Searchguard.basicauth.allowed_usernames not in documentation

mikew · January 7, 2020, 2:16pm

A while back I asked about Limiting who can log in to Kibana to defined list of users

In the release notes for the current version of the Kibana plugin https://docs.search-guard.com/6.x-25/changelog-kibana-6.x-19 it says:

Add option for allowed_usernames - whitelist users #PR 362

Which is great. Thank you for implementing it! I’ve tried using it and it worked as expected. However, it is not mentioned in the documentation at https://docs.search-guard.com/6.x-25/kibana-authentication-http-basic and that discourages me from actually using it. Maybe there’s some gotcha in using it that I’m not aware of. How does it work in combination with searchguard.basicauth.forbidden_usernames ? The obvious thing would seem to be that using one of those settings makes using the other one redundant. But what if both were used by accident and a user was in both lists?

Mike · January 7, 2020, 4:47pm

Hi @mikew,

Yes, I took a stab at this based on your feature request. Again, I need to do my homework on the documentation part, but this is now an official feature.

You are right, using allowed_usernames in conjunction with forbidden_usernames does not make much sense - as soon as you use the allowed_usernames option, ALL users need to be explicitly allowed.
The check for a forbidden username still runs and throws an error if the given username is forbidden though, but not listing that user in the allowed usernames list should have the same effect.

Hope this works for you - otherwise please let me know!

Best Regards
Mike

system · January 28, 2020, 4:46pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.