Hi!

After installing the elasticsearch and kibana Search Guard plugin, and initializing Search Guard with sgctl the kibana GUI is not reachable. The kibana log file contains the following error:

kibana[3361368]: [2023-03-06T13:13:21.394+01:00][ERROR][plugins.security.authentication] License is not available or does not support security features, re-authentication is not possible (available: true, enabled: false).

*** Edited ***

Meanwhile in the elasticsearch log:
[WARN ][c.f.s.a.b.RequestAuthenticationProcessor] [hostname] Authentication failed for null from [request=/.kibana_8.5.3/_search, directIpAddress=127.0.0.1, originatingIpAddress=127.0.0.1, clientCertSubject=null]

Additional info:
curl -u kibanaserver:password https://host:9200/_searchguard/health
{“message”:null,“mode”:“strict”,“status”:“UP”}

curl -u kibanaserver:password https://host:9200/_searchguard/authinfo
{“user”:“User kibanaserver <basic/internal_users_db>”,“user_name”:“kibanaserver”,“user_requested_tenant”:null,“remote_address”:“ip address:port”,“backend_roles”:,“custom_attribute_names”:,“attribute_names”:,“sg_roles”:[“SGS_KIBANA_SERVER”,“SGS_ALL_ACCESS”,“SGS_OWN_INDEX”,“SG_KBNSRV”],“sg_tenants”:{},“principal”:null,“peer_certificates”:“0”,“cluster_name”:“cluster”}

*** Edited ***

The same configuration worked before with ELK 7.17.4 and SG 53. How can I solve this issue?

Elasticsearch version:
8.5.3

Server OS version:
Red Hat Enterprise Linux 8.6

Kibana version (if relevant):
8.5.3

Describe the issue:
Kibana GUI unreachable

Steps to reproduce:

1. After starting the kibana service the error occures immediately

Expected behavior:

Provide configuration:
kibana.yml:

server.port: 5601
server.host: “hostname”
server.publicBaseUrl: “load balancer hostname”
server.name: “hostname”
elasticsearch.hosts: [“https://localhost:9200”]
elasticsearch.username: “kibanaserver”
elasticsearch.password: “password”
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.cer
server.ssl.key: /etc/kibana/kibana.key
elasticsearch.ssl.certificateAuthorities: [ “/etc/kibana/ca-chain.pem” ]
elasticsearch.ssl.verificationMode: none
xpack.reporting.roles.enabled: false

@korodif Could you share your sg_frontend_authc.yml and sg_authc.yml files?

@pablo

Of course, here they are:

sg_authc.yml:

---
auth_domains:
- type: "basic/internal_users_db"
- type: "basic/ldap"
  ldap:
    idp:
      hosts:
      - "ldaps://AD:636"
      bind_dn: "binduser"
      password: "password"
      tls:
        verify_hostnames: false
        trusted_cas: "#{file:/etc/elasticsearch/ca-chain.pem}"
    user_search:
      base_dn: "OU=DomainUsers,...,DC=local"
      filter:
        raw: "(sAMAccountName=${user.name})"

sg_frontend_authc.yml:

---
default:
  auth_domains:
  - type: basic
    label: "Login"

@korodif Do you use a reverse proxy in front of the Kibana?

@pablo Yes, there is a haproxy configuration for the kibana instances.

@korodif Have you tried to bypass the reverse proxy and test the connection directly?

How did you set the redirect to Kibana in reverse proxy? Is it https://<reverse_proxy>?

You’ll need to add server.basePath option to your kibana.yml

image836×120 15.1 KB

@pablo If I try to connect directly the error is the same.

*** Edited ***

Without the Search Guard plugin the Kibana works fine with haproxy configuration and directly too.

@korodif Please share your elasticsearch.yml.

@pablo

elasticsearch.yml on kibana servers:

cluster.name: elk-cluster
node.name: ${HOSTNAME}
node.roles: [ remote_cluster_client ]
path.data: /opt/elasticsearch
path.logs: /opt/elasticsearch/log
network.host: ens192
http.host: local
http.port: 9200
discovery.seed_hosts: [“master1”,“master2”,“master3”]
xpack.security.enabled: false

#searchguard.ssl.transport.pemcert_filepath: cert.cer
#searchguard.ssl.transport.pemkey_filepath: cert.key
#searchguard.ssl.transport.pemtrustedcas_filepath: ca-chain.pem
#searchguard.ssl.transport.enforce_hostname_verification: false
#searchguard.ssl.http.enabled: true
#searchguard.ssl.http.pemcert_filepath: cert.cer
#searchguard.ssl.http.pemkey_filepath: cert.key
#searchguard.ssl.http.pemtrustedcas_ca-chain.pem
#searchguard.ssl.cert_reload_enabled: true

#searchguard.authcz.admin_dn:

- CN=sgadmin

#searchguard.restapi.roles_enabled: [“SGS_ALL_ACCESS”]

Data nodes have additional cluster.routing.allocation related parameters, but it is not relevant here.

@pablo

I think the issue is related to this from elastic log (kibana is not authenticating itself with kibanaserver user?):

Authentication failed for null from [request=/.kibana_8.5.3/_search, directIpAddress=127.0.0.1, originatingIpAddress=127.0.0.1, clientCertS
ubject=null]

I tried the following:

sg_authc.yml

auth_domains:

• type: basic/internal_users_db
  - type: anonymous
  user_mapping.user_name.static: kibanaserver
  user_mapping.roles.static: SGS_KIBANA_SERVER

Now the kibana GUI is working (with limitation related to the kibanaserver user).

I just found the issue. It was a permission issue on the Search Guard related plugin files. Now it works as expected.

@korodif Thank you for sharing the solution. Just a quick note about the anonymous user.
You should be assigning the least possible permissions to the anonymous user as it authenticates without any password.

@pablo I’m not planning to use the anonymous authentication method, it was just a test case.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.