I am using the demo Search Guard scripts to initialize Search Guard.
Below are the relevant configuration snippets.
I always get failed to obtain openid endpoint from your IdP. I checked using curl: the endpoint is accessible and I get all the Keycloak metadata.
I am running Kibana and Elasticsearch as RPMs on CentOS 7.
- Your Search Guard configuration files

```yaml
http:
  anonymous_auth_enabled: true
  xff:
    enabled: false
    internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  openid_auth_domain:
    http_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        openid_connect_url: https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration
        subject_key: preferred_username
        roles_key: roles
        enable_ssl: false
        verify_hosts: false
    authentication_backend:
      type: noop
```

- Your elasticsearch.yml configuration file
```yaml
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
node.max_local_storage_nodes: 3
xpack.security.enabled: false
######## End Search Guard Demo Configuration ########
```

If you are using Kibana, please also add:
- Your kibana.yml configuration file

```yaml
xpack.security.enabled: false
searchguard.cookie.password : "--------------------------------------"
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration"
searchguard.openid.client_id: "kibana"
searchguard.openid.client_secret: "xxxxxxx"
searchguard.cookie.secure: true
```
Kibana Logs

```
Jun 27 17:19:41 host-fqdn kibana[28806]: {"type":"log","@timestamp":"2019-06-27T17:19:41Z","tags":["error","searchguard"],"pid":28806,"message":"An error occurred while enabling session management: Error: Failed when trying to obtain the endpoints from your IdP"}
Jun 27 17:19:41 host-fqdn kibana[28806]: {"type":"log","@timestamp":"2019-06-27T17:19:41Z","tags":["status","plugin:searchguard@7.1.1-35.2.0","error"],"pid":28806,"state":"red","message":"Status changed from yellow to red - An error occurred during initialisation, please check the logs.","prevState":"yellow","prevMsg":"Initialising Search Guard authentication plugin."}
```
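A successful curl only shows that the discovery URL answers from wherever curl ran; the metadata it returns can still name endpoints that a client on the Kibana host cannot use. The Node.js check below is an added example, not part of the original post and not Search Guard or Kibana code: it lints a discovery document against the `connect_url` from the post. The function name, the finding strings and both sample documents are constructed for illustration.

```javascript
// Added example (not Search Guard or Kibana code): lint an OIDC discovery document.
const SUFFIX = '/.well-known/openid-configuration';
const REQUIRED = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];

function checkDiscovery(connectUrl, doc) {
  const findings = [];
  const base = new URL(connectUrl);
  for (const key of REQUIRED) {
    if (typeof doc[key] !== 'string' || doc[key] === '') findings.push(`missing: ${key}`);
  }
  // OIDC Discovery 1.0: issuer must be identical to the URL used for retrieval,
  // minus the well-known suffix.
  if (!connectUrl.endsWith(SUFFIX)) {
    findings.push(`connect URL does not end in ${SUFFIX}`);
  } else if (typeof doc.issuer === 'string' && doc.issuer !== connectUrl.slice(0, -SUFFIX.length)) {
    findings.push(`issuer mismatch: ${doc.issuer}`);
  }
  // Each advertised endpoint is fetched separately by the client, so flag plain
  // HTTP and any origin other than the one the connect URL points at.
  for (const [key, value] of Object.entries(doc)) {
    if (!/_(endpoint|uri)$/.test(key) || typeof value !== 'string') continue;
    let u;
    try { u = new URL(value); } catch { findings.push(`not a URL: ${key}`); continue; }
    if (u.protocol !== 'https:') findings.push(`not https: ${key}`);
    if (u.origin !== base.origin) findings.push(`different origin: ${key} -> ${u.origin}`);
  }
  return findings;
}

// Constructed samples: CONNECT_URL is the value from the post, the documents are invented.
const CONNECT_URL = 'https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration';
const REALM = 'https://keycloak-host:31809/auth/realms/ABC';
const GOOD_DOC = {
  issuer: REALM,
  authorization_endpoint: `${REALM}/protocol/openid-connect/auth`,
  token_endpoint: `${REALM}/protocol/openid-connect/token`,
  jwks_uri: `${REALM}/protocol/openid-connect/certs`,
};
const BAD_DOC = {
  issuer: 'http://keycloak.internal:8080/auth/realms/ABC',
  authorization_endpoint: 'http://keycloak.internal:8080/auth/realms/ABC/protocol/openid-connect/auth',
  token_endpoint: `${REALM}/protocol/openid-connect/token`,
};

console.log(checkDiscovery(CONNECT_URL, GOOD_DOC));
console.log(checkDiscovery(CONNECT_URL, BAD_DOC));
```

To use it on real data, pass the parsed JSON that the discovery URL returns in place of the sample documents.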