Kibana and ES version => 6.2.4
Hi,
I have read and re-read the docs and have been googling this stuff forever now. I have a working JWT protected cluster and all I want to do is use Kibana on top of it. I installed Kibana and also the searchguard plugin for Kibana. Kibana is able to connect to ES since I have kibanaserver credentials defined in kibana.yml.
I have been treating this Google Groups discussion as my holy grail to get this done and I have read this multiple times and applied things like moving JWT config on top of basic auth and so on.
I tried using the JWT url param and it fails to work too.
My main goal here is to make “Authorization” headers work. I used the Chrome extension “requestly” to insert an “Authorization” header with the Bearer JWT token and Kibana keeps taking me to the Search Guard login page. Is there a different way to test it out when you don't have an authentication server ready so that you can insert Auth headers from the browser (hence, requestly)? The ES logs always show this, which looks like it's using basic all the time.

```
[2018-05-16T21:54:50,783][WARN ][c.f.d.a.h.j.HTTPJwtAuthenticator] [Content-Length=[0], Host=[localhost:9200], Authorization=[Basic a2liYW5hc2VydmVyOmtpYmFuYXNlcnZlcg==], Connection=[keep-alive]]
[2018-05-16T21:54:53,290][WARN ][c.f.d.a.h.j.HTTPJwtAuthenticator] [Content-Length=[0], Host=[localhost:9200], Authorization=[Basic a2liYW5hc2VydmVyOmtpYmFuYXNlcnZlcg==], Connection=[keep-alive]]
[2018-05-16T21:54:53,294][WARN ][c.f.d.a.h.j.HTTPJwtAuthenticator] [Content-Length=[0], Host=[localhost:9200], Authorization=[Basic a2liYW5hc2VydmVyOmtpYmFuYXNlcnZlcg==], Connection=[keep-alive]]
[2018-05-16T21:54:53,297][WARN ][c.f.d.a.h.j.HTTPJwtAuthenticator] [Content-Length=[0], Host=[localhost:9200], Authorization=[Basic a2liYW5hc2VydmVyOmtpYmFuYXNlcnZlcg==], Connection=[keep-alive]]
[2018-05-16T21:54:53,300][WARN ][c.f.d.a.h.j.HTTPJwtAuthenticator] [Content-Length=[0], Host=[localhost:9200], Authorization=[Basic a2liYW5hc2VydmVyOmtpYmFuYXNlcnZlcg==], Connection=[keep-alive]]
```

Here’s my sg_config.yml

```yaml
searchguard:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
      do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      jwt_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: |-
              -----BEGIN PUBLIC KEY-----
              ...
              -----END PUBLIC KEY-----
            jwt_header: "Authorization"
            jwt_url_parameter: "some_jwt"
            cookieName: "Cookie"
            cookieHeaderName: "jwt_token"
            roles_key: roles
            subject_key: sub
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
```

Kibana.yml

```yaml
console.enabled: false
elasticsearch.requestTimeout: 600000
elasticsearch.shardTimeout: 595000
elasticsearch.ssl.verificationMode: none
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
logging.verbose: false
server.host: "0.0.0.0"
searchguard.jwt.enabled: true
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "some_jwt" ]
```

Elasticsearch.yml

```yaml
node.name: "elasticsearch"
node.master: true
node.data: true
gateway.recover_after_nodes: 1
gateway.recover_after_time: 10m
gateway.expected_nodes: 1
action.auto_create_index: true
######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End Search Guard Demo Configuration ########
```
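
Editor's added example (not part of the original post and not Search Guard code): a small parser for the `HTTPJwtAuthenticator` WARN lines quoted above that reports which credential type actually reached Elasticsearch. The first sample line is copied from the post; the other two lines, the token and its claims (`jdoe`, `kibanauser`) are constructed, `classify` is a hypothetical helper name, and the JWT is only decoded for diagnosis, never verified.

```python
import base64
import json
import re

# First line is from the post; the Bearer token and remaining lines are constructed.
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                       _b64url({"sub": "jdoe", "roles": "kibanauser"}),
                       "c2ln"])  # dummy signature segment, never verified
PREFIX = "[2018-05-16T21:54:50,783][WARN ][c.f.d.a.h.j.HTTPJwtAuthenticator] "
SAMPLE_LOG = [
    PREFIX + "[Content-Length=[0], Host=[localhost:9200], Authorization=[Basic a2liYW5hc2VydmVyOmtpYmFuYXNlcnZlcg==], Connection=[keep-alive]]",
    PREFIX + "[Host=[localhost:9200], Authorization=[Bearer " + SAMPLE_JWT + "]]",
    PREFIX + "[Host=[localhost:9200], Connection=[keep-alive]]",
]

AUTH_RE = re.compile(r"Authorization=\[(\S+) ([^\]]+)\]")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify(line):
    """Return which credential the authenticator saw on one log line."""
    m = AUTH_RE.search(line)
    if not m:
        return {"scheme": None}
    scheme, value = m.group(1), m.group(2)
    if scheme.lower() == "basic":
        user = base64.b64decode(value).decode("utf-8", "replace").split(":", 1)[0]
        return {"scheme": "Basic", "user": user}  # password deliberately dropped
    if scheme.lower() == "bearer":
        parts = value.split(".")
        if len(parts) != 3:
            return {"scheme": "Bearer", "error": "not a three-part JWT"}
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
        except ValueError:
            return {"scheme": "Bearer", "error": "undecodable JWT segment"}
        # Claim names follow subject_key / roles_key in the posted sg_config.yml.
        return {"scheme": "Bearer", "alg": header.get("alg"),
                "sub": claims.get("sub"), "roles": claims.get("roles")}
    return {"scheme": scheme}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

On the lines quoted in the post this reports `Basic` with user `kibanaserver`, the account configured as `elasticsearch.username` in the posted kibana.yml.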