Dear Jochen,
Thanks for your kind help.
Aside from the problem that occurred in Kibana, when I run the Elastic, I receive the following error:
Authentication finally failed
When looking at the log file, I get the following:
[WARN ][c.f.s.a.BackendRegistry ] [BREZAEI-PC] Authentication finally failed for null from [::1]:4048
[c.f.s.h.SearchGuardHttpServerTransport] [BREZAEI-PC] Someone (/127.0.0.1:4050) speaks http plaintext instead of ssl, will close the channel
On Thursday, February 21, 2019 at 1:35:03 PM UTC+3:30, Jochen Kressin wrote:
This is an error/warning from X-Pack, not Search Guard. I stumbled upon this; it does not seem to affect any Kibana functionality. If it does, please open an issue on the Kibana / X-Pack forum.
On Wednesday, February 20, 2019 at 5:11:57 PM UTC+1, Behzad Rezaie wrote:
I did solve the problem by modifying the paths. Thanks so much, dear Jochen.
I set the Kibana configuration according to the tutorial. When running the kibana.bat, I get the following error:
[BABEL] Note: The code generator has deoptimised the styling of “[JibanaDirectory]/node_modules/x-pack/plugins/canvas/canvas_plugin/types/all.js” as it exceeds the max of “500KB”.
On Wednesday, February 20, 2019 at 6:31:38 PM UTC+3:30, Behzad Rezaie wrote:
I just got the point!
The problem is that my [ElasticSearch]/config folder is placed in “…......\config”, while the sgadmin.bat searches for “…....\config”. How can I set it to my config folder?
On Wednesday, February 20, 2019 at 6:24:20 PM UTC+3:30, Behzad Rezaie wrote:
The PowerShell is run as administrator and the folder of [Elastic]/config is NOT read-only
On Wednesday, February 20, 2019 at 6:22:55 PM UTC+3:30, Behzad Rezaie wrote:
Yes, I have set the config. When running the command, I get the following error:
On Wednesday, February 20, 2019 at 6:19:22 PM UTC+3:30, Jochen Kressin wrote:
Did you enable the auto init feature in elasticsearch.yml as per installation instructions?
searchguard.allow_default_init_sgindex: true
Have you tried to initialize SG manually?
https://docs.search-guard.com/latest/installation-windows#applying-configuration-changes
On Wednesday, February 20, 2019 at 3:46:24 PM UTC+1, Behzad Rezaie wrote:
When browsing the https://localhost:9200/_searchguard/authinfo, I accepted the certificate, and then I received again the following message after restarting the node:
Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin
On Wednesday, February 20, 2019 at 6:09:52 PM UTC+3:30, Jochen Kressin wrote:
Oh, sorry, there seems to be a broken link in the docs. Here’s the working one, we’ll update the docs soon:
https://downloads.search-guard.com/resources/certificates/certificates.zip
On Wednesday, February 20, 2019 at 3:37:07 PM UTC+1, Behzad Rezaie wrote:
Thanks so much. Regarding the tutorial, I must download and install the certificates. When clicking the link, there is NO certificate file.
Where can I download them from?
On Wednesday, February 20, 2019 at 5:57:31 PM UTC+3:30, Jochen Kressin wrote:
Ok, I did not know you are on Windows. All the installer scripts that we provide are for Linux and Mac, and will not work on Windows. A bash script (.sh) will not work on Windows.
However, there is a step-by-step instruction for Windows which shows you exactly what you need to configure and install:
https://docs.search-guard.com/latest/installation-windows
On Wednesday, February 20, 2019 at 6:39:43 AM UTC+1, Behzad Rezaie wrote:
By the way, when I run the following command, it works correctly with no errors, but the elastic says that the SG is not initialized yet!
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass
On Wednesday, February 20, 2019 at 8:57:20 AM UTC+3:30, Behzad Rezaie wrote:
Dear Jochen,
I have set the configuration as mentioned in my previous comment. As far as I searched, I must run the install_demo_configuration.sh. I am running the command on Windows. Since there is no “sudo” command in Windows, I get the following error:
bash: sudo: command not found
Am I going the right way? Please let me know your idea.
Best,
Behzad
On Tuesday, February 19, 2019 at 9:15:58 PM UTC+3:30, Jochen Kressin wrote:
In order to run sgadmin you need to configure and use an admin TLS certificate:
https://docs.search-guard.com/latest/sgadmin#configuring-the-admin-certificate
This must be different from your node certificates (the ones you already configured) for security reasons.
If you say a console window appeared, may I ask which system you are on? Is it Linux, Mac or Windows? Depending on your operating system I can hint you in the right directions.
On Tuesday, February 19, 2019 at 12:05:17 PM UTC+1, Behzad Rezaie wrote:
Dear Jochen,
Thanks for your help. I installed the SG on elastic and configured it as mentioned in here. In addition, I added the following lines of code to the elasticsearch.yml:
searchguard.ssl.transport.keystore_filepath: certs/elastic-certificates.p12
searchguard.ssl.transport.keystore_password: somepass
searchguard.ssl.transport.truststore_filepath: certs/elastic-certificates.p12
searchguard.ssl.transport.truststore_password: somepass
Also I added the following lines of code to the sg_config.yml:
authc:
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration
    authentication_backend:
      type: noop
Then, I ran the following command
./sgadmin.sh -cd …/sgconfig -icl -nhnv -ts …/…/…/…/config/certs/elastic-certificates.p12 -tspass somepass -ks …/…/…/…/config/certs/elastic-certificates.p12 -kspass somepass
A console window appeared and vanished quickly. Then I browsed through the elastic server (http://localhost:9200/), but received the following message:
Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin
Could you please let me know if I have made any mistakes on my way to configure the elastic and SG?
Best,
Behzad
On Monday, February 18, 2019 at 8:24:02 PM UTC+3:30, Jochen Kressin wrote:
You need to install the Search Guard plugin for Elasticsearch as well. The Kibana plugin alone does very little regarding authentication and authorization. The Search Guard plugin for Elasticsearch is where the access control is implemented:
https://docs.search-guard.com/latest/demo-installer
On Monday, February 18, 2019 at 12:10:04 PM UTC+1, Behzad Rezaie wrote:
Dear Jochen,
Where is the sg_config.yml placed? I can see the folder named “searchguard” in the plugins folder, under the Kibana directory, but I cannot find any sg_config.yml file. Should I create it myself?
On Monday, February 18, 2019 at 2:26:48 PM UTC+3:30, Jochen Kressin wrote:
Authentication and authorization are configured in sg_config.yml, not elasticsearch.yml:
https://docs.search-guard.com/latest/authentication-authorization
After changing the configuration you need to apply the changed settings via sgadmin:
If you have used the demo installer to install Search Guard:
You will find an sgadmin_demo.sh script in the plugins/search-guard-6/tools folder which you can use as-is.
On Monday, February 18, 2019 at 11:47:39 AM UTC+1, Behzad Rezaie wrote:
Dear Jochen,
Thanks for your reply. When setting the config in the elasticsearch.yml, I receive an error saying that “unknown setting [searchguard.dynamic.authc.basic_internal_auth_domain.authentication_backend.type] please check that any required plugins are installed, or check the breaking changes documentation for removed settings”!
My setting is as follows:
xpack.security.audit.enabled: true
xpack.security.enabled: false
searchguard:
  dynamic:
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: http://someserver.com/.well-known/openid-configuration
        authentication_backend:
          type: noop
On Monday, February 18, 2019 at 1:14:52 PM UTC+3:30, Jochen Kressin wrote:
You also need to configure OpenID on Elasticsearch, not just on Kibana. Kibana is responsible for the OpenID request flow, but the identity token that your IdP issues is ultimately validated on the Elasticsearch side. Please have a look at the docs and make sure OpenID is configured correctly on ES:
https://docs.search-guard.com/latest/openid-json-web-keys
On Monday, February 18, 2019 at 9:59:31 AM UTC+1, Behzad Rezaie wrote:
Hi pals,
I am going to add IdentityServer4 to make the authentication for the Kibana (version 6.5.4) server (http://localhost:5601). I have set the following configuration in kibana.yml:
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://someserver.com/.well-known/openid-configuration"
searchguard.openid.client_id: "elastic-clinetid"
searchguard.openid.client_secret: "elk-secret"
searchguard.openid.scope: "profile openid"
With such configuration, I can log in through the identityserver, but the problem is that I receive the error “Authentication failed. Please provide a new token.” in Kibana. How can I solve this? It seems the users and roles are not yet inserted into elastic. Could you please help me with the problem?
Best,
Behzad
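
An added example (not part of the original thread, and not Search Guard's own tooling): a small Python lint for the two misplacements Jochen's replies point out, namely authc settings put into elasticsearch.yml instead of sg_config.yml, and OpenID set up in kibana.yml without a matching domain on the Elasticsearch side. The finding names, the minimal YAML flattener, the rule that both connect URLs should be identical, and the plain-HTTP check are assumptions of this example; the sample files are constructed from the settings quoted in the thread.

```python
# Constructed sample files, abridged from the settings quoted in the thread.
ES_YML = """searchguard:
  dynamic:
    authc:
      openid_auth_domain:
        enabled: true
"""
SG_CONFIG_YML = """authc:
  openid_auth_domain:
    http_authenticator:
      type: openid
      config:
        openid_connect_url: http://devpub-srv:1080/.well-known/openid-configuration
"""
KIBANA_YML = """searchguard.auth.type: "openid"
searchguard.openid.connect_url: "http://someserver.com/.well-known/openid-configuration"
"""

def flatten(text):  # mapping-only YAML (no lists or anchors) -> {dotted.key: value}
    out, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended before this line
        val = val.strip().strip("\"'")
        if val:
            out[".".join([k for _, k in stack] + [key])] = val
        else:
            stack.append((indent, key))
    return out

def lint(es_yml, sg_config_yml, kibana_yml):  # returns a list of finding ids
    es, sg, kb = flatten(es_yml), flatten(sg_config_yml), flatten(kibana_yml)
    findings = []
    if any(k.startswith("searchguard.dynamic.") for k in es):
        findings.append("authc-in-elasticsearch-yml")  # belongs in sg_config.yml
    if kb.get("searchguard.auth.type") == "openid":
        urls = {v for k, v in sg.items() if k.endswith("config.openid_connect_url")}
        if not urls:
            findings.append("no-openid-domain-in-sg-config")
        elif kb.get("searchguard.openid.connect_url") not in urls:
            findings.append("connect-url-mismatch")  # assumed rule: same IdP URL
        if any(u.startswith("http://") for u in urls):
            findings.append("plaintext-idp-url")  # discovery fetched without TLS
    return findings

print(lint(ES_YML, SG_CONFIG_YML, KIBANA_YML))
```
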