Is anyone able to get marvel to work without an http basic prompt? I see the username being passed and elevated to sg_admin, but then it tries to continue and use basic_internal_auth_domain. I’ve attached my configs and log.
[2016-06-27 16:39:25,164][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value daniel.kasen@redfin.com
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? true (cache size: 5)
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=daniel.kasen@redfin.com, roles=]’ is authenticated
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget from 127.0.0.1:44671
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetRequest$Item
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed
=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget against /: [*]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget[shard] from 127.0.0.1:44671
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetShardRequest
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget[shard] against /: [*]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles
[2016-06-27 16:39:25,226][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /127.0.0.1:44673
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolved /127.0.0.1:44673 to /127.0.0.1:44673
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http proxy
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] headers [authorization=Basic REVOKED, Host=localhost:9200, Content-Length=154, Connection=keep-alive]
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value null
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? false (cache size: 5)
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] daniel.kasen@redfin.com (1342371120) not cached, return from internal backend directly
[2016-06-27 16:39:25,228][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]
com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]
sg_roles_mapping.yml
sg_admin:
users:
-
admin
sg_logstash:
users:
- logstash
sg_kibana4_server:
users:
- kibana
sg_public:
users:
- '/((?!daniel.kasen).)*.redfin.com/ ’
sg_config.yml
searchguard:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: true
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
remoteIpHeader: ‘x-forwarded-for’
proxiesHeader: ‘x-forwarded-by’
authc:
proxy_auth_domain:
enabled: true
order: 1
http_authenticator:
type: proxy
challenge: false
config:
user_header: “x-proxy-user”
roles_header: “x-proxy-roles”
authentication_backend:
type: noop
basic_internal_auth_domain:
enabled: true
order: 2
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
sg_roles.yml
sg_admin:
cluster:
- ‘*’
indices:
‘*’:
‘*’:
- ‘*’