Problem with IdentityServer4

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

···

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

···

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

After changing the configuration you need to apply the changed settings via sgadmin:

If you have used the demo installer to install Search Guard:

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

···

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

···

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

···

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

···

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

In order to run sgadmin you need ro configure and use an admin TLS certificate:

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

···

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

···

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

···

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

···

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

···

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

···

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

···

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

···

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

Yes, I have set the config. When running the command, I get the following error:

···

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only

···

On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:

Yes, I have set the config. When running the command, I get the following error:

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

I just got the point!
The problem is that my [ElasticSearch]/config folder is placed in “…\config”, while the sgadmin.bat searches for “…\config”. How can I set it to my config folder?

···

On Wednesday, February 20, 2019 at 6:24:20 PM UTC+3:30, Behzad Rezaie wrote:

The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only

On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:

Yes, I have set the config. When running the command, I get the following error:

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

I did solve the problem by modifying the paths. Thanks so much, dear Jochen.

I set the Kibana configuration according to the tutorial. When running the kibana.bat, I get the following error:

[BABEL] Note: The code generator has deoptimised the styling of “[JibanaDirectory]/node_modules/x-pack/plugins/canvas/canvas_plugin/types/all.js” as it exceeds the max of “500KB”.

···

On Wednesday, February 20, 2019 at 6:31:38 PM UTC+3:30, Behzad Rezaie wrote:

I just got the point!
The problem is that my [ElasticSearch]/config folder is placed in “…\config”, while the sgadmin.bat searches for “…\config”. How can I set it to my config folder?

On Wednesday, February 20, 2019 at 6:24:20 PM UTC+3:30, Behzad Rezaie wrote:

The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only

On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:

Yes, I have set the config. When running the command, I get the following error:

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad

This is an error/warning from X-Pack, not Search Guard. I stumbled upon this, does not seem to affect any Kibana functionality. If it does please open an issue on the Kibana / X-Pack forum.

···

On Wednesday, February 20, 2019 at 5:11:57 PM UTC+1, Behzad Rezaie wrote:

I did solve the problem by modifying the paths. Thanks so much, dear Jochen.

I set the Kibana configuration according to the tutorial. When running the kibana.bat, I get the following error:

[BABEL] Note: The code generator has deoptimised the styling of “[JibanaDirectory]/node_modules/x-pack/plugins/canvas/canvas_plugin/types/all.js” as it exceeds the max of “500KB”.

On Wednesday, February 20, 2019 at 6:31:38 PM UTC+3:30, Behzad Rezaie wrote:

I just got the point!
The problem is that my [ElasticSearch]/config folder is placed in “…\config”, while the sgadmin.bat searches for “…\config”. How can I set it to my config folder?

On Wednesday, February 20, 2019 at 6:24:20 PM UTC+3:30, Behzad Rezaie wrote:

The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only

On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:

Yes, I have set the config. When running the command, I get the following error:

On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:

Did you enable the auto init feature in elasticsearch.yml as per installation instructions?

searchguard.allow_default_init_sgindex: true

``

Have you tried to initialize SG manually?

https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes

On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:

When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:

Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:

https://downloads.search-guard.com/resources/certificates/certificates.zip

On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:

Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.

Where can I download them from?

On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:

Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.

However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:

https://docs.search-guard.com/latest/installation-windows

On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:

By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:

Dear Jochen,

I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in windows, I get the following error

bash: sudo: command not found

I am going through the right way? Please let me know your idea.

Best,

Behzad

On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:

In order to run sgadmin you need ro configure and use an admin TLS certificate:

https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate

This must be different from your node certificates (the ones you already configured) for security reasons.

If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.

On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your help. I installed the SG on elastic. and configured it as mentioned in here. In addition, I added the following lines to code to the elasticsearch.yml:

searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.keystore_password: somepass

searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12

searchguard.ssl.transport.truststore_password: somepass

Also I added the following lines of code to the sg_config.yml:

authc:

openid_auth_domain:

http_enabled: true

transport_enabled: true

order: 0

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration

authentication_backend:

type: noop

Then, I ran the following command

./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass

A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:

Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin

Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?

Best,

Behzad

On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:

You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:

https://docs.search-guard.com/latest/demo-installer

On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Where the sg_config.yml is placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory. But cannot find any sg_config.yml file. Should I create it myself?

On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:

Authentication and authorization is configured in sg_config.yml, not elasticsearch.yml:

https://docs.search-guard.com/latest/authentication-authorization

After changing the configuration you need to apply the changed settings via sgadmin:

https://docs.search-guard.com/latest/sgadmin

If you have used the demo installer to install Search Guard:

https://docs.search-guard.com/latest/demo-installer

You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.

On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:

Dear Jochen,

Thanks for your reply. We setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!

My setting is as follows:

xpack.security.audit.enabled: true

xpack.security.enabled: false

searchguard:

dynamic:

authc:

basic_internal_auth_domain:

enabled: true

order: 0

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: internal

openid_auth_domain:

enabled: true

order: 1

http_authenticator:

type: openid

challenge: false

config:

subject_key: preferred_username

roles_key: roles

openid_connect_url: http://someserver.com/.well-known/openid-configuration

authentication_backend:

type: noop

On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:

You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:

https://docs.search-guard.com/latest/openid-json-web-keys

On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:

Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration for in kibana.yml:

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “http://someserver.com/.well-known/openid-configuration
searchguard.openid.client_id: “elastic-clinetid”
searchguard.openid.client_secret: “elk-secret”
searchguard.openid.scope: “profile openid”

With such configuration, I can login through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?

Best,
Behzad