Search Guard for Kibana - bypass authentication

When asking questions, please provide the following information:
image: 6.5.4-oss-18

  • JVM version and operating system version: 9

Hi, I am using Search Guard for Kibana. In my scenario, Kibana is exposed by Ingress. Can I reuse the username and the password from the Ingress, because otherwise I have to have a second authentication (one from Ingress and a second from Search Guard).

I guess proxy authentication will do the trick:


On 20.03.2019 at 14:11, k.zhelyazkov@sap.com wrote:

When asking questions, please provide the following information:
image: 6.5.4-oss-18
* JVM version and operating system version: 9

Hi, I am using Search Guard for Kibana. In my scenario, Kibana is exposed by Ingress. Can I reuse the username and the password from the Ingress, because otherwise I have to have a second authentication (one from Ingress and a second from Search Guard).


Actually there are 2 users in my Ingress. Every user has a different role. How can I send roles with this proxy when the Ingress doesn’t know about the roles?

In my case all I need is Kibana to catch the authorization header and to reuse it.

If you use Basic Authentication in Kibana and you add HTTP Basic Authentication headers to an HTTP call to Kibana, our plugin will pick the headers up and use them for auth/auth.

On Wednesday, March 20, 2019 at 3:01:01 PM UTC+1, k.zhelyazkov@sap.com wrote:

In my case all I need is Kibana to catch the authorization header and to reuse it.

I think, I use Basic Authentication. Here are my config files.

kibana.yml (736 Bytes)

sg_config.yml (561 Bytes)

I hope I understood your use case correctly, I am not an expert on Ingress. So when you write:

“In my case all I need is Kibana to catch the authorization header and to reuse it.”

So I am assuming that the calls from Ingress to Kibana contain HTTP Basic headers, correct? If this is the case then Kibana should pick them up without the need to configure anything special.

You would then use the roles mapping feature to assign Search Guard roles to these users:

https://docs.search-guard.com/latest/mapping-users-roles

If auth/auth takes place on Ingress and after that, you just have the (authenticated) username and the (authenticated) roles of the user (no password), then proxy authentication is the way to go:

https://docs.search-guard.com/latest/kibana-authentication-proxy
https://docs.search-guard.com/latest/proxy-authentication

On Wednesday, March 20, 2019 at 3:26:14 PM UTC+1, k.zhelyazkov@sap.com wrote:

I think, I use Basic Authentication. Here are my config files.

Yes, as you can see in the picture, the call contains HTTP Basic header.

I already have the role-mapping roles in Search Guard, because I can authenticate successfully, but I actually want to bypass the login form from the Kibana Search Guard plugin, because I have one authentication in front of the Ingress and I have to make a second authentication with the same credentials in front of the Kibana Search Guard login form.

Hi,

so, I think we’ve found the issue here, it is rooted in the request flow upon first log in.

In order to skip the login dialogue, can you please try to use a deep link to Kibana for the initial request? That means, instead of using something like:

https://kibana.example.com:5601

try:

https://kibana.example.com:5601/app/kibana

The plugin will pick up the authentication headers and create the session cookie. This has been tested with 6.6.2, but should also work with 6.5.4.

On Wednesday, March 20, 2019 at 11:58:57 PM UTC+1, k.zhelyazkov@sap.com wrote:

Yes, as you can see in the picture, the call contains HTTP Basic header.

I already have the role-mapping roles in Search Guard, because I can authenticate successfully, but I actually want to bypass the login form from the Kibana Search Guard plugin, because I have one authentication in front of the Ingress and I have to make a second authentication with the same credentials in front of the Kibana Search Guard login form.
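The setup discussed in this thread (HTTP Basic at the Ingress, with the initial request landing on the deep link so the plugin picks up the forwarded header) expressed as a Kubernetes Ingress. This is an added example, not a configuration posted by any participant; it assumes the ingress-nginx controller, and the Secret names, Service name and port are hypothetical.

```yaml
# Added example. Assumes the ingress-nginx controller; values marked
# "hypothetical" are placeholders, not taken from the thread.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kibana                                   # hypothetical
  annotations:
    # The only interactive login: HTTP Basic enforced at the Ingress.
    nginx.ingress.kubernetes.io/auth-type: basic
    # htpasswd-format Secret holding the Ingress users (hypothetical name).
    nginx.ingress.kubernetes.io/auth-secret: kibana-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Kibana"
    # Redirect requests for "/" to the deep link, so the first request
    # Kibana sees is /app/kibana and already carries the Basic header.
    # nginx passes the client's Authorization header upstream unchanged.
    nginx.ingress.kubernetes.io/app-root: /app/kibana
spec:
  ingressClassName: nginx
  tls:
    # Basic credentials are only base64-encoded, so terminate TLS here.
    - hosts:
        - kibana.example.com
      secretName: kibana-tls                     # hypothetical
  rules:
    - host: kibana.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kibana                     # hypothetical Service name
                port:
                  number: 5601
```

Because the plugin uses the forwarded header for its own authentication, every user in the htpasswd Secret needs the same username and password in Search Guard; roles are then assigned through the roles mapping rather than by the Ingress.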