Unauthorized - Authentication Exception - Kibana

Hello Guys,

I lost a lot of time configuring this tool. I have no idea anymore. Thank you for your help.

I cannot login to kibana, I get the message

error “Unauthorized”
message "Authentication Exception.

I use the non-commercial (community) version.
I would like to log into kibana but manage permissions, roles and users in sg files.

Please take a look at my settings.

roles.yml

SGS_KIBANA_USER:
  backend_roles:
    - hr_department
    - devops
    - andrew

sg_internal_users.yml

andrew:
  hash: "$2y$12$zvrFonvRECTSN6Fo0tZn1OlyPjd0D.nGFcmgJz1DKtL4ZEl1yPFlm"
  reserved: false
  backend_roles:
  - "sg_devops"
  description: "Devops user full access"

sg_roles.yml

sg_devops:
  cluster_permissions:
    - "SGS_CLUSTER_COMPOSITE_OPS"
  index_permissions:
    - index_patterns:
      - "infrastructure"
      allowed_actions:
        - SGS_ALL_ACCESS

sg_config.yml

---

# For more details pls refer to  https://docs.search-guard.com/latest/authentication-authorization

_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic:
      # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
      # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
      # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
      #filtered_alias_mode: warn
      #do_not_fail_on_forbidden: false
      #kibana:
        # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
        # In addition to the config options below you need to set do_not_fail_on_forbidden to true (see above).
        # Kibana needs to be configured for multi tenancy as well.
        # See https://docs.search-guard.com/latest/kibana-multi-tenancy for details
        #multitenancy_enabled: true
        #server_username: kibanaserver
        #index: '.kibana'
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: false
          internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
          #internalProxies: '.*' # trust all internal proxies, regex pattern
          #remoteIpHeader:  'x-forwarded-for'
          ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
          ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
          ###### and here https://tools.ietf.org/html/rfc7239
          ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
      authc:
        kerberos_auth_domain:
          http_enabled: false
          transport_enabled: false
          order: 6
          http_authenticator:
            type: kerberos # NOT FREE FOR COMMERCIAL USE
            challenge: true
            config:
              # If true a lot of kerberos/security related debugging output will be logged to standard out
              krb_debug: false
              # If true then the realm will be stripped from the user name
              strip_realm_from_principal: true
          authentication_backend:
            type: noop
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 4
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: internal
        proxy_auth_domain:
          description: "Authenticate via proxy"
          http_enabled: false
          transport_enabled: false
          order: 3
          http_authenticator:
            type: proxy
            challenge: false
            config:
              user_header: "x-proxy-user"
              roles_header: "x-proxy-roles"
          authentication_backend:
            type: noop
        jwt_auth_domain:
          description: "Authenticate via Json Web Token"
          http_enabled: false
          transport_enabled: false
          order: 0
          http_authenticator:
            type: jwt
            challenge: false
            config:
              signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
              jwt_header: "Authorization"
              jwt_url_parameter: null
              roles_key: null
              subject_key: null
          authentication_backend:
            type: noop
        clientcert_auth_domain:
          description: "Authenticate via SSL client certificates"
          http_enabled: false
          transport_enabled: false
          order: 2
          http_authenticator:
            type: clientcert
            config:
              username_attribute: cn #optional, if omitted DN becomes username
            challenge: false
          authentication_backend:
            type: noop
        ldap:
          description: "Authenticate via LDAP or Active Directory"
          http_enabled: false
          transport_enabled: false
          order: 5
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
            type: ldap # NOT FREE FOR COMMERCIAL USE
            config:
              # enable ldaps
              enable_ssl: false
              # enable start tls, enable_ssl should be false
              enable_start_tls: false
              # send client certificate
              enable_ssl_client_auth: false
              # verify ldap hostname
              verify_hostnames: true
              hosts:
                - localhost:8389
              bind_dn: null
              password: null
              userbase: 'ou=people,dc=example,dc=com'
              # Filter to search for users (currently in the whole subtree beneath userbase)
              # {0} is substituted with the username
              usersearch: '(sAMAccountName={0})'
              # Use this attribute from the user as username (if not set then DN is used)
              username_attribute: null
      authz:
        roles_from_myldap:
          description: "Authorize via LDAP or Active Directory"
          http_enabled: false
          transport_enabled: false
          authorization_backend:
            # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
            type: ldap # NOT FREE FOR COMMERCIAL USE
            config:
              # enable ldaps
              enable_ssl: false
              # enable start tls, enable_ssl should be false
              enable_start_tls: false
              # send client certificate
              enable_ssl_client_auth: false
              # verify ldap hostname
              verify_hostnames: true
              hosts:
                - localhost:8389
              bind_dn: null
              password: null
              rolebase: 'ou=groups,dc=example,dc=com'
              # Filter to search for roles (currently in the whole subtree beneath rolebase)
              # {0} is substituted with the DN of the user
              # {1} is substituted with the username
              # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
              rolesearch: '(member={0})'
              # Specify the name of the attribute which value should be substituted with {2} above
              userroleattribute: null
              # Roles as an attribute of the user entry
              userrolename: disabled
              #userrolename: memberOf
              # The attribute in a role entry containing the name of that role, Default is "name".
              # Can also be "dn" to use the full DN as rolename.
              rolename: cn
              # Resolve nested roles transitive (roles which are members of other roles and so on ...)
              resolve_nested_roles: true
              userbase: 'ou=people,dc=example,dc=com'
              # Filter to search for users (currently in the whole subtree beneath userbase)
              # {0} is substituted with the username
              usersearch: '(uid={0})'
              # Skip users matching a user name, a wildcard or a regex pattern
              #skip_users:
              #  - 'cn=Michael Jackson,ou*people,o=TEST'
              #  - '/\S*/'
        roles_from_another_ldap:
          description: "Authorize via another Active Directory"
          http_enabled: false
          transport_enabled: false
          authorization_backend:
            type: ldap # NOT FREE FOR COMMERCIAL USE
            #config goes here ...
  #    auth_failure_listeners:
  #      ip_rate_limiting:
  #        type: ip
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000
  #      internal_authentication_backend_limiting:
  #        type: username
  #        authentication_backend: intern
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000


kibana.yml:

#elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: "/etc/kibana/out/root-ca.pem"

# Activate basic auth
searchguard.auth.type: "basicauth"
# Configure session management
searchguard.cookie.password: "jytdeo5od957amfi48fp78oe6l8046d690gr4436yil98up9843"
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]

elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

@andrey

Couple of questions.

Are you able to login using the default admin:admin user?

Is the kibanaserver user still present or was it removed during testing? can you run below command and paste the result here:

curl --insecure -u kibanauser:kibanauser -XGET "https://localhost:9200/_searchguard/authinfo?pretty"

Can you run the same command with user “andrew”?

During testing, would be good idea to disable certificate on kibana:

elasticsearch.ssl.verificationMode: none

1 Like

@sirHusky

I have user admin and kibanaserver.

I tried to log in with them now via admin or kibanaserver after disabling SSL verification. I still get a 401 error

statusCode 401
error “Unauthorized”
message “Authentication Exception”

curl --insecure -kibanaserver:kibanaserver -XGET "https://master-1.elastic.petty.pl:9200/_searchguard/authinfo?pretty"


HTTP/1.1 401 Unauthorized
content-type: text/plain; charset=UTF-8
content-length: 29

Authentication finally failed[r

curl --insecure -admin:admin -XGET "https://master-1.elastic.petty.pl:9200/_searchguard/authinfo?pretty"


{
 "error" : "Content-Type header [application/x-www-form-urlencoded] is not supported",
 "status" : 406
}

sorry, should read -u kibanaserver:kibanaserver, so full command:

curl --insecure -u kibanauser:kibanauser -XGET “https://localhost:9200/_searchguard/authinfo?pretty

1 Like

Same problem.

Error:

obraz

Output

$ curl --insecure -u admin:admin -XGET "https://master-1.elastic.petty.pl:9200/_searchguard/authinfo?pretty"
{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "51.75.34:XX:55246",
  "backend_roles" : [
    "admin"
  ],
  "custom_attribute_names" : [ ],
  "sg_roles" : [
    "SGS_ALL_ACCESS",
    "SGS_OWN_INDEX"
  ],
  "sg_tenants" : {
    "admin_tenant" : true,
    "admin" : true,
    "SGS_GLOBAL_TENANT" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@andrey
Can you paste the same (authinfo) output for users kibanaserver and andrew? Also, what is roles.yml file? There should be no such file in config directory, do you mean sg_roles_mapping.yml? Please check the file name and reupload the config using sgadmin.sh script.

Also can you provide elasticsearch.yml config.

Also, can you paste the full logs from kibana and logs from elasticsearch after the login attempt.

1 Like

Thank you for your help. Thanks to your comment I verified everything and corrected it. Now I know which files to edit.

But my problem was with another askept.

I had custom authorization in apache web server (BASIC AUTH). It was a blocker. Because after entering the link I logged in via Basic Auth and then tried to log in to Kibana and got an error with invalid authorization.

In the Elasticsearch logs, I found the logs that showed me the user who was incorrectly trying to log in to Kibana. It was a user from BASIC AUTH… I had a BASIC AUTH user with the same name as the Kibana user (andrew). That is why I could not trace the error.

I removed my custom secure BASIC AUTH from WWW server and logging in via kibana user andrew worked. Your help was also helpful as I corrected my yml configuration and it is clear to me.

Everything is working. Thank you.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.