Kibana server with client certificate auth only

Hi,

I’m setting up a fresh new cluster with latest ES/SG.
I’d like kibana to auth using clientcert.
I thus set up kibana.yml like this:

#NO elasticsearch.username: kibana
elasticsearch.ssl.certificate: /etc/kibana/ssl/Kibana User.crt
elasticsearch.ssl.key: /etc/kibana/ssl/Kibana User.key

The subject of that client cert is CN=Kibana User

And I’ve added the following permissions in sg_roles_mapping.yml:

SGS_KIBANA_SERVER:
  users:
    - CN=Kibana User

However, this doesn’t seem to suffice for kibana to start:

kibana[2073]: {"type":"log","@timestamp":"2020-04-02T13:36:59Z","tags":["warning","migrations"],"pid":2073,"message":"Unable to connect to Elasticsearch. Error: [security_exception] no permissions for [indices:admin/get] and User [name=CN=Kibana User, backend_roles=[], requestedTenant=null]"}

When I add the SGS_KIBANA_USER role to the user, kibana is happy.

Did I miss something?

You configured the user correctly.

All Kibana users must be mapped to the built-in SGS_KIBANA_USER role. This role has the minimum permissions to access Kibana.

In addition, the users need to have READ permissions to all indices they should be allowed to use with Kibana. Typically you will want to set up different roles for different users, and give them the SGS_KIBANA_USER role in addition.

I’m sorry I didn’t make myself clear.
I was trying to set up the kibana server user: the one used internally by kibana.
It seems this is only possible through basic auth, and not like I was trying to do through clientcert.
Can you confirm that?
