found
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] Resolved [.kibana] to [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] pre final indices: [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] pre final types: []
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] final indices: [.kibana]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] final types: [_all]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] requested resolved indextypes: [IndexType [index=.kibana, type=
]]
[2018-07-11T20:43:56,449][DEBUG][c.f.s.c.PrivilegesEvaluator] mapped roles for kibanaserver: [sg_kibana_server, sg_own_index]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] raw requestedTenant: ‘null’
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Result from privileges interceptor: null
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] ---------- evaluate sg_role: sg_kibana_server
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?monitoring*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for ?monitoring*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?monitoring* remaining requested indextype: [IndexType [index=.kibana, type=]]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?reporting

[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] No wildcard match found for ?reporting*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?reporting* remaining requested indextype: [IndexType [index=.kibana, type=]]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Try wildcard match for ?kibana
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] Wildcard match for ?kibana: [.kibana]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] matches for ?kibana, will check now types [
]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] match requested action [indices:admin/mappings/get] against ?kibana/: [indices:]
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] removed .kibana*
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] For index ?kibana remaining requested indextype:
[2018-07-11T20:43:56,450][DEBUG][c.f.s.c.PrivilegesEvaluator] found a match for ‘sg_kibana_server.?kibana’, evaluate other roles

``

在2018年7月11日星期三下午1:07:14 UTC-7,bre … @ elementdata.com写道:

我无法使用JWT连接到Kibana。

*搜索Guard和Elasticsearch版本

6.2.4

  • JVM版本和操作系统版本

Java版本1.8.0_171

操作系统:Ubuntu 14.04

这是我尝试访问kibana URL的方式:

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/app/kibana?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

它没有显示任何东西。附件是截图。

http://ec2-…-…-…-.compute-1.amazonaws.com:5601/api/v1/auth/authinfo?_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.PcKziOlhGIANaIlJrk1rjoWCf7VIJFUDzh9Q0rhGKc4

``

我收到authinfo的错误:
{“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred”}

``

*这是我的Search Guard配置

searchguard:
dynamic:
# Set filtered_alias_mode to ‘disallow’ to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to ‘warn’ to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to ‘nowarn’ to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#kibana:
# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
#multitenancy_enabled: true
#server_username: kibanaserver
#index: ‘.kibana’
#do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
#internalProxies: ‘.’ # trust all internal proxies, regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
#trustedProxies: '.
’ # trust all external proxies, regex pattern
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos # NOT FREE FOR COMMERCIAL USE
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
#Modified
#basic_internal_auth_domain:
# http_enabled: true
#transport_enabled: true
#order: 4
#http_authenticator:
# type: basic
# challenge: true
#authentication_backend:
# type: intern
#proxy_auth_domain:
# http_enabled: false
#transport_enabled: false
#order: 3
#http_authenticator:
# type: proxy
#challenge: false
#config:
# user_header: “x-proxy-user”
# roles_header: “x-proxy-roles”
#authentication_backend:
# type: noop
jwt_auth_domain:
http_enabled: true
transport_enabled: false
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: “sneezing”
jwt_header: null
jwt_url_parameter: “_token”
roles_key: roles
subject_key: null
authentication_backend:
type: noop
clientcert_auth_domain:
http_enabled: false
transport_enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop

basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
proxy_auth_domain:
http_enabled: false
transport_enabled: false
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
#Modified
ldap:
http_enabled: false
transport_enabled: false
order: 5
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(sAMAccountName={0})’
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: null
authz:
roles_from_myldap:
http_enabled: false
transport_enabled: false
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap # NOT FREE FOR COMMERCIAL USE
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- localhost:8389
bind_dn: null
password: null
rolebase: ‘ou=groups,dc=example,dc=com’
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user’s directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: ‘(member={0})’
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is “name”.
# Can also be “dn” to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on …)
resolve_nested_roles: true
userbase: ‘ou=people,dc=example,dc=com’
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: ‘(uid={0})’
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - ‘cn=Michael Jackson,oupeople,o=TEST’
# - '/\S
/’
roles_from_another_ldap:
enabled: false
authorization_backend:
type: ldap # NOT FREE FOR COMMERCIAL USE
#config goes here …

``

  • Elasticsearch配置

######## Start Search Guard Demo Configuration ########

WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: [“sg_all_access”]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########

``

Kibana配置:

######## Start Search Guard Configuration ########

server.port: 5601

server.host: 0.0.0.0

elasticsearch.url: https://localhost:9200

elasticsearch.username: kibanaserver

elasticsearch.password: kibanaserver

elasticsearch.ssl.verificationMode: none

#New changes start

searchguard.basicauth.enabled: false

searchguard.jwt.enabled: true

searchguard.jwt.url_param: ‘_token’

elasticsearch.requestHeadersWhitelist: [ “Authorization”, “sgtenant” ]

#New changes end

######## End Search Guard Configuration ########

``