Kibana licence issue

Hi, I have an issue when I try to start my Kibana (it's the same error with or without the Search Guard plugin installed in my Kibana VM). I don't have a licence for Search Guard, so I try to install it without the enterprise functionality.

I installed and configured Elasticsearch and Search Guard with 2 nodes (node-1 and node-2); the communication between the nodes is established and I have no issue.

Elasticsearch version: elasticsearch-8.5.3-1.x86_64
kibana version: kibana-8.5.3-1.x86_64
Searchguard zip version (Kibana): search-guard-flx-kibana-plugin-1.1.0-es-8.5.3
Searchguard zip version (Elasticsearch): search-guard-flx-elasticsearch-plugin-1.1.1-es-8.5.3
Server OS version: red hat 8.7

My Elasticsearch node configuration looks like this (elasticsearch.yml):

cluster.name: MyELAcluster
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: XX.XX.XX.XX
http.port: 9200
discovery.seed_hosts: 
 - MyNode-1
 - MyNode-2
cluster.initial_master_nodes: 
 - node-1
ingest.geoip.downloader.enabled: false
xpack.security.enabled: false
xpack.security.enrollment.enabled: false
#----------------------- SEARCH GUARD --------------------------------------------
# Enable encryption and mutual authentication between all nodes
searchguard.enterprise_modules_enabled: false
searchguard.ssl.transport.pemcert_filepath: certs/node-1.pem
searchguard.ssl.transport.pemkey_filepath: certs/node-1.key
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
# Enable https for the web application
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/node-1_http.pem
searchguard.ssl.http.pemkey_filepath: certs/node-1_http.key
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
###### CRL Verification part ###########
#searchguard.ssl.http.crl.validate: true
#searchguard.ssl.http.crl.file_path: certs/crl.pem
searchguard.nodes_dn:
- "CN=MyNode-1,OU=MyELAcluster,DC=AMyhouse,C=FR"
- "CN=MyNode-2,OU=MyELAcluster,DC=Myhouse,C=FR"
- "CN=logstash,OU=MyELAcluster,DC=Myhouse,C=FR"
- "CN=kibana,OU=MyELAcluster,DC=Myhouse,C=FR"
searchguard.authcz.admin_dn:
- "CN=Elastic,OU=MyELAcluster,DC=Myhouse,C=FR"
http.host: 0.0.0.0

I created a directory to configure Search Guard with the following files:
-sg_tenants

_sg_meta:
  type: "tenants"
  config_version: 2

-sg_actions_groups

# In this file action groups can be defined. Action groups are a collection of permissions.

# Define your own action groups here
# or use the built-in groups
# See https://docs.search-guard.com/latest/action-groups
_sg_meta:
  type: "actiongroups"
  config_version: 2

UNLIMITED:
  reserved: false
  allowed_actions:
  - "*"

###### INDEX LEVEL ######

INDICES_ALL:
  reserved: false
  allowed_actions:
  - "indices:*"
  type: "index"

# for backward compatibility
ALL:
  reserved: false
  allowed_actions:
  - INDICES_ALL
  type: "index"

MANAGE:
  reserved: false
  allowed_actions:
  - "indices:monitor/*"
  - "indices:admin/*"
  type: "index"

CREATE_INDEX:
  reserved: false
  allowed_actions:
  - "indices:admin/create"
  - "indices:admin/mapping/put"
  type: "index"

MANAGE_ALIASES:
  reserved: false
  allowed_actions:
  - "indices:admin/aliases*"
  type: "index"

# for backward compatibility
MONITOR:
  reserved: false
  allowed_actions:
  - INDICES_MONITOR
  type: "index"

INDICES_MONITOR:
  reserved: false
  allowed_actions:
  - "indices:monitor/*"
  type: "index"

DATA_ACCESS:
  reserved: false
  allowed_actions:
  - "indices:data/*"
  - CRUD
  type: "index"

WRITE:
  reserved: false
  allowed_actions:
  - "indices:data/write*"
  - "indices:admin/mapping/put"
  type: "index"

READ:
  reserved: false
  allowed_actions:
  - "indices:data/read*"
  - "indices:admin/mappings/fields/get*"
  type: "index"

DELETE:
  reserved: false
  allowed_actions:
  - "indices:data/write/delete*"
  type: "index"

CRUD:
  reserved: false
  allowed_actions:
  - READ
  - WRITE
  type: "index"

SEARCH:
  reserved: false
  allowed_actions:
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - SUGGEST
  type: "index"

SUGGEST:
  reserved: false
  allowed_actions:
  - "indices:data/read/suggest*"
  type: "index"

INDEX:
  reserved: false
  allowed_actions:
  - "indices:data/write/index*"
  - "indices:data/write/update*"
  - "indices:admin/mapping/put"
  - "indices:data/write/bulk*"
  type: "index"

GET:
  reserved: false
  allowed_actions:
  - "indices:data/read/get*"
  - "indices:data/read/mget*"
  type: "index"

###### CLUSTER LEVEL ######

CLUSTER_ALL:
  reserved: false
  allowed_actions:
  - "cluster:*"
  type: "cluster"

CLUSTER_MONITOR:
  reserved: false
  allowed_actions:
  - "cluster:monitor/*"
  type: "cluster"

CLUSTER_COMPOSITE_OPS_RO:
  reserved: false
  allowed_actions:
  - "indices:data/read/mget"
  - "indices:data/read/msearch"
  - "indices:data/read/mtv"
  - "indices:data/read/coordinate-msearch*"
  - "indices:admin/aliases/exists*"
  - "indices:admin/aliases/get*"
  type: "cluster"

CLUSTER_COMPOSITE_OPS:
  reserved: false
  allowed_actions:
  - "indices:data/write/bulk"
  - "indices:admin/aliases*"
  - CLUSTER_COMPOSITE_OPS_RO
  type: "cluster"
  
MANAGE_SNAPSHOTS:
  reserved: false
  allowed_actions:
  - "cluster:admin/snapshot/*"
  - "cluster:admin/repository/*"
  type: "cluster"

Logstash_writer: 
  reserved: false
  allowed_actions:
  - DATA_ACCESS
  - CREATE_INDEX
  type: "index"
  description: "Group of user for Write the event into Elasticsearch cluster"

Kibana_user:
  reserved: false
  allowed_actions:
  - DATA_ACCESS
  - SEARCH
  type: "index"
  description: "Kibana user for just vizualize the logs"

-sg_internal_users

admin:
  hash: "hash"
  backend_roles:
  - "admin"
  description: "ELA ADMIN user"

kibanaserver:
  hash: "hash"
  backend_roles:
  - "SGS_KIBANA_USER"
  description: "Kibana normal user"

logstash:
  hash: "hash"
  backend_roles:
  - "logstash"
  - "Logstash_writer"
  description: "Logstash user"

kibana_system:
  search_guard_roles:
  - "SGS_ALL_ACCESS"
  backend_roles: 
  - "admin"
  hash: "hash"
  description: "Kibana user for communication between kibana and Elasticsearch"

-sg_roles

_sg_meta:
  type: "roles"
  config_version: 2

# Allows any action on the cluster.
SGS_ALL_ACCESS:
  cluster_permissions:
  - '*'
  index_permissions:
  - index_patterns:
    - '*'
    allowed_actions:
    - '*'

SGS_LOGSTASH:
  index_permissions:
  - index_patterns:
    - '*'
    allowed_actions:
    - Logstash_writer

SGS_KIBANA_USER:
  index_permissions:
  - index_patterns:
    - '*'
    allowed_actions:
    - Kibana_user

-sg_roles_mapping

SGS_ALL_ACCESS:
  users: 
  - "admin"
  - "kibana_system"
  backend_roles:
  - "admin"
  description: "Maps admin to SGS_ALL_ACCESS"

SGS_LOGSTASH:
  backend_roles:
  - "logstash"

SGS_KIBANA_USER:
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to SGS_KIBANA_USER"

-sg_config

_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic: 
    kibana:
      multitenancy_enabled: false
      index: '.kibana'
      server_username: kibana_system
    http:
      anonymous_auth_enabled: false  # Disable anonymous authentication
      xff:
        enabled: false # Disable proxy authentication support
    authc:
    # http basic authentication
      basic_internal_auth_domain:
        http_enabled: true # Enabled for REST requests
        transport_enabled: true # Enabled for the transport protocol
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern # Authenticate against the internal users list

kibana.yml:

server.port: 5601
server.host: "XX.XX.XX.XX"
searchguard.multitenancy.enabled: false
server.name: "Kibana"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana_http.pem
server.ssl.key: /etc/kibana/certs/kibana_http.key
elasticsearch.hosts: ["https://XX.XX.XX.XX:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "XXXXXX" # My password defined in sg_internal_users
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.pem
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
elasticsearch.ssl.certificateAuthorities: "/etc/kibana/certs/root-ca.pem"
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
xpack.actions.preconfiguredAlertHistoryEsIndex: true

So here is my problem: when I try to start Kibana I get this error (from /var/log/kibana/kibana.log):

Did I miss disabling an enterprise functionality? Can I have some explanation if that's the case?

Note: When I try to put xpack.security.enabled: false in kibana.yml, the Kibana service restarts 3 times and cannot start; the log is almost empty, but when I run /usr/share/bin/kibana the output of this command tells me xpack.security.enabled is not configured.

Thanks in advance for your time.

It's strange because when I check the licence status of Search Guard on node-1 and node-2 I get this result:

@theo Could you try removing elasticsearch.ssl.certificate and elasticsearch.ssl.key?

These settings are used for client certificate authentication, as per the Elasticsearch documentation. Your kibana.yml config file already has a basic auth configuration with the elasticsearch.username and elasticsearch.password options.

The multitenancy and Kibana user/index configuration have been moved to the sg_frontend_multi_tenancy.yml config file in the FLX plugin, as per the documentation.

Basic auth is configured in sg_authc.yml in FLX.

I suggest testing the connectivity and the roles mapping by running curl commands against the ES cluster.

i.e.

curl --insecure -u <username>:<password> -XGET https://<ES_node>:9200/_searchguard/authinfo?pretty
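An added example (not part of the thread or of Search Guard itself) that turns the curl check above into a comparison: it resolves which Search Guard roles each user in the posted sg_internal_users should receive by applying the posted sg_roles_mapping (a role is granted when the user name is in `users` or one of the user's backend roles is in `backend_roles`), flags users that resolve to no role at all, and diffs that against the `sg_roles` list the cluster reports from `/_searchguard/authinfo`. The authinfo field name `sg_roles`, the host/port and the CA file path are assumptions; the live fetch verifies the server against root-ca.pem instead of using `--insecure`.

```python
import base64
import json
import ssl
from urllib.request import Request, urlopen

# Constructed from the sg_internal_users and sg_roles_mapping posted in this thread.
INTERNAL_USERS = {
    "admin": {"backend_roles": ["admin"]},
    "kibanaserver": {"backend_roles": ["SGS_KIBANA_USER"]},
    "logstash": {"backend_roles": ["logstash", "Logstash_writer"]},
    "kibana_system": {"backend_roles": ["admin"], "search_guard_roles": ["SGS_ALL_ACCESS"]},
}
ROLES_MAPPING = {
    "SGS_ALL_ACCESS": {"users": ["admin", "kibana_system"], "backend_roles": ["admin"]},
    "SGS_LOGSTASH": {"backend_roles": ["logstash"]},
    "SGS_KIBANA_USER": {"backend_roles": ["kibanauser"]},
}


def expected_sg_roles(username):
    """Roles a user should get: direct search_guard_roles on the internal user entry,
    plus every mapping that names the user or one of the user's backend roles."""
    user = INTERNAL_USERS[username]
    roles = set(user.get("search_guard_roles", []))
    for role, mapping in ROLES_MAPPING.items():
        by_name = username in mapping.get("users", [])
        by_backend = set(user["backend_roles"]) & set(mapping.get("backend_roles", []))
        if by_name or by_backend:
            roles.add(role)
    return sorted(roles)


def unmapped_users():
    """Users that authenticate fine but are authorized for nothing (a mapping gap)."""
    return [u for u in INTERNAL_USERS if not expected_sg_roles(u)]


def fetch_authinfo(host, username, password, ca_file):
    """Live check: GET /_searchguard/authinfo with basic auth, trusting only ca_file (assumed root-ca.pem)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(f"https://{host}:9200/_searchguard/authinfo", headers={"Authorization": f"Basic {token}"})
    with urlopen(req, context=ctx) as resp:
        return json.load(resp)


def compare(authinfo, username):
    """Diff the roles the cluster assigned ('sg_roles' in the response, assumed) against the expected ones."""
    actual = set(authinfo.get("sg_roles", []))
    expected = set(expected_sg_roles(username))
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}
```

Run `compare(fetch_authinfo(host, user, pw, "root-ca.pem"), user)` for each internal user; with the mapping as posted, `unmapped_users()` reports kibanaserver, because its backend role SGS_KIBANA_USER is not the `kibanauser` that the SGS_KIBANA_USER mapping expects.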

Heu… I tried to do it that way on my first attempt, but I had an issue when I tried to disable the multitenancy option:

sg_frontend_multi_tenancy.yml:

# This file configures multi-tenancy for Dashboards/Kibana. 
#
# NOTE: For using this on production systems, you have to obtain a license.
# See:  https://docs.search-guard.com/latest/search-guard-enterprise-edition
# 
# In normal configurations, it is sufficient to set `enabled` to true. 
# 
# The major configuration needs to be done in the `kibana.yml` file.
# 
# See https://docs.search-guard.com/latest/kibana-multi-tenancy for details

default:
  enabled: false
  index: .kibana
  server_user: kibanaserver

Afterwards I have an issue when I run the sgctl.sh script; to me, enabled: false is not possible. That is why I created the sg_config.yml.

Did I miss something here to disable the multitenancy configuration?

I just made some progress on my side: I had an error when I installed Search Guard. In fact, after the installation the /usr/share/kibana/plugins/searchguard directory doesn't have enough permissions to be read and executed by systemd.

So if you start Kibana with:

-systemctl restart kibana.service

or

-service kibana restart

you first need to change the permissions:

chmod -R 755 /usr/share/kibana/plugins/searchguard

I will try without the SSL settings and I'll try to update my sg_config too. Thanks @pablo

@theo The errors in your screenshot are not related to the Search Guard plugin but to X-Pack security.

Does your Kibana connect to Elasticsearch? Can you authenticate?

In regards to multitenancy, it must be disabled in both Elasticsearch and Kibana, as per the documentation.
On the Elasticsearch side it is sg_frontend_multi_tenancy.yml; on the Kibana side it is searchguard.multitenancy.enabled: false.

Do you see any errors when you run the sgctl.sh script?

Did you install the Kibana SG plugin as a root user?

@theo The sg_config.yml is no longer used by SG FLX plugin.

OK, I try to update my config without sg_config.yml:
I take the sgconfig files provided by default in the Search Guard plugin directory (for me /usr/share/elasticsearch/plugin/search-guard-flx/sgconfig/).
I modify only the file sg_frontend_multi_tenancy:

# This file configures multi-tenancy for Dashboards/Kibana. 
#
# NOTE: For using this on production systems, you have to obtain a license.
# See:  https://docs.search-guard.com/latest/search-guard-enterprise-edition
# 
# In normal configurations, it is sufficient to set `enabled` to true. 
# 
# The major configuration needs to be done in the `kibana.yml` file.
# 
# See https://docs.search-guard.com/latest/kibana-multi-tenancy for details

default:
  enabled: false  
  index: .kibana
  server_user: kibanaserver

But when I run the sgctl update config I have this error:

And I checked the logs, but I have only this warning, and it's not very useful because when I try to update Search Guard I don't get any new logs.

I will try to reinstall my system from scratch.

@theo Did you use the latest version of sgctl.sh tool?

https://maven.search-guard.com//search-guard-flx-release/com/floragunn/sgctl/1.1.0/sgctl-1.1.0.sh

Yes, I use the sgctl-1.1.0 version.

But I have a question: I unzipped and ran sgctl with the root user. Perhaps the problem is there; do you think I need to do these actions with another user (a sudoers user)?

@theo That shouldn’t cause any issues. As long as you can execute the script, you should be fine.

Could you share all the commands you’ve executed to connect, get the config and update the config?
