Elasticsearch version:
7.10.2
Server OS version:
ubuntu-18.04
Kibana version (if relevant):
7.10.2
Browser version (if relevant):
Chrome 89.0.4389.82
SearchGuard Plugins version
49.0.0
Describe the issue:
In Kibana 7.10.2 we see a ‘u’ userpic, and ‘user’ is shown when clicking on it.
Before, we used 6.8.4, and the real user name passed with the x-proxy-user
header was shown in the bottom-left corner of Kibana.
Everything else works fine.
Here is ‘_searchguard/authinfo’ of 6.8.4 (username passed with header is ‘admin’):
{
"user" : "User [name=admin, roles=[offline_access, admin, uma_authorization, user], requestedTenant=null]",
"user_name" : "admin",
"user_requested_tenant" : null,
"remote_address" : "127.0.0.1:52974",
"backend_roles" : [
"offline_access",
"admin",
"uma_authorization",
"user"
],
"custom_attribute_names" : [ ],
"sg_roles" : [
"sg_all_access",
"sg_kibana_user",
"sg_own_index"
],
"sg_tenants" : {
"admin_tenant" : true,
"admin" : true
},
"principal" : null,
"peer_certificates" : "0",
"sso_logout_url" : null
}
And for 7.10.2:
{
"user" : "User [name=admin, backend_roles=[offline_access, admin, uma_authorization, user], requestedTenant=null]",
"user_name" : "admin",
"user_requested_tenant" : null,
"remote_address" : "127.0.0.1:33528",
"backend_roles" : [
"offline_access",
"admin",
"uma_authorization",
"user"
],
"custom_attribute_names" : [ ],
"attribute_names" : [ ],
"sg_roles" : [
"SGS_ALL_ACCESS",
"SGS_KIBANA_USER",
],
"sg_tenants" : {
"admin" : true,
"SGS_GLOBAL_TENANT" : true
},
"principal" : null,
"peer_certificates" : "0",
"sso_logout_url" : null
}
Expected behavior:
The user is able to see the username passed to Kibana in a header, as in 6.8.4.
Provide configuration:
Here is the 7.10.2 config:
elasticsearch/config/elasticsearch.yml
# Elasticsearch node settings plus the Search Guard TLS options, as posted for 7.10.2.
# Binds to every interface. sg_config.yml below accepts identity from request headers,
# so the HTTP port should only be reachable from the trusted reverse proxy.
# NOTE(review): confirm how the port is exposed in this deployment.
network.host: 0.0.0.0
cluster.name: elasticsearch
# NOTE(review): "-elasticsearch-master-0" looks like a list item whose line break was lost in the paste; confirm.
cluster.initial_master_nodes: -elasticsearch-master-0
# NOTE(review): the line after this setting repeats the host without a key; probably a paste artifact, confirm.
discovery.seed_hosts: elasticsearch-discovery.project
elasticsearch-discovery.project
node.name: ${HOSTNAME}
node.processors: 2
searchguard.enterprise_modules_enabled: false
# OPTIONAL: a TLS client certificate is requested on the REST layer but not required,
# so requests without a certificate fall through to the other auth domains.
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.transport.pemcert_filepath: certificates/node.pem
searchguard.ssl.transport.pemkey_filepath: certificates/node.key
searchguard.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
# Hostname verification of node certificates on the transport layer is turned off here;
# which certificates count as nodes then rests on the CA and on searchguard.nodes_dn.
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certificates/node_http.pem
searchguard.ssl.http.pemkey_filepath: certificates/node_http.key
searchguard.ssl.http.pemtrustedcas_filepath: certificates/root-ca.pem
# Certificate DNs that are accepted as cluster nodes.
searchguard.nodes_dn:
- CN=node,O=project
# A client certificate with this DN has Search Guard admin rights (sgadmin);
# its private key needs the same protection as a root credential.
searchguard.authcz.admin_dn:
- CN=sgadmin,O=project
action.auto_create_index: true
# Presumably environment substitutions with the default after the colon; confirm.
# X-Pack security defaults to off here; Search Guard is the security layer in this setup.
xpack.ml.enabled: ${XPACK_ML_ENABLED:false}
xpack.monitoring.enabled: ${XPACK_MONITORING_ENABLED:true}
xpack.security.enabled: ${XPACK_SECURITY_ENABLED:false}
xpack.watcher.enabled: ${XPACK_WATCHER_ENABLED:false}
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
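# Search Guard authentication/authorization configuration (config_version 2).
# NOTE(review): the pasted listing had lost all indentation. The nesting below is
# reconstructed from the standard sg_config.yml layout; confirm against the file on
# disk. Keys and values are unchanged.
_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    filtered_alias_mode: "warn"
    disable_rest_auth: false
    disable_intertransport_auth: false
    respect_request_indices_options: false
    license: null
    auth_failure_listeners: {}
    do_not_fail_on_forbidden: true
    multi_rolespan_enabled: false
    hosts_resolver_mode: "ip-only"
    transport_userrname_attribute: null
    do_not_fail_on_forbidden_empty: true
    field_anonymization_salt2: null
    kibana:
      multitenancy_enabled: false
      server_username: "system.kibanaserver"
      index: ".kibana"
      rbac_enabled: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        # internalProxies is a regular expression for the addresses treated as trusted
        # proxies. ".*" matches every source address, so the proxy headers configured
        # below (x-proxy-user, x-proxy-roles) are honoured from any client that can
        # reach the HTTP port. Narrow it to the reverse proxy only, e.g.
        # "<regex matching only your proxy IPs>", and keep the port unreachable from
        # anywhere else.
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
    # Auth domains are tried in ascending `order`: client certificate (0),
    # proxy headers (1), then HTTP basic against the internal user database (2).
    authc:
      proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          challenge: false
          type: "proxy"
          config:
            # User name and backend roles are both read from request headers.
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          # "noop": the header values are not checked against any user store, so
          # this domain is only as trustworthy as the xff proxy restriction above.
          type: "noop"
          config: {}
        skip_users: []
      clientcert_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          challenge: false
          type: "clientcert"
          config:
            # The user name is taken from the certificate's CN.
            username_attribute: "cn"
        authentication_backend:
          type: "noop"
          config: {}
        skip_users: []
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          # The only domain that sends an authentication challenge to the client.
          challenge: true
          type: "basic"
          config: {}
        authentication_backend:
          type: "intern"
          config: {}
        skip_users: []
    # Both LDAP role backends are disabled (http_enabled and transport_enabled are
    # false), so backend roles come only from the authc domains above.
    authz:
      roles_from_another_ldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config: {}
        skipped_users: []
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: "ldap"
          config:
            # TLS is off for this LDAP connection; enable SSL or StartTLS before
            # turning this backend on.
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - "localhost:8389"
            bind_dn: null
            password: null
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: "disabled"
            rolename: "cn"
            resolve_nested_roles: true
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
        skipped_users: []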