Restrict auth domain to certain subnet

Is it possible to restrict an auth domain to a given CIDR?
This could for instance be used to prevent the kibanaserver user from using the REST API from outside the organization.
Or is there another way to achieve this?

Actually, I’m pretty worried about having to enable basic auth: the kibanaserver user can remove all Kibana indices.

I see there’s the new blocking configuration options. That could help, if one could block users from certain net_masks or IPs, which it doesn’t seem to.

Yes, you can block by netmask: Main concepts | Security for Elasticsearch | Search Guard. Also, you can use a firewall on the ES servers, for example, iptables if it is Linux.

But you can’t block a user from a certain mask only.

The problem with the kibana user is that it’s granted access from everywhere, while it only needs access from the box running Kibana. I don’t want to have world-accessible basic auth just because of an Elasticsearch/Kibana limitation.

You can allow the connection only from a secure subnet, for example

a_secure_subnet:
  type: "net_mask"
  value: ["192.168.1.0/24"]
  verdict: "allow"

But that will be effective for all users, not just the kibana server user.

Just a quick update on this topic:

This feature is now available since Search Guard 47:

Thanks so much for this!

Hi, I just tried this feature, but got an error message while trying to apply the config:

ERR: Seems /opt/search-guard/sgconfig/sg_config.yml is not in SG 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "enabled_only_for_ips" (class com.floragunn.searchguard.sgconf.impl.v7.ConfigV7$AuthcDomain), not marked as ignorable (6 known properties: "http_enabled", "transport_enabled", "http_authenticator", "authentication_backend", "order", "description"])

Nodes are all running search-guard-7 7.9.1-47.3.0

Here is the corresponding config I was trying to apply:

basic_internal_auth_domain:
  order: 3
  enabled_only_for_ips:
    - 10.0.0.0/16
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: intern

When do you get the error? If you get it while using sgadmin, please verify that sgadmin is also from SG 47 or above.

You’re right, I didn’t upgrade the standalone SG :man_facepalming:
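
An added example, not part of the thread and not Search Guard code: a small audit that walks the auth domains of an `sg_config.yml` (represented here as an already-parsed dict) and flags HTTP basic auth domains that have no `enabled_only_for_ips` restriction or whose ranges are too broad. The sample domains other than `basic_internal_auth_domain`, the function name `audit_basic_domains` and the "at most a /16, private only" policy are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the shape of the config posted in the thread.
AUTHC = {
    "basic_internal_auth_domain": {
        "order": 3,
        "enabled_only_for_ips": ["10.0.0.0/16"],
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "intern"},
    },
    "legacy_basic_domain": {      # constructed: basic auth, no IP restriction
        "order": 4,
        "http_authenticator": {"type": "basic", "challenge": True},
        "authentication_backend": {"type": "intern"},
    },
    "wide_open_basic_domain": {   # constructed: restriction that restricts nothing
        "order": 5,
        "enabled_only_for_ips": ["10.0.0.0/16", "0.0.0.0/0"],
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "intern"},
    },
}

def audit_basic_domains(authc, max_addresses=65536):
    """Return {domain: [findings]} for HTTP basic auth domains only."""
    findings = {}
    for name, dom in authc.items():
        if dom.get("http_authenticator", {}).get("type") != "basic":
            continue
        # Assumption: a domain without http_enabled is treated as enabled.
        if dom.get("http_enabled", True) is False:
            continue
        cidrs = dom.get("enabled_only_for_ips")
        if not cidrs:
            findings[name] = ["no enabled_only_for_ips: reachable from any address"]
            continue
        issues = []
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                issues.append(f"{cidr} is not a valid IP or CIDR")
                continue
            if not net.is_private or net.num_addresses > max_addresses:
                issues.append(f"{cidr} is not a narrow private range")
        if issues:
            findings[name] = issues
    return findings
```

Running the audit before pushing the config with sgadmin catches a basic auth domain that is still open to every client address.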