Search guard flx and kibana proxy authentication

fbacchella · August 29, 2023, 1:10pm

I’m migrating from SG 53.0.0 on 7.17.10. I’m trying to run sgctl migrate-config, but I’m getting:

Errors in /tmp/kibana.yml
searchguard.auth.type:
	The Kibana authentication type PROXY is not supported

The current kibana.yml configuration is:

searchguard:
    cookie:
        secure: true
    auth:
        type: "proxy"
        debug: false
    proxycache:
      user_header: "CAS_sAMAccountName"
      roles_header: "CAS_memberOf"
      proxy_header_ip: "127.0.0.1"
    accountinfo:
        enabled: true

What am I doing wrong ? It’s the actual running setup, and SG FLX is said to keep support of proxy authentication.

Eugene7 · August 30, 2023, 12:09pm

What are your new versions of ElasticSearch and SearchGuard? Also, what version of sgctl.sh do you use?

fbacchella · August 30, 2023, 12:36pm

Elastic 7.17.12 and SG 1.2.0, same for sgctl.

Eugene7 · September 1, 2023, 2:29pm

Could you share kibana.yml file? Have you tried to manually add searchguard.auth.type: "proxy" to the kibana.yml ?

fbacchella · September 4, 2023, 8:14am

Yes the current configuration is:

searchguard:
    cookie:
        secure: true
    auth:
        type: "proxy"
        debug: false
    accountinfo:
        enabled: true

with SG 1.3, so it’s not an illegal settings. I think the problem is in the proxycache entries which are indeed deprecated. But the error message is missleading.

fbacchella · September 20, 2023, 10:32am

Any one at search guard that have any hint about that ?

Eugene7 · September 22, 2023, 10:23am

The issue was created for the development team. You can find it at the link below:

You can use basicauth authentication in kibana.yml instead for the migration process and then switch manually to proxy once migrated. The proxy authentication type is supported as per the SG FLX documentation below: