SearchGuard + SSO + Kibana (5)

Hi team

I am playing with SG and I’ve noticed some issues related with SSO/XFF. Could someone help me to dispel my doubts?

Below you can find my current configuration:

sg_action_groups.yml: |-

ALL:

  - "indices:*"

MANAGE:

  - "indices:monitor/*"

  - "indices:admin/*"

CREATE_INDEX:

  - "indices:admin/create"

  - "indices:admin/mapping/put"

MANAGE_ALIASES:

  - "indices:admin/aliases*"

MONITOR:

  - "indices:monitor/*"

DATA_ACCESS:

  - "indices:data/*"

  - "indices:admin/mapping/put"

WRITE:

  - "indices:data/write*"

  - "indices:admin/mapping/put"

READ:

  - "indices:data/read*"

DELETE:

  - "indices:data/write/delete*"

CRUD:

  - READ

  - WRITE

SEARCH:

  - "indices:data/read/search*"

  - "indices:data/read/msearch*"

  - SUGGEST

SUGGEST:

  - "indices:data/read/suggest*"

INDEX:

  - "indices:data/write/index*"

  - "indices:data/write/update*"

  - "indices:admin/mapping/put"

  # no bulk index

GET:

  - "indices:data/read/get*"

  - "indices:data/read/mget*"

# CLUSTER

CLUSTER_ALL:

  - cluster:*

CLUSTER_MONITOR:

  - cluster:monitor/*

CLUSTER_COMPOSITE_OPS_RO:

  - "indices:data/read/mget"

  - "indices:data/read/msearch"

  - "indices:data/read/mtv"

  - "indices:data/read/coordinate-msearch*"

  - "indices:admin/aliases/exists*"

  - "indices:admin/aliases/get*"

CLUSTER_COMPOSITE_OPS:

  - "indices:data/write/bulk"

  - "indices:admin/aliases*"

  - CLUSTER_COMPOSITE_OPS_RO

KIBANA_SERVER:

  - indices:admin/exists*

  - indices:admin/mapping/put*

  - indices:admin/mappings/fields/get*

  - indices:admin/refresh*

  - indices:admin/validate/query*

  - indices:data/read/get*

  - indices:data/read/mget*

  - indices:data/read/search*

  - indices:data/write/delete*

  - indices:data/write/index*

  - indices:data/write/update*

KIBANA_USER:

  - indices:data/read*

  - indices:admin/mappings/fields/get*

  - indices:admin/validate/query*

  - indices:admin/get*

sg_config.yml: |-

searchguard:

  dynamic:

    http:

      anonymous_auth_enabled: false

      xff:

        enabled: true

        internalProxies: '.*' # trust all internal proxies, regex pattern

        remoteIpHeader:  'x-forwarded-for'

        proxiesHeader:   'x-forwarded-by'

        trustedProxies: '.*' # trust all external proxies, regex pattern

    authc:

      proxy_auth_domain:

        enabled: true

        order: 1

        http_authenticator:

          type: proxy

          challenge: false

          config:

            user_header: "x-proxy-user"

            roles_header: "x-proxy-roles"

        authentication_backend:

          type: noop

      basic_internal_auth_domain:

        enabled: true

        order: 2

        http_authenticator:

          type: basic

          challenge: false

        authentication_backend:

          type: intern

sg_internal_users.yml: |-

smdt:

  hash: $2a$12$MI8K2df5.mN/RulK9oyzG.grdveeiaujppUqMybHbVhnr5uvP59Gi

  #password is: admin

ingestion:

  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2

  #password is: logstash

npaboss:

  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

npa1:

  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

npa2:

  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

kibanaserver:

  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

sg_roles.yml: |-

sg_all_access:

  cluster:

    - '*'

  indices:

    '*':

      '*':

        - '*'

sg_transport_client:

  cluster:

      - cluster:monitor/nodes/liveness

      - cluster:monitor/state

sg_kibana_server:

  cluster:

      - CLUSTER_MONITOR

      - CLUSTER_COMPOSITE_OPS

  indices:

    '?kibana':

      '*':

        - ALL

sg_logstash:

  cluster:

    - indices:admin/template/get

    - indices:admin/template/put

    - indices:data/write/bulk*

    - CLUSTER_MONITOR

    - CLUSTER_COMPOSITE_OPS

  indices:

    '*':

      '*':

        - CRUD

        - CREATE_INDEX

    '*beat*':

      '*':

        - CRUD

        - CREATE_INDEX

sg_role_boss:

  cluster:

    - '*'

  indices:

    '*':

      '*':

        - KIBANA_USER

        - '*'

    '?kibana':

      '*':

        - KIBANA_SERVER

sg_role_1:

  cluster:

    - indices:admin/template/get

    - indices:admin/template/put

    - indices:data/write/bulk*

    - CLUSTER_MONITOR

    - CLUSTER_COMPOSITE_OPS

  indices:

    '*-1-*':

      '*':

        - KIBANA_USER

        - ALL

    '?kibana*':

      '*':

        - KIBANA_SERVER

        - ALL

sg_role_2:

  cluster:

    - indices:admin/template/get

    - indices:admin/template/put

    - indices:data/write/bulk*

    - CLUSTER_MONITOR

    - CLUSTER_COMPOSITE_OPS

  indices:

    '*-2-*':

      '*':

        - KIBANA_USER

        - ALL

    '?kibana*':

      '*':

        - KIBANA_SERVER

        - ALL

sg_roles_mapping.yml: |-

sg_logstash:

  users:

    - ingestion

sg_kibana_server:

  users:

    - kibanaserver

sg_all_access:

  users:

    - smdt

sg_role_boss:

  users:

    - npaboss

sg_role_1:

  users:

    - npa1

sg_role_2:

  users:

    - npa2

``

My goal is to set nginx as a reverse proxy :

server {

listen 8080 ssl;

server_name kibana-1.example.org ;

ssl_certificate /etc/secrets/cert;

ssl_certificate_key /etc/secrets/key;

ssl_session_cache shared:ssl:1m;

error_log /var/log/nginx/error.log debug;

auth_ldap “forbidden”;

auth_ldap_servers GROUP1;

location / {

proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;

proxy_set_header x-real_p $remote_addr;

proxy_set_header x-proxy-user “npa1”;

proxy_set_header x-proxy-roles “sg_role_1”;

proxy_set_header host $http_host;

proxy_redirect off;

proxy_pass https://kibana:5601/;

}

}

server {

listen 8080 ssl;

server_name kibana-2.example.org ;

ssl_certificate /etc/secrets/cert;

ssl_certificate_key /etc/secrets/key;

ssl_session_cache shared:ssl:1m;

error_log /var/log/nginx/error.log debug;

auth_ldap “forbidden”;

auth_ldap_servers GROUP2;

location / {

proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;

proxy_set_header x-real_p $remote_addr;

proxy_set_header x-proxy-user “npa2”;

proxy_set_header x-proxy-roles “sg_role_2”;

proxy_set_header host $http_host;

proxy_redirect off;

proxy_pass https://kibana:5601/;

}

}

``

Direct access to ELK works fine:

curl -XGET -k ‘https://es-master:9200/_searchguard/authinfo?pretty=true’ -v -H “x-proxy-user: npa1” -H “x-proxy-roles: sg_role_1” -H “x-forwarded-for: 192.168.1.1”

{

“user” : “User [name=npanl, roles=[sg_role_1]]”,
“remote_address” : “192.168.1.21:37374”,
“sg_roles” : [
“sg_role_1”
],
“principal” : null,
“peer_certificates” : “0”
}

``

I am able to ask for the data in index -1- as well (on port 9200).

I have only issue with kibana… I am not able to use index discovery. I can login to the kibana (dump from the logs):

{“type”:“response”,"@timestamp":“2017-01-30T18:27:02Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:404,“req”:{“url”:"/elasticsearch/logstash-/_mapping/field/?_=1485800822220&ignore_unavailable=false&allow_no_indices=false&include_defaults=true",“method”:“get”,“headers”:{“x-forwarded-for”:“10.131.0.1”,“x-real_p”:“10.131.0.1”,“x-proxy-user”:“npa1”,“x-proxy-roles”:“sg_role_1”,“host”:“kibana-1.example.net”,“connection”:“close”,“accept”:"application/json,

text/plain, /",“kbn-version”:“5.1.2”,“user-agent”:"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like

Gecko) Chrome/53.0.2785.21 Safari/537.36

MMS/1.0.2459.0",“referer”:"https://kibana-ccert.yoda.pl.ing.net/app/kibana",“accept-encoding”:"gzip, deflate, sdch,

br",“accept-language”:“en-US,en;q=0.8”},“remoteAddress”:“10.131.0.1”,“userAgent”:“10.131.0.1”,“referer”:"https://kibana-1.example.net/app/kibana"},“res”:{“statusCode”:404,“responseTime”:6,“contentLength”:9},“message”:"GET

/elasticsearch/logstash-/_mapping/field/?_=1485800822220&ignore_unavailable=false&allow_no_indices=false&include_defaults=true

404 6ms - 9.0B"}

``

So far so good. However when I tried to use “Configure pattern”:

Any idea?

First of all: Which exact Search Guard and which exact Elasticsearch/Kibana version you are using?

If you use Kibana 5 you must whitelist your headers in kibana.yml (x-proxy-user, x-proxy-roles, x-forwarded-for)

Please provide also logs on DEBUG level from your elasticsearch node (elasticsearch.log)

···

Am 30.01.2017 um 19:34 schrieb Mariusz Derela <mariusz.derela@gmail.com>:

Hi team

I am playing with SG and I've noticed some issues related with SSO/XFF. Could someone help me to dispel my doubts?

Below you can find my current configuration:

  sg_action_groups.yml: |-
    ALL:
      - "indices:*"
    MANAGE:
      - "indices:monitor/*"
      - "indices:admin/*"
    CREATE_INDEX:
      - "indices:admin/create"
      - "indices:admin/mapping/put"
    MANAGE_ALIASES:
      - "indices:admin/aliases*"
    MONITOR:
      - "indices:monitor/*"
    DATA_ACCESS:
      - "indices:data/*"
      - "indices:admin/mapping/put"
    WRITE:
      - "indices:data/write*"
      - "indices:admin/mapping/put"
    READ:
      - "indices:data/read*"
    DELETE:
      - "indices:data/write/delete*"
    CRUD:
      - READ
      - WRITE
    SEARCH:
      - "indices:data/read/search*"
      - "indices:data/read/msearch*"
      - SUGGEST
    SUGGEST:
      - "indices:data/read/suggest*"
    INDEX:
      - "indices:data/write/index*"
      - "indices:data/write/update*"
      - "indices:admin/mapping/put"
      # no bulk index
    GET:
      - "indices:data/read/get*"
      - "indices:data/read/mget*"
    # CLUSTER
    CLUSTER_ALL:
      - cluster:*
    CLUSTER_MONITOR:
      - cluster:monitor/*
    CLUSTER_COMPOSITE_OPS_RO:
      - "indices:data/read/mget"
      - "indices:data/read/msearch"
      - "indices:data/read/mtv"
      - "indices:data/read/coordinate-msearch*"
      - "indices:admin/aliases/exists*"
      - "indices:admin/aliases/get*"
    CLUSTER_COMPOSITE_OPS:
      - "indices:data/write/bulk"
      - "indices:admin/aliases*"
      - CLUSTER_COMPOSITE_OPS_RO
    KIBANA_SERVER:
      - indices:admin/exists*
      - indices:admin/mapping/put*
      - indices:admin/mappings/fields/get*
      - indices:admin/refresh*
      - indices:admin/validate/query*
      - indices:data/read/get*
      - indices:data/read/mget*
      - indices:data/read/search*
      - indices:data/write/delete*
      - indices:data/write/index*
      - indices:data/write/update*
    KIBANA_USER:
      - indices:data/read*
      - indices:admin/mappings/fields/get*
      - indices:admin/validate/query*
      - indices:admin/get*
  sg_config.yml: |-
    searchguard:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: true
            internalProxies: '.*' # trust all internal proxies, regex pattern
            remoteIpHeader: 'x-forwarded-for'
            proxiesHeader: 'x-forwarded-by'
            trustedProxies: '.*' # trust all external proxies, regex pattern
        authc:
          proxy_auth_domain:
            enabled: true
            order: 1
            http_authenticator:
              type: proxy
              challenge: false
              config:
                user_header: "x-proxy-user"
                roles_header: "x-proxy-roles"
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            enabled: true
            order: 2
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: intern
  sg_internal_users.yml: |-
    smdt:
      hash: $2a$12$MI8K2df5.mN/RulK9oyzG.grdveeiaujppUqMybHbVhnr5uvP59Gi
      #password is: admin
    ingestion:
      hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
      #password is: logstash
    npaboss:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
    npa1:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
    npa2:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
    kibanaserver:
      hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.
  sg_roles.yml: |-
    sg_all_access:
      cluster:
        - '*'
      indices:
        '*':
          '*':
            - '*'
    sg_transport_client:
      cluster:
          - cluster:monitor/nodes/liveness
          - cluster:monitor/state
    sg_kibana_server:
      cluster:
          - CLUSTER_MONITOR
          - CLUSTER_COMPOSITE_OPS
      indices:
        '?kibana':
          '*':
            - ALL
    sg_logstash:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
        - indices:data/write/bulk*
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*':
          '*':
            - CRUD
            - CREATE_INDEX
        '*beat*':
          '*':
            - CRUD
            - CREATE_INDEX
    sg_role_boss:
      cluster:
        - '*'
      indices:
        '*':
          '*':
            - KIBANA_USER
            - '*'
        '?kibana':
          '*':
            - KIBANA_SERVER
    sg_role_1:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
        - indices:data/write/bulk*
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*-1-*':
          '*':
            - KIBANA_USER
            - ALL
        '?kibana*':
          '*':
            - KIBANA_SERVER
            - ALL
    sg_role_2:
      cluster:
        - indices:admin/template/get
        - indices:admin/template/put
        - indices:data/write/bulk*
        - CLUSTER_MONITOR
        - CLUSTER_COMPOSITE_OPS
      indices:
        '*-2-*':
          '*':
            - KIBANA_USER
            - ALL
        '?kibana*':
          '*':
            - KIBANA_SERVER
            - ALL
  sg_roles_mapping.yml: |-
    sg_logstash:
      users:
        - ingestion
    sg_kibana_server:
      users:
        - kibanaserver
    sg_all_access:
      users:
        - smdt
    sg_role_boss:
      users:
        - npaboss
    sg_role_1:
      users:
        - npa1
    sg_role_2:
      users:
        - npa2

My goal is to set nginx as a reverse proxy :

        server {
            listen 8080 ssl;
            server_name kibana-1.example.org ;
            ssl_certificate /etc/secrets/cert;
            ssl_certificate_key /etc/secrets/key;
            ssl_session_cache shared:ssl:1m;
            error_log /var/log/nginx/error.log debug;
            auth_ldap "forbidden";
            auth_ldap_servers GROUP1;
            location / {
                proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
                proxy_set_header x-real_p $remote_addr;
                proxy_set_header x-proxy-user "npa1";
                proxy_set_header x-proxy-roles "sg_role_1";
                proxy_set_header host $http_host;
                proxy_redirect off;
                proxy_pass https://kibana:5601/;
            }
        }
        server {
            listen 8080 ssl;
            server_name kibana-2.example.org ;
            ssl_certificate /etc/secrets/cert;
            ssl_certificate_key /etc/secrets/key;
            ssl_session_cache shared:ssl:1m;
            error_log /var/log/nginx/error.log debug;
            auth_ldap "forbidden";
            auth_ldap_servers GROUP2;
            location / {
                proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
                proxy_set_header x-real_p $remote_addr;
                proxy_set_header x-proxy-user "npa2";
                proxy_set_header x-proxy-roles "sg_role_2";
                proxy_set_header host $http_host;
                proxy_redirect off;
                proxy_pass https://kibana:5601/;
            }
        }

Direct access to ELK works fine:
curl -XGET -k 'https://es-master:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: npa1" -H "x-proxy-roles: sg_role_1" -H "x-forwarded-for: 192.168.1.1"

{

  "user" : "User [name=npanl, roles=[sg_role_1]]",
  "remote_address" : "192.168.1.21:37374",
  "sg_roles" : [
    "sg_role_1"
  ],
  "principal" : null,
  "peer_certificates" : "0"
}

I am able to ask for the data in index *-1-* as well (on port 9200).

I have only issue with kibana... I am not able to use index discovery. I can login to the kibana (dump from the logs):

{“type”:“response”,"@timestamp":“2017-01-30T18:27:02Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:404,“req”:{“url”:"/elasticsearch/logstash-*/_mapping/field/*?_=1485800822220&ignore_unavailable=false&allow_no_indices=false&include_defaults=true",“method”:“get”,“headers”:{“x-forwarded-for”:“10.131.0.1”,“x-real_p”:“10.131.0.1”,“x-proxy-user”:“npa1”,“x-proxy-roles”:“sg_role_1”,“host”:“kibana-1.example.net”,“connection”:“close”,“accept”:“application/json,
text/plain, */*”,“kbn-version”:“5.1.2”,“user-agent”:“Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/53.0.2785.21 Safari/537.36
MMS/1.0.2459.0”,“referer”:“https://kibana-ccert.yoda.pl.ing.net/app/kibana",“accept-encoding”:"gzip, deflate, sdch,
br”,“accept-language”:“en-US,en;q=0.8”},“remoteAddress”:“10.131.0.1”,“userAgent”:“10.131.0.1”,“referer”:“https://kibana-1.example.net/app/kibana"},“res”:{“statusCode”:404,“responseTime”:6,“contentLength”:9},“message”:"GET
/elasticsearch/logstash-*/_mapping/field/*?_=1485800822220&ignore_unavailable=false&allow_no_indices=false&include_defaults=true
404 6ms - 9.0B”}

So far so good. However when I tried to use "Configure pattern":

Any idea?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/db8d7566-16cb-4f08-9691-3dee058f4a23%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.