Search Guard session alive time

I have been trying to set up Search Guard for my Elasticsearch cluster. I have been testing Search Guard for deployment to a project.
I was wondering if we could set a user to have a timeout period, and after the period, the user is informed to log in again. How can this be done?

Also, how can we log out of the session from Search Guard at any time?

Hi,

What exactly do you mean by Search Guard session?

What is your setup?

Do you mean the session management in Kibana?

What authentication method(s) are you using?

In order to help, you need to provide some more details please.

On Tuesday, May 30, 2017 at 6:11:29 AM UTC+2, Sagar Duwal wrote:

I have been trying to set up Search Guard for my Elasticsearch cluster. I have been testing Search Guard for deployment to a project.
I was wondering if we could set a user to have a timeout period, and after the period, the user is informed to log in again. How can this be done?

Also, how can we log out of the session from Search Guard at any time?

I am not using Search Guard with Kibana. I am trying to specify custom permissions (read/write to specific indices only, and so on) for the registered users.
Currently I have Elasticsearch 2.4.4 in my production cluster, and a few of the plugins installed. I have a specific Marvel cluster set up separately for monitoring the production clusters.

In my previous question, I meant: when a user is logged in with their specific username and password in the browser, how long until the logged-in session expires? I went through searchguard.session.ttl and keepalive for Kibana, which do what I require, but since I am not using Kibana, this seems useless. I tried using it either way, but it seems useless.
I am testing authentication with a username and password added to sg_internal_users.yml.
I have other plans for authentication.
Also, my other question was whether I could log out from the current user I logged in with.

I couldn’t find better detailed documentation regarding this. Thanks

On Tuesday, May 30, 2017 at 1:29:02 PM UTC+5:45, Jochen Kressin wrote:

Hi,

What exactly do you mean by Search Guard session?

What is your setup?

Do you mean the session management in Kibana?

What authentication method(s) are you using?

In order to help, you need to provide some more details please.

Thanks, it’s clearer to me now what you’re trying to achieve.

The short answer is: The HTTP Basic Authentication that you’re using is controlled fully by the Browser you are using. There is no such thing as a Search Guard session in our plugin. So the only way to “log out” from Basic Auth is to close the Browser. “Logging Out” here means that the browser forgets about the HTTP Basic credentials you used to log in.

How long these credentials are cached is different from Browser to Browser, but in our experience, it’s cached indefinitely, until the Browser is closed. So in short, apart from closing the browser, there is no way to end the “session” from the outside.

And yes you’re right, searchguard.session.ttl only applies to the Kibana plugin and does not do anything in Search Guard itself.

On Tuesday, May 30, 2017 at 5:30:01 PM UTC+2, Sagar Duwal wrote:

I am not using Search Guard with Kibana. I am trying to specify custom permissions (read/write to specific indices only, and so on) for the registered users.
Currently I have Elasticsearch 2.4.4 in my production cluster, and a few of the plugins installed. I have a specific Marvel cluster set up separately for monitoring the production clusters.

In my previous question, I meant: when a user is logged in with their specific username and password in the browser, how long until the logged-in session expires? I went through searchguard.session.ttl and keepalive for Kibana, which do what I require, but since I am not using Kibana, this seems useless. I tried using it either way, but it seems useless.
I am testing authentication with a username and password added to sg_internal_users.yml.
I have other plans for authentication.
Also, my other question was whether I could log out from the current user I logged in with.

I couldn’t find better detailed documentation regarding this. Thanks

OK, thanks a lot. Also, I tested it in incognito mode. And sometimes, even after closing the incognito mode, reopening it and browsing the URL again doesn’t require a username and password now.
I don’t know if this is an issue with the plugin or not. But using incognito mode each time, I expect the old session would be gone.

On Tuesday, May 30, 2017 at 9:50:08 PM UTC+5:45, Jochen Kressin wrote:

Thanks, it’s clearer to me now what you’re trying to achieve.

The short answer is: The HTTP Basic Authentication that you’re using is controlled fully by the Browser you are using. There is no such thing as a Search Guard session in our plugin. So the only way to “log out” from Basic Auth is to close the Browser. “Logging Out” here means that the browser forgets about the HTTP Basic credentials you used to log in.

How long these credentials are cached is different from Browser to Browser, but in our experience, it’s cached indefinitely, until the Browser is closed. So in short, apart from closing the browser, there is no way to end the “session” from the outside.

And yes you’re right, searchguard.session.ttl only applies to the Kibana plugin and does not do anything in Search Guard itself.

Yes, the incognito mode usually does not use any Basic Auth sessions, cookies etc. from the regular browser window. If the HTTP Basic “session” is not cleared correctly, even when in incognito mode, it’s definitely a browser issue. Like I said, there is no such thing as a Search Guard session, which means Search Guard is completely stateless and expects authentication credentials in every call it receives.

On Tuesday, May 30, 2017 at 6:34:47 PM UTC+2, Sagar Duwal wrote:

OK, thanks a lot. Also, I tested it in incognito mode. And sometimes, even after closing the incognito mode, reopening it and browsing the URL again doesn’t require a username and password now.
I don’t know if this is an issue with the plugin or not. But using incognito mode each time, I expect the old session would be gone.

Yeah, I got that when I used curl against my Elasticsearch node in the same tty session. Thanks a lot.

On Tuesday, May 30, 2017 at 10:48:18 PM UTC+5:45, Jochen Kressin wrote:

Yes, the incognito mode usually does not use any Basic Auth sessions, cookies etc. from the regular browser window. If the HTTP Basic “session” is not cleared correctly, even when in incognito mode, it’s definitely a browser issue. Like I said, there is no such thing as a Search Guard session, which means Search Guard is completely stateless and expects authentication credentials in every call it receives.

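The stateless behaviour described in the replies above, as an added example that is not part of the original thread and is not Search Guard's code: every request is judged only on its own Authorization header, so the server holds no session that could expire or be logged out. The user store, realm name and function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed user store for illustration only; Search Guard keeps its users
# in sg_internal_users.yml, which this sketch does not model.
USERS = {"alice": "s3cret-example"}


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_request(headers):
    """Authenticate one request in isolation; nothing is remembered afterwards."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(
            expected.encode(), creds[1].encode()
        ):
            return 200, {}
    # This challenge is what makes a browser prompt once and then cache the
    # credentials, replaying them on later requests until it is closed.
    return 401, {"WWW-Authenticate": 'Basic realm="example"'}


def basic_header(user, password):
    """The header a browser or `curl -u` attaches to every single request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return {"Authorization": "Basic " + token}
```

A request without the header is rejected even directly after a successful one, which is why the "session" seen in a browser lives entirely in the browser's credential cache.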