Searchguard and kibana

Fabrice Bacchella

Mar 16, 2018, 9:55:37 AM
to Search Guard Community Forum
I have a searchguard setup using Apereo's CAS (https://www.apereo.org/projects/cas), so using proxy authentication. It works well. I have kibana working on it too. So far so good.

But I don't have access to the configuration GUI, no matter how I try. I have no error log anywhere, in the navigator JavaScript console, kibana stdout or ES logs.

My kibana.yaml is:

elasticsearch.url: "http://myIP:9200"
server.host: "127.0.0.1"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
elasticsearch.requestHeadersWhitelist: [ "authorization", "x-forwarded-for", "x-forwarded-host", "x-forwarded-server", "x-forwarded-by", "x-proxy-user", "x-proxy-roles", "x-remote-user", "cas_memberof", "CAS_uid" ]
searchguard.basicauth.enabled: false 
elasticsearch.ssl.certificateAuthorities: [ "/etc/pki/tls/certs/myCA.pem" ]
logging.verbose: true
logging.useUTC: false
path.data: /data/kibana/data
pid.file: /data/kibana/run/kibana.pid
searchguard.cookie.secure: false
elasticsearch.ssl.verificationMode: none
ops.interval: 500000

I'm running kibana with:

sudo -u kibana /usr/share/kibana/bin/../node/bin/node --use-openssl-ca --no-warnings /usr/share/kibana/bin/../src/cli -c /data/kibana/conf/kibana.yml


And get nothing, not a single error message.


When SG starts, it says:


  log   [14:52:04.919] [debug][plugins] Initializing plugin searc...@6.2.2

  log   [14:52:05.451] [info][status][plugin:searc...@6.2.2] Status changed from uninitialized to yellow - Search Guard session management is disabled.

  log   [14:52:05.451] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard multitenancy disabled

  log   [14:52:05.452] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard copy JWT params disabled

  log   [14:52:05.591] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard configuration GUI enabled

  log   [14:52:05.615] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard system routes registered.

  log   [14:52:05.615] [info][status][plugin:searc...@6.2.2] Status changed from yellow to green - Search Guard plugin initialised.


So I'm looking for a hint for more debug, a place to look that will help to find the problem. Any help from someone?

SG

Mar 16, 2018, 10:47:53 AM
to search...@googlegroups.com
Pls. post your elasticsearch.yml and the output of

curl -Ss http://myIP:9200/_searchguard/license

Fabrice Bacchella

Mar 16, 2018, 10:52:51 AM
to search...@googlegroups.com
cluster.name: Sysop-Logstash

path.data: /data/elasticsearch/indices
path.logs: /data/elasticsearch/logs

discovery.zen.ping.unicast.hosts: ["XX", "XX", "XX"]
discovery.zen.minimum_master_nodes: 2
network.host: 0.0.0.0

http.cors.enabled: true
http.cors.allow-origin: "*"

# Needed to true because of kibana
rest.action.multi.allow_explicit_index: true

node.master: true
node.data: true
node.ingest: true

searchguard.enterprise_modules_enabled: false
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: false
######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.pemkey_filepath: host.key
searchguard.ssl.transport.pemcert_filepath: host.cert
searchguard.ssl.transport.pemtrustedcas_filepath: alldsca.crt
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.ssl.transport.resolve_hostname: true
searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: false
searchguard.authcz.admin_dn:
    - 'XXX,CN=sgadmin'
searchguard.nodes_dn:
    - CN=XX
    - CN=XX
    - CN=XX

node.max_local_storage_nodes: 3
xpack.security.enabled: false
searchguard.restapi.roles_enabled: ["sg_all_access"]
# For CAS
http.max_header_size: 64kb
######## End Search Guard Demo Configuration ########




curl -sS -L --negotiate -u : -L http://localhost:9200/_searchguard/license | jq .
{
  "_nodes": {
    "total": 3,
    "successful": 3,
    "failed": 0
  },
  "cluster_name": "Sysop-Logstash",
  "sg_license": {
    "msgs": [
      "No license required because enterprise modules not enabled."
    ],
    "license_required": false
  },
  "modules": {
    "HTTP_CLIENTCERT_AUTHENTICATOR": {
      "default_implementation": "com.floragunn.searchguard.http.HTTPClientCertAuthenticator",
      "gitsha1": "a73761a7204d9da260d43044ee682518b7d9b179",
      "buildTime": "2018-02-21T22:43:07Z",
      "is_enterprise": "false",
      "actual_implementation": "com.floragunn.searchguard.http.HTTPClientCertAuthenticator",
      "description": "HTTP Client Certificate Authenticator",
      "type": "HTTP_CLIENTCERT_AUTHENTICATOR",
      "version": "6.2.2-21.0"
    },
    "INTERNAL_USERS_AUTHENTICATION_BACKEND": {
      "default_implementation": "com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend",
      "gitsha1": "a73761a7204d9da260d43044ee682518b7d9b179",
      "buildTime": "2018-02-21T22:43:07Z",
      "is_enterprise": "false",
      "actual_implementation": "com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend",
      "description": "Internal users authorization backend",
      "type": "INTERNAL_USERS_AUTHENTICATION_BACKEND",
      "version": "6.2.2-21.0"
    },
    "NOOP_AUTHENTICATION_BACKEND": {
      "default_implementation": "com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend",
      "gitsha1": "a73761a7204d9da260d43044ee682518b7d9b179",
      "buildTime": "2018-02-21T22:43:07Z",
      "is_enterprise": "false",
      "actual_implementation": "com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend",
      "description": "Noop authentication backend",
      "type": "NOOP_AUTHENTICATION_BACKEND",
      "version": "6.2.2-21.0"
    },
    "HTTP_PROXY_AUTHENTICATOR": {
      "default_implementation": "com.floragunn.searchguard.http.HTTPProxyAuthenticator",
      "gitsha1": "a73761a7204d9da260d43044ee682518b7d9b179",
      "buildTime": "2018-02-21T22:43:07Z",
      "is_enterprise": "false",
      "actual_implementation": "com.floragunn.searchguard.http.HTTPProxyAuthenticator",
      "description": "HTTP Proxy Authenticator",
      "type": "HTTP_PROXY_AUTHENTICATOR",
      "version": "6.2.2-21.0"
    },
    "HTTP_BASIC_AUTHENTICATOR": {
      "default_implementation": "com.floragunn.searchguard.http.HTTPBasicAuthenticator",
      "gitsha1": "a73761a7204d9da260d43044ee682518b7d9b179",
      "buildTime": "2018-02-21T22:43:07Z",
      "is_enterprise": "false",
      "actual_implementation": "com.floragunn.searchguard.http.HTTPBasicAuthenticator",
      "description": "HTTP Basic Authenticator",
      "type": "HTTP_BASIC_AUTHENTICATOR",
      "version": "6.2.2-21.0"
    }
  },
  "compatibility": {
    "modules_mismatch": false
  }
}


SG

Mar 16, 2018, 10:54:24 AM
to search...@googlegroups.com
You are using the community edition, but the config GUI is a commercial feature.

Fabrice Bacchella

Mar 16, 2018, 10:58:19 AM
to search...@googlegroups.com
Oops, sorry, my bad, I missed that.

Fabrice Bacchella

Mar 16, 2018, 10:59:18 AM
to search...@googlegroups.com
But then the log file is wrong:
>>> log [14:52:05.591] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard configuration GUI enabled

It should say GUI disabled.
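The check this thread arrives at, as an added example that is not part of the original posts and is not Search Guard project code: it reads a `_searchguard/license` response and a Kibana startup log and reports when the plugin logs "configuration GUI enabled" while the backend has loaded no enterprise modules. The function names are hypothetical, the sample inputs are constructed from the output quoted above, and reading `is_enterprise: "true"` as "enterprise module loaded" is an assumption based on the field name.

```python
import json
import re

# Constructed samples, trimmed from the license output and Kibana log quoted in the thread.
LICENSE_JSON = """{
  "sg_license": {"license_required": false,
                 "msgs": ["No license required because enterprise modules not enabled."]},
  "modules": {
    "HTTP_PROXY_AUTHENTICATOR": {"is_enterprise": "false", "version": "6.2.2-21.0"},
    "HTTP_BASIC_AUTHENTICATOR": {"is_enterprise": "false", "version": "6.2.2-21.0"}
  }
}"""
KIBANA_LOG = """\
  log   [14:52:05.451] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard multitenancy disabled
  log   [14:52:05.591] [info][status][plugin:searc...@6.2.2] Status changed from yellow to yellow - Search Guard configuration GUI enabled
"""

GUI_ENABLED = re.compile(r"Search Guard configuration GUI enabled\s*$")


def enterprise_modules(license_doc):
    """Names of loaded modules whose is_enterprise flag is true (assumed meaning of the field)."""
    modules = license_doc.get("modules") or {}
    # The endpoint reports the flag as a string ("false"), so compare case-insensitively.
    return sorted(name for name, info in modules.items()
                  if str(info.get("is_enterprise", "false")).lower() == "true")


def diagnose(license_text, kibana_log):
    """Compare what the backend has loaded with what the Kibana plugin logged."""
    try:
        doc = json.loads(license_text)
    except json.JSONDecodeError as exc:
        # e.g. an HTML login page returned by the proxy instead of JSON
        return {"error": f"license response is not JSON: {exc.msg}"}
    ent = enterprise_modules(doc)
    gui_logged = any(GUI_ENABLED.search(line) for line in kibana_log.splitlines())
    return {
        "edition": "enterprise" if ent else "community",
        "enterprise_modules": ent,
        "license_required": doc.get("sg_license", {}).get("license_required"),
        "kibana_logs_gui_enabled": gui_logged,
        # The situation in the thread: log says enabled, backend is community edition.
        "gui_log_without_enterprise_modules": gui_logged and not ent,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(LICENSE_JSON, KIBANA_LOG), indent=2))
```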

SG

Mar 16, 2018, 11:11:44 AM
to search...@googlegroups.com
Can you file an issue on GitHub for that?

Fabrice Bacchella

Mar 16, 2018, 11:42:01 AM
to search...@googlegroups.com