SG GUI redirects me to login again

I tried to install SearchGuard on ES 6.2.2, CentOS 7. I used the demo certificates in the ZIP file.

I managed to log in with the kibanaserver and admin users. I still have a small problem when I click on the “Discover” tab, but I learned this is because I need to create a special SG user.

So I wanted to create this user with the GUI.

With admin, I see the SearchGuard GUI tab; however, when I want to change something and click on any icon, I am redirected to the logon page again.

(fyi I also have XPACK installed, but the demo license is expired and I only use the free monitor part. However, installing SG with XPACK installed was a nightmare.)

I seem not to have access to the SG index (??) but I don’t see any warnings in kibana.log or elasticsearch.log.

fyi I changed the kibana user to admin/admin just to give him full access, but this doesn’t help. Same problem with the kibanaserver user.

elasticsearch.yml

```yaml
searchguard.ssl.transport.pemcert_filepath: certs/esnode.pem
searchguard.ssl.transport.pemkey_filepath: certs/esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/esnode.pem
searchguard.ssl.http.pemkey_filepath: certs/esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.restapi.roles_enabled: ["sg_all_access", …]
```

kibana.yml

```yaml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "159.114.111.223"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
#server.basePath: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://159.114.111.223:9200"

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "admin"
elasticsearch.password: "admin"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: [ "/local/etc/elasticsearch/certs/root-ca.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: none

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send no client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you specify a file where Kibana stores log output.
logging.dest: /local/var/log/kibana/kibana.log

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# The default locale. This locale can be used in certain circumstances to substitute any missing
# translations.
#i18n.defaultLocale: "en"

#X-PACK
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.security.enabled: false
xpack.watcher.enabled: false
```

fyi

```
sudo -u kibana ./kibana-plugin list
network_vis@5.5.0-1
searchguard@6.2.2-14
x-pack@6.2.2
```


On Wednesday, 29 August 2018 at 00:38:25 UTC+2, Geert Nijs wrote:


OK, so I got rid of the “warning No right” messages when clicking on the “Discover” and “Timelion” tabs in Kibana, by adding more rights to the kibanaserver user:

```yaml
sg_kibana_server:
  indices:
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/search*
        - indices:admin/validate/query*
```

That helped.

That got me thinking, it seems that the Kibana GUI always uses the kibanaserver rights, even when I am logged on with another user (??).

My SG GUI doesn’t work, maybe because also the kibanaserver user doesn’t have API access by default (admin has).

So I added kibanaserver to sg_all_access:

```yaml
sg_all_access:
  readonly: true
  backendroles:
    - admin
    - kibanaserver
```

uploaded with sgadmin,

but that didn’t seem to help…


OK, I solved it!

This was it:

```yaml
searchguard.restapi.roles_enabled: ["sg_all_access", "sg_kibana_server", …]
```

The sg_kibana_server role for the kibanaserver user needs to be added for API access… (even if you log on with admin/admin, for example)


Well actually, no, that should not be the case. The behavior you are describing is also pretty strange.

First, the kibanaserver user should work out of the box with the predefined permissions we ship. It is only required for internal communication between KI and ES.

Then you write:

“That got me thinking, it seems that the Kibana GUI always uses the kibanaserver rights, even when i am logged on with another user”

This seems to be the main issue here. The GUI always uses the currently logged in user, not the kibana server user. Same is true for querying indices, for example:

```
indices:data/read/field_caps*
```

is only required for the logged in user, not the kibanaserver user. All in all a bit mysterious.

You wrote:

“With admin, is see the SearchGuard GUI tab, however, when i want to change something and click on any icon, i am redirected to the logon page again.”

Never seen this behavior before. If you do not have permission to use the GUI, an error should be displayed, not a redirect.

These entries here in kibana.yml:

```yaml
elasticsearch.username: "admin"
elasticsearch.password: "admin"
```

should be:

```yaml
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
```

So taking all that together, there must be something fundamentally wrong with either the installation or the configuration. Can you post the sg config files you use here as well?

Another thing, you write:

“fyi I have also XPACK installed, but the demo license is expired and i only use the free monitor part. However, installing SG with XPACK installed was a nightmare)”

What was it that made it a nightmare for you? Usually you just install both plugins, and then use the built-in role for monitoring:

https://docs.search-guard.com/latest/search-guard-xpack-monitoring

What did not work for you?


On Wednesday, August 29, 2018 at 5:21:08 AM UTC-4, Geert Nijs wrote:

ok, i solved it !

this was it:

searchguard.restapi.roles_enabled: ["sg_all_access", "sg_kibana_server", …]

sg_kibana_server role for kibanaserver user needs to be added for API access…(even if you logon with admin/admin for example)
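
A small configuration check for the settings this thread ends up discussing, added here as an example; it is not code from the posters or from the Search Guard project. The sample configurations are constructed from the active lines quoted above, the function names `flat_settings` and `audit` are hypothetical, and the parser assumes flat `dotted.key: value` lines as used in these two files.

```python
import re

# Constructed sample input modelled on the active (uncommented) lines of the
# kibana.yml and elasticsearch.yml quoted in the thread.
KIBANA_YML = """
elasticsearch.username: "admin"
elasticsearch.password: "admin"
elasticsearch.ssl.verificationMode: none
#server.ssl.enabled: false
"""
ES_YML = """
searchguard.allow_unsafe_democertificates: true
searchguard.restapi.roles_enabled: ["sg_all_access", "sg_kibana_server"]
"""

def flat_settings(text):
    """Parse flat 'dotted.key: value' lines; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(kibana_text, es_text):
    """Return (setting, reason) pairs for the points raised in the thread."""
    kb, es = flat_settings(kibana_text), flat_settings(es_text)
    findings = []
    user = kb.get("elasticsearch.username")
    if user != "kibanaserver":
        findings.append(("elasticsearch.username",
                         f"Kibana service account is {user!r}, not kibanaserver"))
    if kb.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append(("elasticsearch.ssl.verificationMode",
                         "certificate validation towards Elasticsearch is disabled"))
    if kb.get("server.ssl.enabled") != "true":
        findings.append(("server.ssl.enabled",
                         "browser logins to Kibana are not protected by TLS"))
    if es.get("searchguard.allow_unsafe_democertificates") == "true":
        findings.append(("searchguard.allow_unsafe_democertificates",
                         "demo certificates from the public ZIP are permitted"))
    if "sg_kibana_server" in es.get("searchguard.restapi.roles_enabled", ""):
        findings.append(("searchguard.restapi.roles_enabled",
                         "service role sg_kibana_server may call the management REST API"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(KIBANA_YML, ES_YML):
        print(f"{key}: {reason}")
```
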