ES6 and SG6
I am able to log in to Kibana using a JWT token and it works as expected based on the roles that the token payload has. The issue shows up when that JWT token expires and I refresh the page: Kibana defaults back to "admin", allowing access to everything again. Is there a way to turn that off, so that when my JWT tokens are no longer valid it either redirects back to home or throws an error?
Here are my config files; please let me know if you catch something out of the ordinary or if I am doing something completely wrong.
Note: the backend user I pass through the JWT payload is "superman".
sg_roles.yml

```yaml
# Allows everything, but no changes to searchguard configuration index
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '*':
      '*':
        - indices:data/read/field_caps*

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

# Allows adding and modifying repositories and creating and restoring snapshots
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"

# Allows each user to access own named index
sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL

# X-Pack COMPATIBILITY
sg_xp_monitoring:
  readonly: true
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_xp_alerting:
  readonly: true
  cluster:
    - indices:data/read/scroll
    - cluster:admin/xpack/watcher*
    - cluster:monitor/xpack/watcher*
  indices:
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ
        - indices:admin/aliases/get

sg_xp_machine_learning:
  readonly: true
  cluster:
    - cluster:admin/persistent*
    - cluster:internal/xpack/ml*
    - indices:data/read/scroll*
    - cluster:admin/xpack/ml*
    - cluster:monitor/xpack/ml*
  indices:
    '*':
      '*':
        - READ
        - indices:admin/get*
    '?ml-*':
      '*':
        - "*"

# LEGACY ROLES, FOR COMPATIBILITY ONLY
# WILL BE REMOVED IN SG7, DO NOT USE ANYMORE
sg_readonly_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Make xpack monitoring work
sg_monitor:
  cluster:
    - cluster:admin/xpack/monitoring/*
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
    - indices:admin/template/get
    - indices:admin/template/put
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    '?marvel*':
      '*':
        - INDICES_ALL
    '?kibana*':
      '*':
        - READ
    '*':
      '*':
        - indices:data/read/field_caps

# Make xpack alerting work
sg_alerting:
  cluster:
    - indices:data/read/scroll
    - cluster:admin/xpack/watcher/watch/put
    - cluster:admin/xpack/watcher*
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana*':
      '*':
        - READ
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ

user:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*myCustomIndex1*':
      '*':
        - UNLIMITED
    '*myCustomIndex2*':
      '*':
        - UNLIMITED
  #tenants:
  #  admin_tenant: RW
```
sg_roles_mapping.yml

```yaml
# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml
sg_all_access:
  readonly: true
  backendroles:
    - admin

sg_logstash:
  backendroles:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_kibana_user:
  backendroles:
    - kibanauser
    - superman

sg_readall:
  readonly: true
  backendroles:
    - readall

sg_manage_snapshots:
  readonly: true
  backendroles:
    - snapshotrestore

sg_own_index:
  users:
    - '*'

user:
  readonly: true
  backendroles:
    - superman
```
kibana.yml

```yaml
console.enabled: true
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
elasticsearch.requestTimeout: 600000
elasticsearch.shardTimeout: 595000
elasticsearch.ssl.verificationMode: none
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
logging.verbose: false
server.basePath: "/jwt_kibana"
server.host: "0.0.0.0"
kibana.index: ".kibana"
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.multitenancy.enable_filter: true
searchguard.multitenancy.enabled: true
searchguard.multitenancy.tenants.enable_global: true
searchguard.multitenancy.tenants.enable_private: true
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "jwt_token", "x-forwarded-for", "x-forwarded-server", "x-forwarded-by" ]
```
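An added illustration (not from the original post, and not Search Guard's own code) of the behaviour the question asks for: a JWT whose `exp` has passed, or whose signature does not verify, is rejected with an error instead of being replaced by another identity, and a valid token's backend roles are resolved against the `backendroles` entries of the sg_roles_mapping.yml above. The signing key and the `roles` claim name are assumptions; the role mapping is transcribed from the post.

```python
import base64, hashlib, hmac, json, time

# Hypothetical signing key; stands in for the key configured for the JWT authenticator.
SECRET = b"example-signing-key-not-for-production"

# backendroles entries from the posted sg_roles_mapping.yml (users-based entries omitted)
ROLE_MAPPING = {
    "sg_all_access": ["admin"],
    "sg_logstash": ["logstash"],
    "sg_kibana_user": ["kibanauser", "superman"],
    "sg_readall": ["readall"],
    "sg_manage_snapshots": ["snapshotrestore"],
    "user": ["superman"],
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(payload, secret=SECRET):
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, secret=SECRET, now=None):
    """Return the claims of a valid, unexpired token; raise ValueError otherwise."""
    header, body, sig = token.split(".")  # ValueError if not exactly three parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject 'none' and any other algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")  # body or signature was altered
    claims = json.loads(_b64url_decode(body))
    if "exp" not in claims or (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")  # a missing exp is treated as expired
    return claims

def token_is_valid(token, secret=SECRET, now=None):
    try:
        return verify_token(token, secret, now) is not None
    except ValueError:
        return False  # the caller must surface an error, never pick a default user

def search_guard_roles(claims, roles_key="roles"):
    """Map the backend roles in the token's roles claim to Search Guard roles."""
    backend = set(claims.get(roles_key, []))
    return sorted(r for r, br in ROLE_MAPPING.items() if backend & set(br))
```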