Search guard flx and kibana proxy authentication

fbacchella · August 29, 2023, 1:10pm

I’m migrating from SG 53.0.0 on 7.17.10. I’m trying to run sgctl migrate-config, but I’m getting:

Errors in /tmp/kibana.yml
searchguard.auth.type:
	The Kibana authentication type PROXY is not supported

The current kibana.yml configuration is:

searchguard:
    cookie:
        secure: true
    auth:
        type: "proxy"
        debug: false
    proxycache:
      user_header: "CAS_sAMAccountName"
      roles_header: "CAS_memberOf"
      proxy_header_ip: "127.0.0.1"
    accountinfo:
        enabled: true

What am I doing wrong ? It’s the actual running setup, and SG FLX is said to keep support of proxy authentication.

Eugene7 · August 30, 2023, 12:09pm

What are your new versions of ElasticSearch and SearchGuard? Also, what version of sgctl.sh do you use?

fbacchella · August 30, 2023, 12:36pm

Elastic 7.17.12 and SG 1.2.0, same for sgctl.

Eugene7 · September 1, 2023, 2:29pm

Could you share kibana.yml file? Have you tried to manually add searchguard.auth.type: "proxy" to the kibana.yml ?

fbacchella · September 4, 2023, 8:14am

Yes the current configuration is:

searchguard:
    cookie:
        secure: true
    auth:
        type: "proxy"
        debug: false
    accountinfo:
        enabled: true

with SG 1.3, so it’s not an illegal settings. I think the problem is in the proxycache entries which are indeed deprecated. But the error message is missleading.

fbacchella · September 20, 2023, 10:32am

Any one at search guard that have any hint about that ?

Eugene7 · September 22, 2023, 10:23am

The issue was created for the development team. You can find it at the link below:

You can use basicauth authentication in kibana.yml instead for the migration process and then switch manually to proxy once migrated. The proxy authentication type is supported as per the SG FLX documentation below:

system · October 13, 2023, 10:23am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

nils · November 9, 2023, 6:04pm

What might be a bit confusing here is that the authentication type proxy is only not supported by the sgctl migrate command - as it is a rare thing. Search Guard FLX itself supports proxy authentication.

See the documentation here:

How the configuration should look like would also depend on the previous proxy configuration in sg_config.yml. However, it will likely look similar to this:

sg_authc.yml:

auth_domains:
- type: trusted_origin
  user_mapping.user_name.from: request.headers.CAS_sAMAccountName
  user_mapping.roles.from_comma_separated_string: request.headers.CAS_memberOf
  
network:
  trusted_proxies: 'x.x.x.x/x' # Edit to set the IP of the trusted proxy and of Kibana (which also acts like a trusted proxy)

kibana.yml:

searchguard.auth.type: "proxy"
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "CAS_sAMAccountName", "CAS_memberOf" ]

Topic		Replies	Views
SG behind a Proxy Search Guard	2	429	September 18, 2018
I cannot make proxy work Search Guard	1	410	January 20, 2017
Proxy authentication (Apache and Kibana) Search Guard	15	4187	June 18, 2019
Searchguard and kibana Search Guard	7	800	March 16, 2018
Problems using HTTP-header/Proxy based authentication Search Guard	3	834	May 3, 2018

Search guard flx and kibana proxy authentication

Related Topics