The Kibana session doesn’t expire properly when proxy-based authentication is enabled, as Search Guard has no control over the session; referring to an older discussion:
Could you please help us: is it possible to know what responses to Kibana JS requests would make it close the GUI and redirect to the login page (if ever possible), or at least close with a message to re-login manually?
There is no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented. There are some hacks but they are not reliable.
Our use case is as below:
We use proxy-based authentication, where the ingress is used as the proxy that does the authentication and redirects to Kibana with the user details in the header. In our case, if the Kibana session is open for too long and the session expires, we get an error related to the bundle JS when we try to do some action (like applying a filter).
In this case the user will be unaware of the error and will be confused.
Posting the screenshot here.
Instead of this, as a solution to this problem, is it possible to send a certain response code from the proxy so that Kibana closes with a message like, for example, “session expired, re-login manually”?
A possible solution could be redirecting the user whose session is expired to some URL. I will raise this question internally and we shall see what can be done.
Given you already have Keycloak, you can set up OpenID Connect authentication as a solution.
Hi, thanks for the above response.
The second point, “set up OpenID Connect authentication as a solution”, would not be valid for our use case.
We would like to wait for the solution mentioned in the first point: “A possible solution could be redirecting the user whose session is expired to some URL”.
Hi @srgbnd
Could you please provide any update about the implementation of the point you shared previously: “A possible solution could be redirecting the user whose session is expired to some URL”?
Hi @shubha02! I didn’t forget. It is still in the issues queue. Probably we will address it in the next 1-2 releases. Recently Kibana has kept us busy with the New Platform changes.
Is NGINX somehow integrated with Keycloak? I don’t see any Keycloak integration in the Kibana or SG config. It looks like the users are stored in the SG internal database.
After approximately what time does the session expire for you?
Hi @srgbnd
Yes, NGINX is integrated with Keycloak. The users are not stored in the SG internal database; we are sending only proxy headers to Kibana.
Below is the NGINX configuration.
kind: Ingress
metadata:
  annotations:
    XXXX/platform-shared-addresses: |
      {"PLATFORM_LOGS_EXTERNAL_ADDRESS": "https://IP/XXXX"}
    ingress.citm.XXXX.com/sticky-route-services: $cookie_JSESSIONID|JSESSIONID ip_cookie
    kubernetes.io/ingress.class: oam
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers 'X-Frame-Options';
      access_by_lua_block {
        local paas = require "paas"
        local res = paas.checkAuth()
        local roles = ""
        local cluster = os.getenv("DOMAIN_NAME"):gsub("^oam", ""):match("([%w%-]+)%..+$")
        local compaasAdmin = "c:admin:"..cluster
        cluster = string.gsub(cluster, "%-", "%%-")
        for i,v in ipairs(res.id_token.groups) do
          if v == compaasAdmin then
            roles = roles .. "compaas:admin,"
          else
            local tenant = v:match("n:[a-z]+:"..cluster.."%.[%w%-]+%.([%w%-]+)")
            if tenant then
              local tenant_type = v:match("n:([a-z]+):")
              if tenant_type == "monitor" then
                roles = roles .. tenant .. "_monitor,"
              else
                roles = roles .. tenant .. ","
              end
            end
          end
        end
        ngx.req.set_header("x-proxy-user", res.id_token.preferred_username)
        -- remove last comma from string
        ngx.req.set_header("x-proxy-roles", roles:sub(1, -2))
      }
    nginx.ingress.kubernetes.io/limit-connections: "50"
    nginx.ingress.kubernetes.io/limit-rpm: "600"
    nginx.ingress.kubernetes.io/limit-rps: "50"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  creationTimestamp: "2020-12-16T17:15:45Z"
  generation: 1
  name: Namespace.XXXX.5601
  namespace: XXXX
  resourceVersion: "206623"
  selfLink: /apis/extensions/v1beta1/namespaces/xxxx/ingresses/Namespace.XXXX.5601
  uid: 26393be3-a51c-4bbd-b7a4-76398a4e6d5a
spec:
  rules:
  - host: XXXX
    http:
      paths:
      - backend:
          serviceName: kibana
          servicePort: 5601
        path: /xxxx/?(.*)
The session times out after approximately 1 hour.
Thanks.
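As an added example (not the thread's configuration and not Search Guard code), the access_by_lua_block below restructures the same proxy logic so that the expired-session case is handled explicitly on the proxy side instead of letting a request with no valid identity reach Kibana: the Keycloak group-to-role mapping from the thread is a pure function, and a failed paas.checkAuth() produces a 302 to a login page for page navigations and a 401 JSON reply for background (XHR) calls. It assumes that paas.checkAuth() raises or returns nothing usable once the session has expired (the thread does not document its failure behaviour); LOGIN_URL and the Accept-header heuristic for telling navigations from XHR calls are assumptions of this example.

```lua
-- Added example, not the thread's snippet: proxy-side handling of an
-- expired session plus the group-to-role mapping as a testable function.
-- Runs inside an OpenResty access_by_lua_block; `paas` is the thread's
-- auth module, whose failure behaviour is assumed here, not documented.

local LOGIN_URL = "https://IP/XXXX/login"  -- placeholder, not from the thread

-- Map Keycloak groups to Search Guard proxy roles, mirroring the thread:
--   "c:admin:<cluster>"                     -> "compaas:admin"
--   "n:<type>:<cluster>.<ns>.<tenant>"      -> "<tenant>" or "<tenant>_monitor"
-- Unrecognised groups are ignored. Returns a comma-joined string with no
-- trailing comma, so nothing has to be trimmed afterwards.
local function groups_to_roles(groups, cluster)
  local roles = {}
  local admin_group = "c:admin:" .. cluster
  local cluster_pat = cluster:gsub("%-", "%%-")  -- escape '-' for Lua patterns
  for _, g in ipairs(groups or {}) do
    if g == admin_group then
      roles[#roles + 1] = "compaas:admin"
    else
      local tenant = g:match("n:[a-z]+:" .. cluster_pat .. "%.[%w%-]+%.([%w%-]+)")
      if tenant then
        if g:match("n:([a-z]+):") == "monitor" then
          roles[#roles + 1] = tenant .. "_monitor"
        else
          roles[#roles + 1] = tenant
        end
      end
    end
  end
  return table.concat(roles, ",")
end

-- Answer an expired/invalid session deterministically. Heuristic (assumed):
-- a top-level navigation accepts text/html, a Kibana XHR call does not.
local function deny_expired()
  local accept = ngx.req.get_headers()["accept"] or ""
  if accept:find("text/html", 1, true) then
    return ngx.redirect(LOGIN_URL, 302)
  end
  ngx.status = ngx.HTTP_UNAUTHORIZED
  ngx.header["Content-Type"] = "application/json"
  ngx.say('{"message":"session expired, please log in again"}')
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Validate the session; treat an error or a result without an id_token as expired.
local ok, res = pcall(function() return require("paas").checkAuth() end)
if not ok or type(res) ~= "table" or type(res.id_token) ~= "table" then
  return deny_expired()
end

-- Drop any identity headers the client supplied itself; only the proxy may set them.
ngx.req.clear_header("x-proxy-user")
ngx.req.clear_header("x-proxy-roles")

local domain = os.getenv("DOMAIN_NAME") or ""
local cluster = domain:gsub("^oam", ""):match("([%w%-]+)%..+$") or ""

ngx.req.set_header("x-proxy-user", res.id_token.preferred_username)
ngx.req.set_header("x-proxy-roles", groups_to_roles(res.id_token.groups, cluster))
```

With this in place the proxy's behaviour on an expired session is fixed and observable (a 302 or a 401 in the ingress access log rather than a request that reaches Kibana with stale headers); how the Kibana front end reacts to that 401, i.e. whether it redirects to login or shows a message, is the part the thread says is still in the Search Guard issues queue.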