Hi Team,
I have trouble setting up Anonymous authentication for Kibana, I use proxy auth (SAML) to allow users to access kibana. When I login with test user username is not set to sg_anonymous, uses the username from x-proxy-user. May I know whether Anonymous authentication works with only basic auth.
I would like a flow as if user is not present in roles_mapping, sg_ananymous should be triggered.
For any further information please do let me know.
Best,
Yash
Can you please post your sg_config.yml and elasticsearch.yml?
@cstaley Thanks for your response, I have attached the required below.
sg_config.yml
_sg_meta:
type: "config"
config_version: 2
sg_config:
dynamic:
#filtered_alias_mode: warn
do_not_fail_on_forbidden: true
kibana:
multitenancy_enabled: true
server_username: 'kibana'
index: '.kibana'
http:
anonymous_auth_enabled: true
xff:
enabled: true
#internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
internalProxies: '.*' # trust all internal proxies, regex pattern
remoteIpHeader: 'x-forwarded-for'
authc:
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
proxy_auth_domain:
description: "Authenticate via proxy"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
elasticsearch.yml
# ---------------------------------- Searchguard ------------------------------- searchguard.config_index_name: searchguard7 searchguard.ssl.transport.enabled: true searchguard.ssl.transport.keystore_filepath: searchguard.ssl.transport.keystore_password: searchguard.ssl.transport.truststore_filepath: searchguard.ssl.transport.truststore_password: searchguard.ssl.transport.enforce_hostname_verification: false #searchguard.ssl.transport.http.enforce_clientauth: optional searchguard.ssl.http.clientauth_mode: OPTIONAL searchguard.ssl.http.enabled: true searchguard.ssl.http.keystore_filepath: searchguard.ssl.http.keystore_password: searchguard.ssl.http.truststore_filepath: searchguard.ssl.http.truststore_password: #searchguard.audit.type: internal_elasticsearch searchguard.authcz.admin_dn: - "" searchguard.ssl.transport.enable_openssl_if_available: true searchguard.ssl.http.enable_openssl_if_available: true searchguard.restapi.roles_enabled: ["SGS_ADMIN"] #searchguard.audit.config.disabled_rest_categories: NONE #searchguard.audit.config.disabled_transport_categories: NONE ########################## x-Pack ######################### xpack.license.self_generated.type: basic #xpack.graph.enabled: false xpack.ml.enabled: false xpack.monitoring.enabled: false ##xpack.reporting.enabled: false xpack.security.enabled: false
That’s not really how anonymous authentication works. Basically the flow is like:
x-proxy-user and x-proxy-roles headers. In case of Basic Auth, it’s the Authorization HTTP header.sg_anonymous with the backend role sg_anonymous_backendroleWhich means that we only fall back to anonymous authentication if no user credentials could be extracted. The question whether a user is actually mapped to a SG role in sg_roles_mapping.yml is not relevant.
Let me know if this helps!
Hi @jkressin ,
In this case I have one kibana instance without proxy auth, this redirect the request to sg_anonymous role.
Thanks for your clarification.
Best,
Yash
Hi @jkressin,
I have issue when I map sg_anonymous_backendrole to guest_tenant I get no date in the kibana. when I used authinfo API I got guest_tenant: false. May I know why I get “false” value for the tenant.
curl -k https://localhost:9200/_searchguard/authinfo?pretty
{
"user" : "User [name=sg_anonymous, backend_roles=[sg_anonymous_backendrole], requestedTenant=null]",
"user_name" : "sg_anonymous",
"user_requested_tenant" : null,
"remote_address" : "[::1]:46488",
"backend_roles" : [
"sg_anonymous_backendrole"
],
"custom_attribute_names" : [ ],
"sg_roles" : [
"SGS_GUEST"
],
"sg_tenants" : {
"sg_anonymous" : true,
"guest_tenant" : false
},
"principal" : null,
"peer_certificates" : "0",
"sso_logout_url" : null
}
sg_role.yml
SGS_ELK_ADMIN:
description: "ELK Admin"
cluster_permissions:
- "SGS_UNLIMITED"
index_permissions:
- index_patterns:
- "*"
allowed_actions:
- "READ"
- index_patterns:
- "?kibana*"
allowed_actions:
- "SGS_UNLIMITED"
tenant_permissions:
- tenant_patterns:
- "elk_admin_tenant"
- "guest_tenant"
allowed_actions:
- "SGS_KIBANA_ALL_WRITE"
SGS_GUEST:
description: "guest only dashboards are accessible"
cluster_permissions:
- "SGS_CLUSTER_COMPOSITE_OPS_RO"
index_permissions:
- index_patterns:
- "*"
allowed_actions:
- "SGS_UNLIMITED"
- index_patterns:
- "?kibana*"
allowed_actions:
- "SGS_UNLIMITED"
tenant_permissions:
- tenant_patterns:
- "guest_tenant"
allowed_actions:
- "SGS_KIBANA_ALL_READ"
sg_roles_mapping.yml
SGS_ELK_ADMIN:
reserved: false
users:
- "admin_user"
description: "Maps ELK admin users to SGS_ELK_ADMIN"
SGS_GUEST:
reserved: false
backend_roles:
- "sg_anonymous_backendrole"
users:
- "guest_user"
description: "Guest users"
In above sg_role.yml I have user admin_user write access to guest_tenant to create dashboards and guest users (sg_anonymous and guest_user) will see the dashboards. When I tried to access via kibana usign sg_anonymous I could tenant available but no data is visible whereas if I login with `guest_user" I could see all the data in the tenant.
I have enabled anonymous auth in kibana and elasticsearch.
If you required any further information please do let me know.
Best,
Yash
Hm, this seems strange.
So to recap: You have created a user guest_user and mapped it to the SGS_GUEST role. And you have mapped the sg_anonymous_backendrole to this very same role.
If you use the guest user it works, but it does not work with the anonymous user, correct?
This seems strange since from the authinfo I can see that anonymout use is indee correctly mapped to the SGS_GUEST role.
(BTW: The SGS prefix means “Search Guard Static” and we use it to prefix the newly introduced built-in roles: Search Guard roles | Security for Elasticsearch | Search Guard)
So, what would be interesting to see is the authinfo call for the guest user, and compare it with the anonymous one. Some questions:
SGS_KIBANA_USER (which replaces the legacy sg_kibana_user role)?The false in the authinfo call means that the tenant is read-only. This is a legacy output that some Kibana functionality still relies on, but which will be removed in some of the next SG versions.
@jkressin Apologies for the delayed response. I have fixed the roles by mapping the backed_roles with SGS_KIBANA_USER. when I try to access the kibana, I could see no dashboards but the dashboard are configured in the tenant. Looks like sg_backend_roles are are looking for apm-* index pattern. Please find the attached.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
