Hi there,
I would like to use a certificate to authenticate the Kibana Server user, but then use basic HTTP authentication with the internal users backend for regular Kibana users (and once I’ve got that working, want to use LDAP as well). I would like to avoid storing a plain text password in the kibana.yml config file.
The certificate’s CN is kibanaserver. When I am presented with the SG login page, it makes no difference what I use as a username and password. It always authenticates me as user ‘CN=kibanaserver’.
Is there a way I can use certificate authentication only for the Kibana Server user, and then use whatever alternative authentication methods for ‘regular’ users?
I am using ES 5.5.1 with plugin v. 5.5.1-15, Kibana plugin v. 5.5.1-4.
I have this in my kibana.yml file:
```yaml
elasticsearch.ssl.verificationMode: full
searchguard.basicauth.enabled: true
searchguard.cookie.secure: true
searchguard.cookie.password: 'a-random-32-character-password'
searchguard.session.ttl: 1440000000
searchguard.session.keepalive: true
server.ssl.enabled: true
server.ssl.certificate: '/etc/kibana/kibana.cert.pem'
server.ssl.key: '/etc/kibana/kibana.key.pem'
elasticsearch.ssl.certificate: '/etc/kibana/kibanaserver.cert.pem'
elasticsearch.ssl.key: '/etc/kibana/kibana.key.pem'
elasticsearch.ssl.certificateAuthorities: [ '/etc/kibana/ca-chain.cert.pem' ]
```
And this is my authc section of sg_config.yml:
```yaml
authc:
  kibana_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: clientcert
      challenge: false
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    enabled: true
    order: 2
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: intern
```