Search Guard authentication feature in community version

Hi All,

I was checking SG’s product page and its info here https://search-guard.com/product/

In the 3rd and 5th points it says that Role-based access control and HTTP Basic authentication are allowed in the community version.

So I removed the enterprise version using:-

searchguard.enterprise_modules_enabled: false
in the elasticsearch.yml file.

But when I try to start Kibana it shows the following huge error (check the Kibana logs at the end of this post).

1) Can I have a simple authentication page for Kibana under the Community version such that a user can log in before using anything?

MY USE CASE:-

My ES (community version as well) is a non-prod node I installed for use in a PoC. I have created a simple dashboard and want only my manager to log in and see my dashboard. So there is only 1 user, i.e. the manager with readall access, and me as admin (default SG user) to upload data and create the dashboard.

I do not need Kibana Multitenancy, or other high end features as of now.

2) Is it possible to do this in the Community version of SG, such that only me and my manager can access the link I share?

3) If not, is there an alternate option for this simple use case?

Kibana logs:-

C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64>bin\kibana.bat
 error  [06:40:04.058] [fatal] ValidationError: child "searchguard" fails because ["enterprise_modules_enabled" is not allowed]
    at Object.exports.process (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\node_modules\joi\lib\errors.js:181:19)
    at _validateWithOptions (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\node_modules\joi\lib\any.js:651:31)
    at root.validate (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\node_modules\joi\lib\index.js:121:23)
    at Config._commit (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\server\config\config.js:119:35)
    at Config.set (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\server\config\config.js:89:10)
    at Config.extendSchema (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\server\config\config.js:62:10)
    at C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\plugin_discovery\plugin_config\extend_config_service.js:22:12
    at next (native)
    at step (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\plugin_discovery\plugin_config\extend_config_service.js:45:191)
    at C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\plugin_discovery\plugin_config\extend_config_service.js:45:361
FATAL { ValidationError: child "searchguard" fails because ["enterprise_modules_enabled" is not allowed]
    at Object.exports.process (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\node_modules\joi\lib\errors.js:181:19)
    at _validateWithOptions (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\node_modules\joi\lib\any.js:651:31)
    at root.validate (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\node_modules\joi\lib\index.js:121:23)
    at Config._commit (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\server\config\config.js:119:35)
    at Config.set (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\server\config\config.js:89:10)
    at Config.extendSchema (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\server\config\config.js:62:10)
    at C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\plugin_discovery\plugin_config\extend_config_service.js:22:12
    at next (native)
    at step (C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\plugin_discovery\plugin_config\extend_config_service.js:45:191)
    at C:\Users\path\Desktop\ELK Sandbox\kibana-6.2.4-windows-x86_64\src\plugin_discovery\plugin_config\extend_config_service.js:45:361
  isJoi: true,
  name: 'ValidationError',
  details:
   [ { message: '"enterprise_modules_enabled" is not allowed',
       path: 'searchguard.enterprise_modules_enabled',
       type: 'object.allowUnknown',
       context: [Object] } ],
  _object:
   { pkg:
      { version: '6.2.4',
        branch: '6.x',
        buildNum: 16627,
        buildSha: 'ee501cfd9c1281cfbd6948e1c5f80dc9356ee56f' },
     dev: { basePathProxyTarget: 5603 },
     pid: { exclusive: false },
     cpu: undefined,
     cpuacct: undefined,
     server:
      { port: 5601,
        name: 'PC name',
        host: 'localhost',
        maxPayloadBytes: 1048576,
        autoListen: true,
        defaultRoute: '/app/kibana',
        basePath: '',
        customResponseHeaders: {},
        ssl: [Object],
        cors: false,
        xsrf: [Object] },
     logging:
      { silent: false,
        quiet: false,
        verbose: false,
        events: {},
        dest: 'stdout',
        filter: {},
        json: false,
        useUTC: true },
     ops: { interval: 5000 },
     plugins: { scanDirs: [Object], paths: [], initialize: true },
     path: { data: 'C:\\Users\\path\\Desktop\\ELK Sandbox\\kibana-6.2.4-windows-x86_64\\data' },
     optimize:
      { enabled: true,
        bundleFilter: '!tests',
        bundleDir: 'C:\\Users\\path\\Desktop\\ELK Sandbox\\kibana-6.2.4-windows-x86_64\\optimize\\bundles',
        viewCaching: true,
        watch: false,
        watchPort: 5602,
        watchHost: 'localhost',
        watchPrebuild: false,
        watchProxyTimeout: 300000,
        useBundleCache: true,
        profile: false },
     status: { allowAnonymous: false },
     map:
      { manifestServiceUrl: 'https://catalogue.maps.elastic.co/v2/manifest',
        includeElasticMapsService: true },
     tilemap: { options: [Object] },
     regionmap: { includeElasticMapsService: true },
     i18n: { defaultLocale: 'en' },
     elasticsearch:
      { url: 'https://localhost:9200',
        username: 'kibanaserver',
        password: 'kibanaserver',
        ssl: [Object],
        requestHeadersWhitelist: [Object],
        enabled: true,
        preserveHost: true,
        shardTimeout: 0,
        requestTimeout: 30000,
        customHeaders: {},
        pingTimeout: 30000,
        startupTimeout: 5000,
        logQueries: false,
        apiVersion: 'master',
        healthCheck: [Object],
        tribe: [Object] },
     input_control_vis: { enabled: true },
     kbn_doc_views: { enabled: true },
     kbn_vislib_vis_types: { enabled: true },
     markdown_vis: { enabled: true },
     metric_vis: { enabled: true },
     region_map: { enabled: true },
     spy_modes: { enabled: true },
     state_session_storage_redirect: { enabled: true },
     status_page: { enabled: true },
     table_vis: { enabled: true },
     tile_map: { enabled: true },
     timelion: { enabled: true },
     tagcloud: { enabled: true },
     kibana: { enabled: true, defaultAppId: 'home', index: '.kibana' },
     metrics: { enabled: true, chartResolution: 150, minimumBucketSize: 10 },
     console: { enabled: true, proxyFilter: [Object], ssl: {} },
     vega: { enabled: true, enableExternalUrls: false },
     searchguard: { enterprise_modules_enabled: false } },
  annotate: [Function] }

Hi,

Kibana session management is part of the Community Edition. So you can have a login screen in Kibana where the users need to authenticate first before they can access Kibana. The easiest way to implement this is to use HTTP Basic Authentication. If you use the Search Guard demo installer for the Elasticsearch plugin this is enabled by default.

For Kibana, enable HTTP Basic Authentication in kibana.yml like:

searchguard.auth.type: "basicauth"

Controlling access to individual Dashboards and Visualizations is provided by the Multi Tenancy feature which is not part of the Community Edition:

The error you see:

is triggered because you try to apply the configuration settings for the Elasticsearch plugin to the Kibana plugin. For Kibana, there is no searchguard.enterprise_modules_enabled setting.
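As an added example (not part of the original thread and not Search Guard's own tooling): a small Python check that pulls the setting paths Kibana's config validation rejected out of the fatal startup output, locates them in kibana.yml whether written in dotted or nested form, and checks for the `searchguard.auth.type` line from the reply above. The sample log and kibana.yml text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: tail of Kibana's fatal output, shaped like the log in the post.
SAMPLE_LOG = """\
FATAL { ValidationError: child "searchguard" fails because ["enterprise_modules_
enabled" is not allowed]
  details:
   [ { message: '"enterprise_modules_enabled" is not allowed',
       path: 'searchguard.enterprise_modules_enabled',
       type: 'object.allowUnknown',
       context: [Object] } ],
"""

# Constructed kibana.yml reproducing the mistake described in the thread.
SAMPLE_KIBANA_YML = """\
elasticsearch.url: "https://localhost:9200"
# copied over from elasticsearch.yml
searchguard.enterprise_modules_enabled: false
"""

# The "path:" entries are not broken by console wrapping, unlike the headline.
DETAIL_RE = re.compile(r"path:\s*'([^']+)',\s*type:\s*'object\.allowUnknown'")

def rejected_keys(log_text):
    """Setting paths that Kibana's validation reported as not allowed."""
    return sorted(set(DETAIL_RE.findall(log_text)))

def flat_keys(yml_text):
    """Map dotted setting paths (dotted or nested YAML) to line numbers."""
    keys, stack = {}, []          # stack holds (indent, key) of open parents
    for n, raw in enumerate(yml_text.splitlines(), 1):
        m = re.match(r"( *)([A-Za-z0-9_.]+)\s*:", raw)
        if not m:                 # comments, blanks, list items
            continue
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(2)))
        keys[".".join(k for _, k in stack)] = n
    return keys

def audit(log_text, kibana_yml):
    """List what to change in kibana.yml, based on the log and the reply."""
    present = flat_keys(kibana_yml)
    findings = [f"kibana.yml line {present[k]}: remove '{k}' (rejected by Kibana)"
                for k in rejected_keys(log_text) if k in present]
    if "searchguard.auth.type" not in present:
        findings.append('kibana.yml: add searchguard.auth.type: "basicauth"')
    return findings
```

Calling `audit(SAMPLE_LOG, SAMPLE_KIBANA_YML)` reports the misplaced key on line 3 and the missing `searchguard.auth.type` entry.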

Hi Jochen,

It worked well now. 🙂
Thanks for being super responsive as always. Appreciate it.
