When asking questions, please provide the following information:

• Search Guard and Elasticsearch version

• Installed and used enterprise modules, if any

• JVM version and operating system version

• Search Guard configuration files

• Elasticsearch log messages on debug level

• Other installed Elasticsearch or Kibana plugins, if any

I am using SearchGuard Enterprise License 6.1.1 version , Will this license include “Search Guard Kibana plugin”

or need additional cost?

The Kibana Plugin is licensed under Apache2, so you are free to use and modify it without any cost.

Thank You , I have kibana is already installed in my environment.(Please find the screenshot)but there is no searchguard configuration GUI.

Now I am trying to install the download plugin to get the SG UI with below.

• Stop Kibana
• cd into your Kibana installation directory.
• Execute:bin/kibana-plugin install search-guard-kibana-plugin-6.1.1-12.zip

My current configuration is below

–elasticsearch.yml-----

#: SG - Https for client nodes only
searchguard.ssl.http.enabled: false

searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

—sg_config.yml----

  searchguard:
dynamic:
kibana:
 multitenancy_enabled: true
      server_username: "bdm156"
index: ".kibana"
      do_not_fail_on_forbidden: false
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: "192\\.168\\.0\\.10|192\\.168\        \.0\\.11"
remoteIpHeader: "X-Forwarded-For"
proxiesHeader: "X-Forwarded-By"

  authc:

ldap:
enabled: true
order: 1
http_authenticator:
type: “basic”
challenge: tru e
authentication_backend:
type: “ldap”

clientcert_auth_domain:
        enabled: true
        order: 0
 http_authenticator:
type: "clientcert"
          challenge: false
config:
username_attribute: "cn"
authentication_backend:
type: "noop"

  authz:

roles_from_myldap:
enabled: true
authorization_backend:
type: “ldap”
config:
enable_ssl: false
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: false

----kibana.yml—

searchguard.basicauth.enabled: true
#: https must be enabled for below
searchguard.cookie.secure: true

Multitenancy

1811×834 45.6 KB

- 1)will it automatically update the kibana (for searchguard gui)as soon as i install with out cluster restart?
- 2)Do i need to add any other configurations before installing the plugin?

3)which access i need to install? anything to do with below.

If you have [restricted certain endpoints](https://docs.search-guard.com/latest/rest-api-access-control) for the currently logged in user, the plugin will automatically disable these features.

For everything to work, the logged in user should have:

- Access to the `ACTIONGROUPS` endpoint with `GET` method
- Otherwise, autocompletion of action groups will not work
- the permission `indices:admin/validate/query` on all indices
- Otherwise, the syntax check for DLS queries will not work

- 

On Thursday, August 9, 2018 at 3:38:28 PM UTC-5, Jochen Kressin wrote:
> The Kibana Plugin is licensed under Apache2, so you are free to use and modify it without any cost.
> 
> On Thursday, August 9, 2018 at 7:20:33 PM UTC+2, rud wrote:
> > When asking questions, please provide the following information:
> > 

> > * Search Guard and Elasticsearch version

> > * Installed and used enterprise modules, if any

> > * JVM version and operating system version

> > * Search Guard configuration files

> > * Elasticsearch log messages on debug level

> > * Other installed Elasticsearch or Kibana plugins, if any

> > 

> > I am using SearchGuard Enterprise License 6.1.1 version , Will this license include  "Search Guard Kibana plugin"

> > 

> > or need additional cost?

</details>

you need to configure the roles that should have access to the GUI in elasticsearch:

searchguard.restapi.roles_enabled: [“sg_all_access”, …]

``

(Configuration GUI | Security for Elasticsearch | Search Guard)

Also, in sg_config.yml you configured:

server_username: "bdm156"

What is this user? Have you configured it in kibana.yml?

<details class='elided'>
<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>

On Thursday, August 9, 2018 at 11:47:20 PM UTC+2, rud wrote:
> Thank You , I have kibana  is already installed in my environment.(Please find the screenshot)but there is no searchguard configuration GUI.
> 

> Now I am trying to install the download plugin to get the SG UI with below.

> 

> ```
> 
> ```
> - Stop Kibana
> - cd into your Kibana installation directory.
> - Execute:bin/kibana-plugin install search-guard-kibana-plugin-6.1.1-12.zip
> 

> My current configuration is below

> 

> --elasticsearch.yml-----

> 

> ```
> #: SG - Https for client nodes only
> searchguard.ssl.http.enabled: false
> ```
> ```
> 
> 
> ```
> ```
> ```
> searchguard.ssl.transport.enforce_hostname_verification: false
> searchguard.ssl.transport.resolve_hostname: false
> ```
> ```
> ---sg_config.yml----
> 
> ```
> ```
> 
> 
> ```
> ```
> ```
>   searchguard:
> dynamic:
> kibana:
>  multitenancy_enabled: true
>       server_username: "bdm156"
> index: ".kibana"
>       do_not_fail_on_forbidden: false
> http:
> anonymous_auth_enabled: false
> xff:
> enabled: false
> internalProxies: "192\\.168\\.0\\.10|192\\.168\        \.0\\.11"
> remoteIpHeader: "X-Forwarded-For"
> proxiesHeader: "X-Forwarded-By"
> ```
> ```
> ```
>       authc:
> ldap:
> enabled: true
> order: 1
>        http_authenticator:
> type: "basic"
> challenge: tru        e
> authentication_backend:
> type: "ldap"
> ```
> ```
> ```
> clientcert_auth_domain:
>         enabled: true
>         order: 0
>  http_authenticator:
> type: "clientcert"
>           challenge: false
> config:
> username_attribute: "cn"
> authentication_backend:
> type: "noop"
> ```
> ```
> ```
>       authz:
> roles_from_myldap:
> enabled: true
> authorization_backend:
> type: "ldap"
> config:
> enable_ssl: false
> enable_start_tls: false
> enable_ssl_client_auth: false
> verify_hostnames: false
> ```
> ```
> 
> 
> ```
> ```
> ----kibana.yml---
> ```
> ```
> 
> 
> ```
> ```
> searchguard.basicauth.enabled: true
> #: https must be enabled for below
> searchguard.cookie.secure: true
> 
> ```
> ```
> # Multitenancy
> #
> searchguard.multitenancy.enabled: true
> searchguard.multitenancy.tenants.enable_global: true
> searchguard.multitenancy.tenants.enable_private: true
> 
> ```
> 

> ```
> 
> 
> ```
> ```
> elasticsearch.requestHeadersWhitelist: [ "sg_tenant", "X-Authenticated-User", "Authorization", "X-Forwarded-For", "X-Forwarded-Server", "X-Forwarded-By
> , "X-Proxy-User", "X-Proxy-Roles", "X-Client-Cert" ]
> ```
> ```
> 
> ```
> - 1)will it automatically update the kibana (for searchguard gui)as soon as i install with out cluster restart?
> - 2)Do i need to add any other configurations before installing the plugin?
> 

> 3)which access i need to install? anything to do with below.

> If you have [restricted certain endpoints](https://docs.search-guard.com/latest/rest-api-access-control) for the currently logged in user, the plugin will automatically disable these features.

> For everything to work, the logged in user should have:

> - Access to the `ACTIONGROUPS` endpoint with `GET` method
> - Otherwise, autocompletion of action groups will not work
> - the permission `indices:admin/validate/query` on all indices
> - Otherwise, the syntax check for DLS queries will not work

> - 

> On Thursday, August 9, 2018 at 3:38:28 PM UTC-5, Jochen Kressin wrote:
> > The Kibana Plugin is licensed under Apache2, so you are free to use and modify it without any cost.
> > 
> > On Thursday, August 9, 2018 at 7:20:33 PM UTC+2, rud wrote:
> > > When asking questions, please provide the following information:
> > > 

> > > * Search Guard and Elasticsearch version

> > > * Installed and used enterprise modules, if any

> > > * JVM version and operating system version

> > > * Search Guard configuration files

> > > * Elasticsearch log messages on debug level

> > > * Other installed Elasticsearch or Kibana plugins, if any

> > > 

> > > I am using SearchGuard Enterprise License 6.1.1 version , Will this license include  "Search Guard Kibana plugin"

> > > 

> > > or need additional cost?

</details>

bdm156 is Kibana Server User (for authenticating to ES) in sg_cpnfig.yml but It’s not in kibana.yml.