Proxy Authentication using OAuth

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

SG - 6.4.2
ES - 6.4.2

  • JVM version and operating system version

java version "1.8.0_162"
Java(TM) SE Runtime Environment (build 1.8.0_162-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)

  • Search Guard configuration files

ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=root.ca.es-k8s-001.XXXX.pro,OU=IL,O=XXXX,DC=pro
    pkPassword: none
    file: root-ca.pem
  intermediate:
    dn: CN=root.ca.es-k8s-001.XXXX.pro,OU=IL,O=XXXX,DC=pro
    pkPassword: none
    file: intermediate-ca.pem

defaults:
  validityDays: 3650
  pkPassword: none
  httpsEnabled: false
  verifyHostnames: true
  resolveHostnames: true

nodes:
  - name: es-k8s-001
    dn: CN=es-k8s-001.XXXX.pro,OU=IL,O=XXXX,DC=pro
    dns: es-k8s-001.XXXX.pro

clients:
  - name: spock
    dn: CN=spock.XXXX.pro,OU=IL,O=XXXX,DC=pro
  - name: kirk
    dn: CN=kirk.XXXXl.pro,OU=IL,O=XXXX,DC=pro
    admin: true

And sg_config.yml

searchguard:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #kibana:
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
      # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '10.186.195.254' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'

  • Other installed Elasticsearch or Kibana plugins, if any

search-guard-kibana-plugin-6.4.2-16

Hi there,

I have installed both search-guard and the Kibana plugin, which are working fine. Also, besides search-guard's own authentication (the search-guard login page to enter Kibana), I have Lasso for Google OAuth.

Everything is working fine, BUT: I have to authenticate myself with my Google account, and after the Google authentication I get the search-guard authentication page.

How can I pass to search-guard the username and password that were used for the Google authentication?

Thanks,

Aleksei
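The sg_config.yml above enables proxy_auth_domain (user_header x-proxy-user, roles_header x-proxy-roles) and limits XFF trust to internalProxies '10.186.195.254', which is exactly the setup the proxy-authentication docs describe: Search Guard honours the proxy headers only when the request arrives from a trusted internal proxy. The Python below is an added illustration, not Search Guard's code and not from this thread; it models the Tomcat RemoteIpValve-style resolution in simplified form, and the sample addresses and request headers are constructed.

```python
import re
from typing import Dict, Optional

# Values from the poster's sg_config.yml (xff and proxy_auth_domain blocks). internalProxies
# is a regex, so the unescaped dots match any character; escape them as '10\.186\.195\.254'.
INTERNAL_PROXIES = "10.186.195.254"
REMOTE_IP_HEADER = "x-forwarded-for"
USER_HEADER = "x-proxy-user"
ROLES_HEADER = "x-proxy-roles"


def resolve_xff(remote_addr: str, headers: Dict[str, str], internal_proxies: str = INTERNAL_PROXIES):
    """Simplified RemoteIpValve-style resolution: returns (client_ip, xff_done).
    xff_done is True only when the TCP peer matches internalProxies and sends the
    remoteIpHeader; client_ip is then the rightmost XFF hop that is not an internal proxy."""
    pattern = re.compile(internal_proxies)
    if not pattern.fullmatch(remote_addr):
        return remote_addr, False
    hops = [h.strip() for h in headers.get(REMOTE_IP_HEADER, "").split(",") if h.strip()]
    if not hops:
        return remote_addr, False
    client_ip = remote_addr
    while hops:
        client_ip = hops.pop()             # walk the chain right to left
        if not pattern.fullmatch(client_ip):
            break                          # first non-internal hop is the client
    return client_ip, True


def proxy_auth(remote_addr: str, headers: Dict[str, str], internal_proxies: str = INTERNAL_PROXIES) -> Optional[dict]:
    """Returns the authenticated user, or None to fall through to the next authc domain."""
    client_ip, xff_done = resolve_xff(remote_addr, headers, internal_proxies)
    user = headers.get(USER_HEADER)
    if not xff_done or not user:           # proxy headers are ignored unless XFF resolution ran
        return None
    roles = [r.strip() for r in headers.get(ROLES_HEADER, "").split(",") if r.strip()]
    return {"user": user, "roles": roles, "client_ip": client_ip}


# Constructed sample requests (not from the thread); 203.0.113.0/24 is a documentation range.
VIA_LASSO = {"x-forwarded-for": "203.0.113.5", "x-proxy-user": "alice", "x-proxy-roles": "kibanauser, readall"}
DIRECT = {"x-forwarded-for": "203.0.113.5", "x-proxy-user": "admin"}

if __name__ == "__main__":
    print(proxy_auth("10.186.195.254", VIA_LASSO))   # alice via the proxy, client 203.0.113.5
    print(proxy_auth("203.0.113.9", DIRECT))         # None: peer is not the Lasso proxy
    print(proxy_auth("203.0.113.9", DIRECT, ".*"))   # admin: why '.*' must stay commented out
```

The third call is the reason the commented-out `internalProxies: '.*'` line must stay commented out once proxy_auth_domain is enabled: with it, the header set by Lasso is indistinguishable from one set by any client that reaches Elasticsearch directly, so the proxy must be the only path to the cluster and the pattern must name only that proxy.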

Please check https://docs.search-guard.com/latest/kibana-authentication-proxy and https://docs.search-guard.com/latest/proxy-authentication

In reply to the message from aleksei.saiko@pipl.com of 09.01.2019, 15:51.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7fd5929c-8d3c-4f3f-b270-2de4edf94a05%40googlegroups.com.