Hi,
my configs (I played around with them a bit, so they differ slightly from before):
kibana.yml:
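# kibana.yml (Search Guard Kibana plugin); the forum's typographic quotes are
# normalised to plain ASCII so the file parses.
server.port: 5601
server.host: "scanlog"
elasticsearch.url: "https://scanlog.klinikum.de:9200"
kibana.index: ".kibana-6"
kibana.defaultAppId: "discover/2bd32c50-c2e1-11e8-8acc-e57942dc4ef5"
logging.dest: /var/log/elasticsearch/kibana.log
# X-Pack security is replaced by Search Guard here. The key appeared twice in the
# original; most YAML parsers silently keep only the last occurrence, so it is
# listed once.
xpack.security.enabled: false
elasticsearch.username: "kibanaserver"
elasticsearch.password: "XXX"
# A CA is configured below, yet verificationMode: none turns certificate
# checking off entirely, so the Kibana -> Elasticsearch TLS connection is not
# authenticated. With root-ca.pem in place, "full" (or "certificate" if the node
# certificate's name does not match the host) is the setting that actually uses it.
elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/etc/kibana/root-ca.pem"
searchguard.readonly_mode.roles: ["sg_readonly"]
searchguard.auth.type: "basicauth"
xpack.apm.enabled: false
xpack.graph.enabled: false
xpack.grokdebugger.enabled: false
xpack.ml.enabled: false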
elasticsearch.yml:
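# elasticsearch.yml (Search Guard); hosts, DNs and key passwords were masked by
# the author, typographic quotes normalised to ASCII.
cluster.name: LOGSTASH
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: ["xxxxx"]
# CORS is enabled for every origin. Restrict allow-origin to the Kibana origin
# (or leave CORS disabled) unless browser clients from other origins are needed.
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.zen.ping.unicast.hosts: ["xxxxx", "yyyyyy"]
discovery.zen.minimum_master_nodes: 2
xpack.security.enabled: false
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.watcher.enabled: false
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: XXXXXXX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# Hostname verification is off for inter-node TLS, so any certificate chained to
# root-ca.pem is accepted regardless of the name in it; the nodes_dn list below
# is then the only control over which certificates count as cluster nodes.
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: XXXXXXXXX
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
  - CN=XXXX
  - CN=XXXX
searchguard.authcz.admin_dn:
  - CN=XXXX
  - CN=XXXX
# The node1*.pem files above look like the author's own certificates; if so the
# publicly known demo certificates do not need to be allowed and this should be
# false, otherwise anyone holding the demo admin certificate is a cluster admin.
searchguard.allow_unsafe_democertificates: true
searchguard.enterprise_modules_enabled: false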
Searchguard:
sg_action_groups.yml
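# sg_action_groups.yml — Search Guard action groups. Typographic quotes are
# normalised to ASCII, the section comments get their "#" back, and the trailing
# "*" in MANAGE and MANAGE_SNAPSHOTS (swallowed by the forum's markdown) are
# restored to match the Search Guard sample file.
UNLIMITED:
  readonly: true
  permissions:
    - "*"

# INDEX LEVEL

INDICES_ALL:
  readonly: true
  permissions:
    - "indices:*"

# for backward compatibility
ALL:
  readonly: true
  permissions:
    - INDICES_ALL

MANAGE:
  readonly: true
  permissions:
    - "indices:monitor/*"
    - "indices:admin/*"

CREATE_INDEX:
  readonly: true
  permissions:
    - "indices:admin/create"
    - "indices:admin/mapping/put"

MANAGE_ALIASES:
  readonly: true
  permissions:
    - "indices:admin/aliases*"

# for backward compatibility
MONITOR:
  readonly: true
  permissions:
    - INDICES_MONITOR

INDICES_MONITOR:
  readonly: true
  permissions:
    - "indices:monitor/*"

DATA_ACCESS:
  readonly: true
  permissions:
    - "indices:data/*"
    - CRUD

WRITE:
  readonly: true
  permissions:
    - "indices:data/write*"
    - "indices:admin/mapping/put"

READ:
  readonly: true
  permissions:
    - "indices:data/read*"
    - "indices:admin/mappings/fields/get*"

DELETE:
  readonly: true
  permissions:
    - "indices:data/write/delete*"

CRUD:
  readonly: true
  permissions:
    - READ
    - WRITE

SEARCH:
  readonly: true
  permissions:
    - "indices:data/read/search*"
    - "indices:data/read/msearch*"
    - SUGGEST

SUGGEST:
  readonly: true
  permissions:
    - "indices:data/read/suggest*"

INDEX:
  readonly: true
  permissions:
    - "indices:data/write/index*"
    - "indices:data/write/update*"
    - "indices:admin/mapping/put"
    - "indices:data/write/bulk*"

GET:
  readonly: true
  permissions:
    - "indices:data/read/get*"
    - "indices:data/read/mget*"

# CLUSTER LEVEL

CLUSTER_ALL:
  readonly: true
  permissions:
    - "cluster:*"

CLUSTER_MONITOR:
  readonly: true
  permissions:
    - "cluster:monitor/*"

CLUSTER_COMPOSITE_OPS_RO:
  readonly: true
  permissions:
    - "indices:data/read/mget"
    - "indices:data/read/msearch"
    - "indices:data/read/mtv"
    - "indices:data/read/coordinate-msearch*"
    - "indices:admin/aliases/exists*"
    - "indices:admin/aliases/get*"
    - "indices:data/read/scroll"

CLUSTER_COMPOSITE_OPS:
  readonly: true
  permissions:
    - "indices:data/write/bulk"
    - "indices:admin/aliases*"
    - "indices:data/write/reindex"
    - CLUSTER_COMPOSITE_OPS_RO

MANAGE_SNAPSHOTS:
  readonly: true
  permissions:
    - "cluster:admin/snapshot/*"
    - "cluster:admin/repository/*"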
sg_internal_users.yml
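# sg_internal_users.yml
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
# (hash values masked by the author)
admin:
  readonly: true
  hash: XXX
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3

logstash:
  hash: xxx
  roles:
    - logstash

kibanaserver:
  readonly: true
  hash: xxx

# Backend roles only take effect once sg_roles_mapping.yml maps them to a
# Search Guard role. In the mapping file as posted, "gast" maps to sg_readonly,
# but "kibanauser" and "readall" are not mapped to anything, so this user ends
# up with sg_readonly only.
kibanaro:
  hash: xxx
  roles:
    - kibanauser
    - readall
    - gast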
sg_roles.yml:
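# sg_roles.yml — typographic quotes normalised to ASCII and indentation restored.
# The forum's markdown swallowed the "*" wildcards in the index patterns; they
# are restored where the Search Guard sample file has them and marked where the
# reconstruction is a guess.
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
    # Reconstructed: the post shows an empty quote pair here. If the pattern
    # really is '*', logstash gets CRUD and CREATE_INDEX on every index in the
    # cluster, which goes well beyond the logstash-* and *beat* entries above.
    '*':
      '*':
        - CRUD
        - CREATE_INDEX

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - cluster:admin/xpack/monitoring*
    - indices:admin/template*
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL

# X-Pack COMPATIBILITY
sg_xp_monitoring:
  readonly: true
  cluster:
    - cluster:monitor/xpack/info
    - cluster:monitor/main
    - cluster:admin/xpack/monitoring/bulk
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

# This role grants READ on logstash-* only. A user who logs in to Kibana with
# nothing but this role also needs read access to the Kibana index (.kibana-6
# in the posted kibana.yml), which is not granted here — this may be the
# permissions problem mentioned; compare the sg_kibana_user role in the Search
# Guard sample sg_roles.yml.
sg_readonly:
  readonly: true
  indices:
    'logstash-*':
      '*':
        - READ

sg_admin:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  # tenants:
  #   admin_tenant: RW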
sg_roles_mapping.yml:
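# sg_roles_mapping.yml
# In this file users, backendroles and hosts can be mapped to Search Guard roles.
# Permissions for Search Guard roles are configured in sg_roles.yml

# sg_all_access is not defined in the sg_roles.yml posted above, so this mapping
# has no effect unless that role exists; sg_admin below covers the same user.
sg_all_access:
  readonly: true
  backendroles:
    - admin
  users:
    - admin

sg_admin:
  readonly: true
  backendroles:
    - admin
  users:
    - admin

sg_logstash:
  backendroles:
    - logstash
  users:
    - logstash

sg_kibana_server:
  readonly: true
  users:
    - kibanaserver

sg_xp_monitoring:
  users:
    - logstash
    - admin

# Only "readonly" and "gast" are mapped here; the "kibanauser" and "readall"
# backend roles given to kibanaro in sg_internal_users.yml map to nothing.
sg_readonly:
  readonly: true
  backendroles:
    - readonly
    - gast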
sg_config.yml:
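# sg_config.yml — typographic quotes normalised to ASCII, indentation restored;
# the ".*" patterns in the commented-out proxy examples and the skip_users
# regex were partly swallowed by the forum's markdown and are restored.
searchguard:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    kibana:
      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
      # To make this work you need to install the floragunncom/search-guard-module-kibana-multitenancy module (see its GitHub wiki)
      multitenancy_enabled: false
      #server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      # Anonymous access stays off, so every request must pass one of the authc domains below.
      anonymous_auth_enabled: false
      xff:
        # X-Forwarded-For processing is off. If it is ever enabled, keep internalProxies
        # limited to the real reverse proxies: with a catch-all pattern such as '.*' the
        # client-supplied header value becomes the source address Search Guard logs and
        # uses for host-based mappings.
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see Pattern (Java Platform SE 7) for regex help
        ###### more information about XFF: X-Forwarded-For - Wikipedia
        ###### and here RFC 7239: Forwarded HTTP Extension
        ###### and Apache Tomcat 8 Configuration Reference (8.0.53) - The Valve Component
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou=people,o=TEST'
            #  - '/\S*/'
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...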
I made these changes because of a problem with the permissions (described in another post), but they had no effect on the problem.
Thanks for looking into it.