sg_config.yml anonymous user

With the latest release 2.3.3 BETA 3 how does one go about allow anonymous users? I tried changing anonymous_auth_enabled: false to true but I still get:

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /10.0.11.193:53199

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] no xff done true,false,class org.elasticsearch.http.netty.NettyHttpRequest,{}

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http {} basic

[2016-05-31 14:54:13,120][INFO ][com.floragunn.searchguard.auth.BackendRegistry] java.lang.IllegalArgumentException: password must not be null or empty extracting credentials from basic

[2016-05-31 14:54:13,120][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Authentication finally failed

Are there any examples on how to get something like the following working?

sg_roles_mapping.yml

sg_public:

users:

  • ‘*’

can you send your sg_config.yml?

Something like that should work with beta3

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
    authc:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
        authentication_backend:
          type: intern

···

Am 31.05.2016 um 23:55 schrieb djtecha <djtecha@gmail.com>:

With the latest release 2.3.3 BETA 3 how does one go about allow anonymous users? I tried changing anonymous_auth_enabled: false to true but I still get:

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /10.0.11.193:53199
[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] no xff done true,false,class org.elasticsearch.http.netty.NettyHttpRequest,{}
[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http {} basic
[2016-05-31 14:54:13,120][INFO ][com.floragunn.searchguard.auth.BackendRegistry] java.lang.IllegalArgumentException: password must not be null or empty extracting credentials from basic
[2016-05-31 14:54:13,120][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Authentication finally failed

Are there any examples on how to get something like the following working?

sg_roles_mapping.yml
sg_public:
  users:
    - '*'

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ac1a7020-5ed3-473c-a686-969c67101851%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I I tried with that exact sg_config.yml and get the same error when I try to use an undefined username. Before something like:

sg_public:

users:

  • ‘*’

would let me do this after checking that the username wasn’t defined.

···

On Wed, Jun 1, 2016 at 3:44 AM, SG info@search-guard.com wrote:

can you send your sg_config.yml?

Something like that should work with beta3

searchguard:

dynamic:

http:

  anonymous_auth_enabled: true

  xff:

    enabled: false

    internalProxies: 192\.168\.0\.10|192\.168\.0\.11

    remoteIpHeader: "x-forwarded-for"

    proxiesHeader: "x-forwarded-by"

    trustedProxies: "proxy1|proxy2"

authc:

  authentication_domain_basic_internal:

    enabled: true

    order: 0

    http_authenticator:

      type: basic

    authentication_backend:

      type: intern

Am 31.05.2016 um 23:55 schrieb djtecha djtecha@gmail.com:

With the latest release 2.3.3 BETA 3 how does one go about allow anonymous users? I tried changing anonymous_auth_enabled: false to true but I still get:

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /10.0.11.193:53199

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] no xff done true,false,class org.elasticsearch.http.netty.NettyHttpRequest,{}

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http {} basic

[2016-05-31 14:54:13,120][INFO ][com.floragunn.searchguard.auth.BackendRegistry] java.lang.IllegalArgumentException: password must not be null or empty extracting credentials from basic

[2016-05-31 14:54:13,120][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Authentication finally failed

Are there any examples on how to get something like the following working?

sg_roles_mapping.yml

sg_public:

users:

- '*'

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ac1a7020-5ed3-473c-a686-969c67101851%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/945A49BF-9674-4903-A45F-675845335FBF%40search-guard.com.
For more options, visit https://groups.google.com/d/optout.

sorry, but cannot reproduce this

···

Am 01.06.2016 um 18:04 schrieb Daniel Kasen <djtecha@gmail.com>:

I I tried with that exact sg_config.yml and get the same error when I try to use an undefined username. Before something like:

sg_public:
  users:
    - '*'

would let me do this after checking that the username wasn't defined.

On Wed, Jun 1, 2016 at 3:44 AM, SG <info@search-guard.com> wrote:
can you send your sg_config.yml?

Something like that should work with beta3

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
    authc:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
        authentication_backend:
          type: intern

> Am 31.05.2016 um 23:55 schrieb djtecha <djtecha@gmail.com>:
>
> With the latest release 2.3.3 BETA 3 how does one go about allow anonymous users? I tried changing anonymous_auth_enabled: false to true but I still get:
>
> [2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /10.0.11.193:53199
> [2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] no xff done true,false,class org.elasticsearch.http.netty.NettyHttpRequest,{}
> [2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http {} basic
> [2016-05-31 14:54:13,120][INFO ][com.floragunn.searchguard.auth.BackendRegistry] java.lang.IllegalArgumentException: password must not be null or empty extracting credentials from basic
> [2016-05-31 14:54:13,120][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Authentication finally failed
>
>
>
> Are there any examples on how to get something like the following working?
>
> sg_roles_mapping.yml
> sg_public:
> users:
> - '*'
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
> To post to this group, send email to search-guard@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ac1a7020-5ed3-473c-a686-969c67101851%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/945A49BF-9674-4903-A45F-675845335FBF%40search-guard.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAArf3714O16SQUZ3vJ_2THwc-tf0yStreVj-kiNdLgks2B-rKg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Ok, so I got this working with RC1 using the proxy method. I’m almost there but am a little confused on how you would set up users to have access through kibana. I have nginx passing the correct username and see it being matched via “[2016-06-10 14:51:49,997][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=testuser, roles=]” But when I then try to restrict sg_public at all kibana barfs on me about not having admin index stuff. I tried just adding the ‘*’ as a user to the kibana4 group which lets me see everything again but with no restrictions by index or type. Is there an example of an anonymous user being set up in the sg_roles.yml that anyone could help me with?

···

On Monday, June 6, 2016 at 7:36:15 AM UTC-7, SG wrote:

sorry, but cannot reproduce this

Am 01.06.2016 um 18:04 schrieb Daniel Kasen djt...@gmail.com:

I I tried with that exact sg_config.yml and get the same error when I try to use an undefined username. Before something like:

sg_public:

users:

- '*'

would let me do this after checking that the username wasn’t defined.

On Wed, Jun 1, 2016 at 3:44 AM, SG in...@search-guard.com wrote:

can you send your sg_config.yml?

Something like that should work with beta3

searchguard:

dynamic:

http:
  anonymous_auth_enabled: true
  xff:
    enabled: false
    internalProxies: 192\.168\.0\.10|192\.168\.0\.11
    remoteIpHeader: "x-forwarded-for"
    proxiesHeader: "x-forwarded-by"
    trustedProxies: "proxy1|proxy2"
authc:
  authentication_domain_basic_internal:
    enabled: true
    order: 0
    http_authenticator:
      type: basic
    authentication_backend:
      type: intern

Am 31.05.2016 um 23:55 schrieb djtecha djt...@gmail.com:

With the latest release 2.3.3 BETA 3 how does one go about allow anonymous users? I tried changing anonymous_auth_enabled: false to true but I still get:

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /10.0.11.193:53199

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] no xff done true,false,class org.elasticsearch.http.netty.NettyHttpRequest,{}

[2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http {} basic

[2016-05-31 14:54:13,120][INFO ][com.floragunn.searchguard.auth.BackendRegistry] java.lang.IllegalArgumentException: password must not be null or empty extracting credentials from basic

[2016-05-31 14:54:13,120][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Authentication finally failed

Are there any examples on how to get something like the following working?

sg_roles_mapping.yml

sg_public:

users:

- '*'

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ac1a7020-5ed3-473c-a686-969c67101851%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/945A49BF-9674-4903-A45F-675845335FBF%40search-guard.com.

For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAArf3714O16SQUZ3vJ_2THwc-tf0yStreVj-kiNdLgks2B-rKg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

Is this issue still valid?

···

Am 10.06.2016 um 23:56 schrieb djtecha <djtecha@gmail.com>:

Ok, so I got this working with RC1 using the proxy method. I'm almost there but am a little confused on how you would set up users to have access through kibana. I have nginx passing the correct username and see it being matched via "[2016-06-10 14:51:49,997][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=testuser, roles=]" But when I then try to restrict sg_public at all kibana barfs on me about not having admin index stuff. I tried just adding the '*' as a user to the kibana4 group which lets me see everything again but with no restrictions by index or type. Is there an example of an anonymous user being set up in the sg_roles.yml that anyone could help me with?

On Monday, June 6, 2016 at 7:36:15 AM UTC-7, SG wrote:
sorry, but cannot reproduce this

> Am 01.06.2016 um 18:04 schrieb Daniel Kasen <djt...@gmail.com>:
>
> I I tried with that exact sg_config.yml and get the same error when I try to use an undefined username. Before something like:
>
> sg_public:
> users:
> - '*'
>
> would let me do this after checking that the username wasn't defined.
>
> On Wed, Jun 1, 2016 at 3:44 AM, SG <in...@search-guard.com> wrote:
> can you send your sg_config.yml?
>
> Something like that should work with beta3
>
> searchguard:
> dynamic:
> http:
> anonymous_auth_enabled: true
> xff:
> enabled: false
> internalProxies: 192\.168\.0\.10|192\.168\.0\.11
> remoteIpHeader: "x-forwarded-for"
> proxiesHeader: "x-forwarded-by"
> trustedProxies: "proxy1|proxy2"
> authc:
> authentication_domain_basic_internal:
> enabled: true
> order: 0
> http_authenticator:
> type: basic
> authentication_backend:
> type: intern
>
> > Am 31.05.2016 um 23:55 schrieb djtecha <djt...@gmail.com>:
> >
> > With the latest release 2.3.3 BETA 3 how does one go about allow anonymous users? I tried changing anonymous_auth_enabled: false to true but I still get:
> >
> > [2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /10.0.11.193:53199
> > [2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.http.XFFResolver] no xff done true,false,class org.elasticsearch.http.netty.NettyHttpRequest,{}
> > [2016-05-31 14:54:13,115][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http {} basic
> > [2016-05-31 14:54:13,120][INFO ][com.floragunn.searchguard.auth.BackendRegistry] java.lang.IllegalArgumentException: password must not be null or empty extracting credentials from basic
> > [2016-05-31 14:54:13,120][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Authentication finally failed
> >
> >
> >
> > Are there any examples on how to get something like the following working?
> >
> > sg_roles_mapping.yml
> > sg_public:
> > users:
> > - '*'
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Search Guard" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> > To post to this group, send email to search...@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ac1a7020-5ed3-473c-a686-969c67101851%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/945A49BF-9674-4903-A45F-675845335FBF%40search-guard.com.
> For more options, visit https://groups.google.com/d/optout.
>
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAArf3714O16SQUZ3vJ_2THwc-tf0yStreVj-kiNdLgks2B-rKg%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/7038b51f-5a48-4e40-a34e-5401c8c659a4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.