Search Guard FLX 1.1.0 Kibana error

Hi!

After installing the elasticsearch and kibana Search Guard plugin, and initializing Search Guard with sgctl the kibana GUI is not reachable. The kibana log file contains the following error:

kibana[3361368]: [2023-03-06T13:13:21.394+01:00][ERROR][plugins.security.authentication] License is not available or does not support security features, re-authentication is not possible (available: true, enabled: false).

Meanwhile in the elasticsearch log:
[WARN ][c.f.s.a.b.RequestAuthenticationProcessor] [hostname] Authentication failed for null from [request=/.kibana_8.5.3/_search, directIpAddress=127.0.0.1, originatingIpAddress=127.0.0.1, clientCertSubject=null]

Additional info:
curl -u kibanaserver:password https://host:9200/_searchguard/health
{"message":null,"mode":"strict","status":"UP"}

curl -u kibanaserver:password https://host:9200/_searchguard/authinfo
{"user":"User kibanaserver <basic/internal_users_db>","user_name":"kibanaserver","user_requested_tenant":null,"remote_address":"ip address:port","backend_roles":[],"custom_attribute_names":[],"attribute_names":[],"sg_roles":["SGS_KIBANA_SERVER","SGS_ALL_ACCESS","SGS_OWN_INDEX","SG_KBNSRV"],"sg_tenants":{},"principal":null,"peer_certificates":"0","cluster_name":"cluster"}

The same configuration worked before with ELK 7.17.4 and SG 53. How can I solve this issue?

Elasticsearch version:
8.5.3

Server OS version:
Red Hat Enterprise Linux 8.6

Kibana version (if relevant):
8.5.3

Describe the issue:
Kibana GUI unreachable

Steps to reproduce:

  1. After starting the kibana service the error occurs immediately

Expected behavior:

Provide configuration:
kibana.yml:

server.port: 5601
server.host: "hostname"
server.publicBaseUrl: "load balancer hostname"
server.name: "hostname"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibanaserver"
elasticsearch.password: "password"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.cer
server.ssl.key: /etc/kibana/kibana.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca-chain.pem" ]
elasticsearch.ssl.verificationMode: none
xpack.reporting.roles.enabled: false

@korodif Could you share your sg_frontend_authc.yml and sg_authc.yml files?

@pablo

Of course, here they are:

sg_authc.yml:

---
auth_domains:
- type: "basic/internal_users_db"
- type: "basic/ldap"
  ldap:
    idp:
      hosts:
      - "ldaps://AD:636"
      bind_dn: "binduser"
      password: "password"
      tls:
        verify_hostnames: false
        trusted_cas: "#{file:/etc/elasticsearch/ca-chain.pem}"
    user_search:
      base_dn: "OU=DomainUsers,...,DC=local"
      filter:
        raw: "(sAMAccountName=${user.name})"

sg_frontend_authc.yml:

---
default:
  auth_domains:
  - type: basic
    label: "Login"

@korodif Do you use a reverse proxy in front of the Kibana?

@pablo Yes, there is a haproxy configuration for the kibana instances.

@korodif Have you tried to bypass the reverse proxy and test the connection directly?

How did you set the redirect to Kibana in reverse proxy? Is it https://<reverse_proxy>?

You’ll need to add server.basePath option to your kibana.yml

@pablo If I try to connect directly the error is the same.

Without the Search Guard plugin the Kibana works fine with haproxy configuration and directly too.

@korodif Please share your elasticsearch.yml.

@pablo

elasticsearch.yml on kibana servers:

cluster.name: elk-cluster
node.name: ${HOSTNAME}
node.roles: [ remote_cluster_client ]
path.data: /opt/elasticsearch
path.logs: /opt/elasticsearch/log
network.host: ens192
http.host: local
http.port: 9200
discovery.seed_hosts: ["master1","master2","master3"]
xpack.security.enabled: false

#searchguard.ssl.transport.pemcert_filepath: cert.cer
#searchguard.ssl.transport.pemkey_filepath: cert.key
#searchguard.ssl.transport.pemtrustedcas_filepath: ca-chain.pem
#searchguard.ssl.transport.enforce_hostname_verification: false
#searchguard.ssl.http.enabled: true
#searchguard.ssl.http.pemcert_filepath: cert.cer
#searchguard.ssl.http.pemkey_filepath: cert.key
#searchguard.ssl.http.pemtrustedcas_filepath: ca-chain.pem
#searchguard.ssl.cert_reload_enabled: true

#searchguard.authcz.admin_dn:
#  - CN=sgadmin

#searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]

Data nodes have additional cluster.routing.allocation related parameters, but they are not relevant here.

@pablo

I think the issue is related to this from elastic log (kibana is not authenticating itself with kibanaserver user?):

Authentication failed for null from [request=/.kibana_8.5.3/_search, directIpAddress=127.0.0.1, originatingIpAddress=127.0.0.1, clientCertSubject=null]

I tried the following:

sg_authc.yml:

auth_domains:
- type: basic/internal_users_db
- type: anonymous
  user_mapping.user_name.static: kibanaserver
  user_mapping.roles.static: SGS_KIBANA_SERVER

Now the kibana GUI is working (with limitation related to the kibanaserver user).
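The reasoning in the post above ("Authentication failed for null" with clientCertSubject=null means the request carried no credentials at all) can be turned into a small log check. The following Python is an added example, not code from the thread or from Search Guard: it parses the RequestAuthenticationProcessor warning into fields and labels each failure. The sample log is constructed (the first line is the one quoted in the thread, the others are made up to show the other branches), and the diagnosis labels ("no-credentials", "client-cert-rejected", "credentials-rejected") are this example's own convention.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the first line is the warning quoted in the thread,
# the other two are made up here to exercise the remaining branches.
SAMPLE_LOG = """\
[WARN ][c.f.s.a.b.RequestAuthenticationProcessor] [hostname] Authentication failed for null from [request=/.kibana_8.5.3/_search, directIpAddress=127.0.0.1, originatingIpAddress=127.0.0.1, clientCertSubject=null]
[WARN ][c.f.s.a.b.RequestAuthenticationProcessor] [hostname] Authentication failed for kibanaserver from [request=/_searchguard/authinfo, directIpAddress=10.0.0.5, originatingIpAddress=10.0.0.5, clientCertSubject=null]
[INFO ][o.e.n.Node] [hostname] started
"""

# Matches the shape of the RequestAuthenticationProcessor warning shown above.
AUTH_FAIL_RE = re.compile(
    r"\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\]\s*\[(?P<node>[^\]]+)\]\s*"
    r"Authentication failed for (?P<user>\S+) from \[(?P<fields>[^\]]*)\]"
)


def _nullable(value: str) -> Optional[str]:
    """Search Guard prints Java nulls literally; map them to None."""
    return None if value == "null" else value


@dataclass
class AuthFailure:
    node: str
    user: Optional[str]
    request: str
    direct_ip: str
    originating_ip: str
    client_cert_subject: Optional[str]
    extra: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[AuthFailure]:
    """Parse one log line; returns None for lines that are not auth failures."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for kv in m.group("fields").split(", "):
        key, _, value = kv.partition("=")
        fields[key] = value
    return AuthFailure(
        node=m.group("node"),
        user=_nullable(m.group("user")),
        request=fields.pop("request", ""),
        direct_ip=fields.pop("directIpAddress", ""),
        originating_ip=fields.pop("originatingIpAddress", ""),
        client_cert_subject=_nullable(fields.pop("clientCertSubject", "null")),
        extra=fields,  # anything the log adds that this example does not know
    )


def parse_auth_failures(log_text: str) -> List[AuthFailure]:
    return [f for f in map(parse_line, log_text.splitlines()) if f is not None]


def diagnose(f: AuthFailure) -> str:
    """Labels are this example's own convention, not Search Guard's."""
    if f.user is None and f.client_cert_subject is None:
        # Neither a username nor a client certificate reached Elasticsearch:
        # the caller sent no credentials at all (the case in the thread).
        return "no-credentials"
    if f.user is None:
        return "client-cert-rejected"
    return "credentials-rejected"


def summarize(log_text: str) -> Dict[str, int]:
    """Count failures per diagnosis over a whole log excerpt."""
    return dict(Counter(diagnose(f) for f in parse_auth_failures(log_text)))


if __name__ == "__main__":
    for f in parse_auth_failures(SAMPLE_LOG):
        print(f"{diagnose(f):22} user={f.user!r:16} request={f.request} from={f.originating_ip}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real excerpt with `python3 sgauth.py < elasticsearch.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a steady stream of "no-credentials" failures from 127.0.0.1 against `.kibana_*` points at the Kibana server process itself rather than at end users, which is the distinction the post above draws.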

I just found the issue. It was a permission issue on the Search Guard related plugin files. Now it works as expected.
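Since the root cause turned out to be file permissions on the plugin files, here is an added example of how to check that before digging into authentication config. It is not from the thread and not a Search Guard tool: a Python audit that walks a plugin directory and reports every file the service account cannot read and every directory it cannot search, using mode bits only (so the answer is about the service user even when the audit runs as root; ACLs are not consulted). The demo directory it builds is constructed, and the plugin path and user name on the command line are placeholders for your own.

```python
import grp
import os
import pwd
import stat
import tempfile
from typing import List, Sequence, Tuple


def _permits(st: os.stat_result, uid: int, gids: Sequence[int],
             ubit: int, gbit: int, obit: int) -> bool:
    """Plain POSIX mode-bit check: owner class, else group class, else other.
    Deliberately ignores ACLs and root's override so the result describes
    the service account regardless of who runs the audit."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def audit_tree(root: str, uid: int, gids: Sequence[int]) -> List[str]:
    """One report line per path under root that uid cannot read (files)
    or search (directories)."""
    problems: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.stat(dirpath)
        if not _permits(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{dirpath}: directory not searchable by uid {uid}")
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if not _permits(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
                problems.append(f"{path}: not readable by uid {uid}")
    return problems


def service_identity(username: str) -> Tuple[int, List[int]]:
    """uid plus primary and supplementary gids of a local account."""
    pw = pwd.getpwnam(username)
    gids = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]
    return pw.pw_uid, gids


def _write(path: str, mode: int) -> None:
    with open(path, "w") as fh:
        fh.write("placeholder\n")
    os.chmod(path, mode)


def build_demo_tree() -> str:
    """Constructed stand-in for a plugin directory. Two entries are owner-only,
    which is the kind of mistake that breaks a plugin when the service user
    is not the owner (for example after copying files in as root)."""
    root = tempfile.mkdtemp(prefix="plugin-audit-demo-")
    os.chmod(root, 0o755)
    _write(os.path.join(root, "plugin-descriptor.properties"), 0o640)
    _write(os.path.join(root, "plugin.jar"), 0o600)
    lib = os.path.join(root, "lib")
    os.mkdir(lib)
    os.chmod(lib, 0o700)
    _write(os.path.join(lib, "dependency.jar"), 0o644)
    return root


def demo_report() -> Tuple[List[str], List[str]]:
    """Audit the constructed tree once as its owner and once as an unrelated uid."""
    root = build_demo_tree()
    owner = audit_tree(root, os.getuid(), list(os.getgroups()) + [os.getgid()])
    stranger = audit_tree(root, os.getuid() + 1, [])
    return owner, stranger


if __name__ == "__main__":
    import sys
    # Usage: python3 audit.py <plugin directory> <service user>
    # (placeholders; e.g. the Search Guard plugin directory and the user the
    # Elasticsearch or Kibana service runs as). Without arguments it prints
    # the report for the constructed tree seen by an unrelated uid.
    if len(sys.argv) == 3:
        uid, gids = service_identity(sys.argv[2])
        report = audit_tree(sys.argv[1], uid, gids)
    else:
        report = demo_report()[1]
    print("\n".join(report) or "all files readable")
```

The check is intentionally narrow: it answers "can this uid open every file the plugin ships?" and nothing else, which is the question a startup failure like the one in this thread raises. Run it as root so that stat() succeeds on everything, then fix ownership or group bits on whatever it lists.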

@korodif Thank you for sharing the solution. Just a quick note about the anonymous user.
You should be assigning the least possible permissions to the anonymous user as it authenticates without any password.

@pablo I’m not planning to use the anonymous authentication method, it was just a test case.