Unable to remove Search Guard (Kibana)

#1

Hi All,

I tried to remove Search Guard as a try out in my PoC state.
I followed all the steps given in the documentation.

At first I tried to disable it and run Kibana. So I added:

searchguard.disabled: true

in elasticsearch.yml

Commented out Search Guard plugin details in Kibana:

#elasticsearch.url: "https://localhost:9200"
#elasticsearch.username: "kibanaserver"
#elasticsearch.password: "kibanaserver"
#elasticsearch.ssl.verificationMode: none
#elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]

and added

elasticsearch.url: "http://localhost:9200"

in kibana.yml since it's not secured now.

But when I open Kibana at “localhost:5601”, it does open but it's completely empty, even if I try to open any tab (Discover, Management, Dashboard). Funnily enough, it does have a logout tab.

Upon logging out it shows the following screen.

Upon some googling, someone recommended using this in kibana.yml:
searchguard.basicauth.enabled: false

But the logs say it's deprecated after SG v13.

The same is the case if I remove search-guard-6 from the plugins in Elasticsearch and comment out the searchguard tags in the elasticsearch.yml file.

Can anyone explain why I am still seeing the login screen in Kibana and how to remove it, even after disabling SG in elasticsearch.yml and kibana.yml?

Elasticsearch Logs

[2019-04-09T10:53:40,409][INFO ][o.e.n.Node               ] [] initializing ...
[2019-04-09T10:53:40,591][INFO ][o.e.e.NodeEnvironment    ] [OCMpWyk] using [1] data paths, mounts [[SOE (C:)]], net usable_space [315.1gb], net total_space [465.7gb], types [NTFS]
[2019-04-09T10:53:40,592][INFO ][o.e.e.NodeEnvironment    ] [OCMpWyk] heap size [990.7mb], compressed ordinary object pointers [true]
[2019-04-09T10:53:41,806][INFO ][o.e.n.Node               ] node name [OCMpWyk] derived from node ID [OCMpWykzRB25TuUGostclg]; set [node.name] to override
[2019-04-09T10:53:41,807][INFO ][o.e.n.Node               ] version[6.2.4], pid[10304], build[ccec39f/2018-04-12T20:37:28.497551Z], OS[Windows 7/6.1/amd64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_74/25.74-b02]
[2019-04-09T10:53:41,808][INFO ][o.e.n.Node               ] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=C:\Users\path\AppData\Local\Temp\elasticsearch, -XX:+HeapDumpOnOutOfMemoryError, -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, -Xloggc:logs/gc.log, -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=32, -XX:GCLogFileSize=64m, -Delasticsearch, -Des.path.home=C:\Users\path\Desktop\ELK Sandbox\elasticsearch-6.2.4, -Des.path.conf=C:\Users\path\Desktop\ELK Sandbox\elasticsearch-6.2.4\config]
[2019-04-09T10:53:45,562][WARN ][c.f.s.SearchGuardPlugin  ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.
[2019-04-09T10:53:45,566][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [aggs-matrix-stats]
[2019-04-09T10:53:45,567][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [analysis-common]
[2019-04-09T10:53:45,567][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [ingest-common]
[2019-04-09T10:53:45,567][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [lang-expression]
[2019-04-09T10:53:45,568][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [lang-mustache]
[2019-04-09T10:53:45,568][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [lang-painless]
[2019-04-09T10:53:45,569][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [mapper-extras]
[2019-04-09T10:53:45,569][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [parent-join]
[2019-04-09T10:53:45,570][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [percolator]
[2019-04-09T10:53:45,570][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [rank-eval]
[2019-04-09T10:53:45,571][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [reindex]
[2019-04-09T10:53:45,571][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [repository-url]
[2019-04-09T10:53:45,572][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [transport-netty4]
[2019-04-09T10:53:45,572][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded module [tribe]
[2019-04-09T10:53:45,573][INFO ][o.e.p.PluginsService     ] [OCMpWyk] loaded plugin [search-guard-6]
[2019-04-09T10:53:51,700][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin
[2019-04-09T10:53:51,956][INFO ][o.e.d.DiscoveryModule    ] [OCMpWyk] using discovery type [zen]
[2019-04-09T10:53:55,063][INFO ][c.f.s.SearchGuardPlugin  ] 0 Search Guard modules loaded so far: []
[2019-04-09T10:53:55,065][INFO ][o.e.n.Node               ] initialized
[2019-04-09T10:53:55,067][INFO ][o.e.n.Node               ] [OCMpWyk] starting ...
[2019-04-09T10:54:01,404][INFO ][o.e.t.TransportService   ] [OCMpWyk] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}, {[::1]:9300}
[2019-04-09T10:54:04,520][INFO ][o.e.c.s.MasterService    ] [OCMpWyk] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {OCMpWyk}{OCMpWykzRB25TuUGostclg}{CI2JCdCRS9OKhPmKmwPR9A}{127.0.0.1}{127.0.0.1:9300}
[2019-04-09T10:54:04,525][INFO ][o.e.c.s.ClusterApplierService] [OCMpWyk] new_master {OCMpWyk}{OCMpWykzRB25TuUGostclg}{CI2JCdCRS9OKhPmKmwPR9A}{127.0.0.1}{127.0.0.1:9300}, reason: apply cluster state (from master [master {OCMpWyk}{OCMpWykzRB25TuUGostclg}{CI2JCdCRS9OKhPmKmwPR9A}{127.0.0.1}{127.0.0.1:9300} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])
[2019-04-09T10:54:05,580][INFO ][o.e.g.GatewayService     ] [OCMpWyk] recovered [4] indices into cluster_state
[2019-04-09T10:54:08,979][INFO ][o.e.h.n.Netty4HttpServerTransport] [OCMpWyk] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}, {[::1]:9200}
[2019-04-09T10:54:08,980][INFO ][o.e.n.Node               ] [OCMpWyk] started
[2019-04-09T10:54:10,907][INFO ][o.e.c.r.a.AllocationService] [OCMpWyk] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[searchguard][0]] ...]).

Kibana logs:

C:\Users\path\kibana-6.2.4-windows-x86_64>bin\kibana.bat
  log   [05:46:51.294] [info][status][plugin:kibana@6.2.4] Status changed from uninitialized to green - Ready
  log   [05:46:51.381] [info][status][plugin:elasticsearch@6.2.4] Status changed from uninitialized to yellow - Waiting for Elasticsearch
  log   [05:46:51.391] [info][status][plugin:console@6.2.4] Status changed from uninitialized to green - Ready
  log   [05:46:51.401] [info][status][plugin:metrics@6.2.4] Status changed from uninitialized to green - Ready
  log   [05:46:52.506] [info][status][plugin:timelion@6.2.4] Status changed from uninitialized to green - Ready
  log   [05:46:55.536] [info][status][plugin:searchguard@6.2.4-14] Status changed from uninitialized to yellow- Initialising Search Guard authentication plugin.
  log   [05:46:55.538] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow -Default cookie password detected, please set a password in kibana.yml by setting 'searchguard.cookie.password' (min. 32 characters).
  log   [05:46:55.542] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - 'searchguard.cookie.secure' is set to false, cookies are transmitted over unsecure HTTP connection. Consider using HTTPS and set this key to 'true'
  log   [05:46:57.094] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - Search Guard session management enabled.
  log   [05:46:57.096] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - Search Guard copy JWT params disabled
  log   [05:46:57.098] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - Search Guard multitenancy disabled
  log   [05:46:57.411] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - Routes for Search Guard configuration GUI registered.    This is an Enterprise feature.
  log   [05:46:57.519] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - Search Guard system routes registered.
  log   [05:46:57.523] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to green - Search Guard plugin initialised.
  log   [05:46:57.583] [info][listening] Server running at http://localhost:5601
  log   [05:46:57.625] [info][status][plugin:elasticsearch@6.2.4] Status changed from yellow to green - Ready
0 Likes

assigned jkressin #2
0 Likes

#3

Hi,

the Search Guard plugins for Elasticsearch and Kibana are two different/separate plugins. The Elasticsearch plugin adds access control to your data, while the Kibana plugin adds session management. So if you disable the Elasticsearch plugin, it does not mean that the Kibana plugin is disabled as well. They go “hand-in-hand”.

As to your question on how to disable the Kibana plugin: At the moment there is no real good way to disable the plugin altogether (and I already opened an issue for that in our backlog).

However, there is a workaround for it. You can set

searchguard.auth.type: "proxy"

This means the plugin will just pass all requests to Elasticsearch without applying any session management at all.

0 Likes
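
A defender-side check of the point made in the reply above, run over lines copied from the logs in the first post. This is an added example, not part of the thread and not Search Guard code; the function names and finding codes are invented here. It flags the Elasticsearch plugin being disabled (and whether HTTP is bound beyond loopback), the Kibana plugin still running alongside it, and the two cookie warnings Kibana prints.

```python
import ipaddress
import re

# Lines copied from the Elasticsearch and Kibana startup logs in the first post.
ES_LOG = """\
[2019-04-09T10:53:45,562][WARN ][c.f.s.SearchGuardPlugin  ] Search Guard plugin installed but disabled. This can expose your configuration (including passwords) to the public.
[2019-04-09T10:54:08,979][INFO ][o.e.h.n.Netty4HttpServerTransport] [OCMpWyk] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}, {[::1]:9200}
"""
KIBANA_LOG = """\
  log   [05:46:55.538] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow -Default cookie password detected, please set a password in kibana.yml by setting 'searchguard.cookie.password' (min. 32 characters).
  log   [05:46:55.542] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to yellow - 'searchguard.cookie.secure' is set to false, cookies are transmitted over unsecure HTTP connection. Consider using HTTPS and set this key to 'true'
  log   [05:46:57.523] [info][status][plugin:searchguard@6.2.4-14] Status changed from yellow to green - Search Guard plugin initialised.
"""

# [timestamp][LEVEL][logger] message  /  Kibana status line of the searchguard plugin
ES_RE = re.compile(r"^\[[^\]]+\]\[\w+\s*\]\[([^\]]+?)\s*\]\s*(.*)$")
KIBANA_RE = re.compile(r"\[plugin:searchguard@[^\]]+\] Status changed from \w+ to (\w+)\s*-\s*(.*)$")

def is_loopback(addr):
    # addr is a 'host:port' entry from bound_addresses, e.g. '[::1]:9200'
    host = addr.rsplit(":", 1)[0].strip("[]")
    return ipaddress.ip_address(host).is_loopback

def audit(es_log, kibana_log):
    """Return finding codes (names invented for this example) for the two logs."""
    findings, es_disabled, exposed = [], False, False
    for line in es_log.splitlines():
        m = ES_RE.match(line.strip())
        logger, msg = m.groups() if m else ("", "")
        if logger.endswith("SearchGuardPlugin") and "installed but disabled" in msg:
            es_disabled = True
        if logger.endswith("HttpServerTransport") and "bound_addresses" in msg:
            bound = re.findall(r"\{([^}]+)\}", msg.split("bound_addresses", 1)[1])
            exposed = any(not is_loopback(a) for a in bound)
    if es_disabled:
        findings.append("ES_SG_DISABLED_EXPOSED" if exposed else "ES_SG_DISABLED_LOOPBACK_ONLY")
    for line in kibana_log.splitlines():
        m = KIBANA_RE.search(line)
        state, msg = m.groups() if m else ("", "")
        if "Default cookie password" in msg:
            findings.append("KIBANA_DEFAULT_COOKIE_PASSWORD")
        if "'searchguard.cookie.secure' is set to false" in msg:
            findings.append("KIBANA_COOKIE_NOT_SECURE")
        if state == "green" and "plugin initialised" in msg and es_disabled:
            findings.append("KIBANA_SG_ACTIVE_WHILE_ES_SG_DISABLED")
    return findings

print(audit(ES_LOG, KIBANA_LOG))
```

On the thread's logs the last finding is the one that matches the symptom: the Kibana plugin is initialised and managing sessions while the Elasticsearch plugin is disabled.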

#4

Hi,

I tried the above-mentioned statement but it displays an empty Kibana UI skeleton with no data under the tabs.

At first I added the line below in elasticsearch.yml. The rest of the ES config is the same as the default:

searchguard.disabled: true

and in kibana.yml I added the lines below; the rest is exactly the same as the default when downloaded.

server.port: 5601
elasticsearch.url: "http://localhost:9200"
searchguard.auth.type: "proxy"

Not sure what I missed, though.

0 Likes