SG2 With Marvel and proxy_auth_domain

Am 28.06.2016 um 02:02 schrieb djtecha <djtecha@gmail.com>:

[2016-06-27 16:39:25,226][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /127.0.0.1:44673
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolved /127.0.0.1:44673 to /127.0.0.1:44673
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http proxy
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] headers [authorization=Basic REVOKED, Host=localhost:9200, Content-Length=154, Connection=keep-alive]
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value null
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User 'daniel.kasen@redfin.com' is in cache? false (cache size: 5)
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] daniel.kasen@redfin.com (1342371120) not cached, return from internal backend directly
[2016-06-27 16:39:25,228][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]
com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

sg_roles_mapping.yml
sg_admin:
  users:
    - admin
    - daniel.kasen@redfin.com

sg_logstash:
  users:
    - logstash

sg_kibana4_server:
  users:
    - kibana

sg_public:
  users:
    - '/((?!daniel.kasen).)*.redfin.com/ '

sg_config.yml

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

sg_roles.yml

sg_admin:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/015ee558-7428-4ab1-b9a8-a4b28b4f0bba%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

On Monday, June 27, 2016 at 5:02:51 PM UTC-7, djtecha wrote:

Is anyone able to get marvel to work without an http basic prompt? I see the username being passed and elevated to sg_admin, but then it tries to continue and use basic_internal_auth_domain. I’ve attached my configs and log.

[2016-06-27 16:39:25,164][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value daniel.kasen@redfin.com

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? true (cache size: 5)

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=daniel.kasen@redfin.com, roles=]’ is authenticated

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget from 127.0.0.1:44671

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetRequest$Item

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed

=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget against /: [*]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget[shard] from 127.0.0.1:44671

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetShardRequest

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget[shard] against /: [*]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-27 16:39:25,226][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /127.0.0.1:44673

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolved /127.0.0.1:44673 to /127.0.0.1:44673

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http proxy

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] headers [authorization=Basic REVOKED, Host=localhost:9200, Content-Length=154, Connection=keep-alive]

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value null

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? false (cache size: 5)

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] daniel.kasen@redfin.com (1342371120) not cached, return from internal backend directly

[2016-06-27 16:39:25,228][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

sg_roles_mapping.yml

sg_admin:

users:

• admin

• daniel.kasen@redfin.com

sg_logstash:

users:

• logstash

sg_kibana4_server:

users:

• kibana

sg_public:

users:

• '/((?!daniel.kasen).)*.redfin.com/ ’

sg_config.yml

searchguard:

dynamic:

http:

anonymous_auth_enabled: false

xff:

enabled: true

internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern

remoteIpHeader: ‘x-forwarded-for’

proxiesHeader: ‘x-forwarded-by’

authc:

proxy_auth_domain:

enabled: true

order: 1

http_authenticator:

type: proxy

challenge: false

config:

user_header: “x-proxy-user”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

basic_internal_auth_domain:

enabled: true

order: 2

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: intern

sg_roles.yml

sg_admin:

cluster:

• ‘*’

indices:

‘*’:

‘*’:

• ‘*’

On Thursday, June 30, 2016 at 4:46:23 PM UTC-7, djtecha wrote:

Right, which is why i’m confused. It appears to do the http basic prompt for me with any plugin (marvel, timelion). Wondering if anyone is able to make these work? I am able to get kibana to work perfectly at this point, just plugins not working. I have nginx to use a simple ‘/’ location block so it’s not as though i’m hitting anything else.

On Monday, June 27, 2016 at 5:02:51 PM UTC-7, djtecha wrote:

Is anyone able to get marvel to work without an http basic prompt? I see the username being passed and elevated to sg_admin, but then it tries to continue and use basic_internal_auth_domain. I’ve attached my configs and log.

[2016-06-27 16:39:25,164][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value daniel.kasen@redfin.com

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? true (cache size: 5)

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=daniel.kasen@redfin.com, roles=]’ is authenticated

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget from 127.0.0.1:44671

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetRequest$Item

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed

=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget against /: [*]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget[shard] from 127.0.0.1:44671

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetShardRequest

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget[shard] against /: [*]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-27 16:39:25,226][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /127.0.0.1:44673

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolved /127.0.0.1:44673 to /127.0.0.1:44673

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http proxy

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] headers [authorization=Basic REVOKED, Host=localhost:9200, Content-Length=154, Connection=keep-alive]

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value null

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? false (cache size: 5)

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] daniel.kasen@redfin.com (1342371120) not cached, return from internal backend directly

[2016-06-27 16:39:25,228][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

sg_roles_mapping.yml

sg_admin:

users:

• admin

• daniel.kasen@redfin.com

sg_logstash:

users:

• logstash

sg_kibana4_server:

users:

• kibana

sg_public:

users:

• '/((?!daniel.kasen).)*.redfin.com/ ’

sg_config.yml

searchguard:

dynamic:

http:

anonymous_auth_enabled: false

xff:

enabled: true

internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern

remoteIpHeader: ‘x-forwarded-for’

proxiesHeader: ‘x-forwarded-by’

authc:

proxy_auth_domain:

enabled: true

order: 1

http_authenticator:

type: proxy

challenge: false

config:

user_header: “x-proxy-user”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

basic_internal_auth_domain:

enabled: true

order: 2

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: intern

sg_roles.yml

sg_admin:

cluster:

• ‘*’

indices:

‘*’:

‘*’:

• ‘*’

On Tue, Jul 26, 2016 at 3:23 PM, djtecha djtecha@gmail.com wrote:

Has anyone been able to get plugins to work in kibana? I’m still stuck and if I look at the header to port 5601 I can see it gets the full request with my name and authorization it just doesn’t want to use it for kibana plugins. Does Kibana hava another routing system to it’s plugins that I’m unaware of, and consequently not passing a header correctly to SG2?

On Thursday, June 30, 2016 at 4:46:23 PM UTC-7, djtecha wrote:

Right, which is why i’m confused. It appears to do the http basic prompt for me with any plugin (marvel, timelion). Wondering if anyone is able to make these work? I am able to get kibana to work perfectly at this point, just plugins not working. I have nginx to use a simple ‘/’ location block so it’s not as though i’m hitting anything else.

On Monday, June 27, 2016 at 5:02:51 PM UTC-7, djtecha wrote:

Is anyone able to get marvel to work without an http basic prompt? I see the username being passed and elevated to sg_admin, but then it tries to continue and use basic_internal_auth_domain. I’ve attached my configs and log.

[2016-06-27 16:39:25,164][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value daniel.kasen@redfin.com

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? true (cache size: 5)

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘User [name=daniel.kasen@redfin.com, roles=]’ is authenticated

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget from 127.0.0.1:44671

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetRequest$Item

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed

=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget against /: [*]

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel.kasen@redfin.com, roles=]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget[shard] from 127.0.0.1:44671

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetShardRequest

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]

[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Try wildcard match for *

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Wildcard match for *: [.kibana]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] matches for , will check now types []

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] resolvedActions for /: [*]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] match requested action indices:data/read/mget[shard] against /: [*]

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices:

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types:

[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for ‘sg_admin.*’, evaluate other roles

[2016-06-27 16:39:25,226][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /127.0.0.1:44673

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolved /127.0.0.1:44673 to /127.0.0.1:44673

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http proxy

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] headers [authorization=Basic REVOKED, Host=localhost:9200, Content-Length=154, Connection=keep-alive]

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value null

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User ‘daniel.kasen@redfin.com’ is in cache? false (cache size: 5)

[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] daniel.kasen@redfin.com (1342371120) not cached, return from internal backend directly

[2016-06-27 16:39:25,228][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel.kasen@redfin.com not found]

sg_roles_mapping.yml

sg_admin:

users:

• admin

• daniel.kasen@redfin.com

sg_logstash:

users:

• logstash

sg_kibana4_server:

users:

• kibana

sg_public:

users:

• '/((?!daniel.kasen).)*.redfin.com/ ’

sg_config.yml

searchguard:

dynamic:

http:

anonymous_auth_enabled: false

xff:

enabled: true

internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern

remoteIpHeader: ‘x-forwarded-for’

proxiesHeader: ‘x-forwarded-by’

authc:

proxy_auth_domain:

enabled: true

order: 1

http_authenticator:

type: proxy

challenge: false

config:

user_header: “x-proxy-user”

roles_header: “x-proxy-roles”

authentication_backend:

type: noop

basic_internal_auth_domain:

enabled: true

order: 2

http_authenticator:

type: basic

challenge: false

authentication_backend:

type: intern

sg_roles.yml

sg_admin:

cluster:

• ‘*’

indices:

‘*’:

‘*’:

• ‘*’

–

You received this message because you are subscribed to the Google Groups “Search Guard” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/44b1e38a-23a8-4362-ae83-497b688a3bfc%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.