SG2 With Marvel and proxy_auth_domain


djtecha

Jun 27, 2016, 8:02:51 PM
to Search Guard
Is anyone able to get Marvel to work without an HTTP basic prompt? I see the username being passed and elevated to sg_admin, but then it tries to continue and use basic_internal_auth_domain. I've attached my configs and log.


[2016-06-27 16:39:25,164][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value daniel...@redfin.com
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User 'daniel...@redfin.com' is in cache? true (cache size: 5)
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User 'User [name=daniel...@redfin.com, roles=[]]' is authenticated
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel...@redfin.com, roles=[]]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget from 127.0.0.1:44671
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetRequest$Item
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]
[2016-06-27 16:39:25,165][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [config]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Try wildcard match for *
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Wildcard match for *: [.kibana]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   matches for *, will check now types [*]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     resolvedActions for */*: [*]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     match requested action indices:data/read/mget against */*: [*]
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices: []
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types: []
[2016-06-27 16:39:25,166][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_admin.*', evaluate other roles
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] evaluate permissions for User [name=daniel...@redfin.com, roles=[]]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested indices:data/read/mget[shard] from 127.0.0.1:44671
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolve [.kibana] from class org.elasticsearch.action.get.MultiGetShardRequest
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] indicesOptions IndicesOptions[id=48, ignore_unavailable=false, allow_no_indices=false, expand_wildcards_open=false, expand_wildcards_closed=false, allow_alisases_to_multiple_indices=false, forbid_closed_indices=true]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] raw indices [.kibana]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] Resolved [.kibana] to {}
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved aliases and indices: [.kibana]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] requested resolved types: [_all]
[2016-06-27 16:39:25,167][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] mapped roles: [sg_admin]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] ---------- evaluate sg_role: sg_admin
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Try wildcard match for *
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   Wildcard match for *: [.kibana]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]   matches for *, will check now types [*]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     resolvedActions for */*: [*]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator]     match requested action indices:data/read/mget[shard] against */*: [*]
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested aliases and indices: []
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] For index * remaining requested resolved types: []
[2016-06-27 16:39:25,168][DEBUG][com.floragunn.searchguard.configuration.PrivilegesEvaluator] found a match for 'sg_admin.*', evaluate other roles
[2016-06-27 16:39:25,226][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolve /127.0.0.1:44673
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.XFFResolver] xff resolved /127.0.0.1:44673 to /127.0.0.1:44673
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http proxy 
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] headers [authorization=Basic REVOKED, Host=localhost:9200, Content-Length=154, Connection=keep-alive]
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] userHeader x-proxy-user, value null
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.http.HTTPProxyAuthenticator] rolesHeader x-proxy-roles, value null
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http basic 
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] User 'daniel...@redfin.com' is in cache? false (cache size: 5)
[2016-06-27 16:39:25,227][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] daniel...@redfin.com (1342371120) not cached, return from internal backend directly
[2016-06-27 16:39:25,228][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel...@redfin.com not found] 
com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[daniel...@redfin.com not found]

sg_roles_mapping.yml
sg_admin:
  users:
    - admin

sg_logstash:
  users:
    - logstash

sg_kibana4_server:
  users:
    - kibana

sg_public:
  users:
    - '/((?!daniel.kasen).)*.redfin.com/'

sg_config.yml

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
    authc:
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

sg_roles.yml

sg_admin:
  cluster:
    - '*'
  indices:
    '*':
      '*':
        - '*'


SG

Jun 29, 2016, 11:53:18 AM
to search...@googlegroups.com
see inline comments
Above you see the successful proxy authentication


Below it looks like this is another request with no x-proxy-user defined, so the next auth domain (which is basic authentication) tries to login the user:

djtecha

Jun 30, 2016, 7:46:23 PM
to Search Guard
Right, which is why I'm confused. It appears to do the HTTP basic prompt for me with any plugin (Marvel, Timelion). Wondering if anyone is able to make these work? I am able to get Kibana to work perfectly at this point, just plugins not working. I have nginx to use a simple '/' location block so it's not as though I'm hitting anything else.

djtecha

Jul 26, 2016, 6:23:12 PM
to Search Guard
Has anyone been able to get plugins to work in Kibana? I'm still stuck, and if I look at the header to port 5601 I can see it gets the full request with my name and authorization; it just doesn't want to use it for Kibana plugins. Does Kibana have another routing system to its plugins that I'm unaware of, and consequently not passing a header correctly to SG2?

Daniel Kasen

Jul 26, 2016, 7:27:13 PM
to search...@googlegroups.com
Not sure if this is related, but I'm seeing a lot of these in the logs:

[2016-07-26 16:24:02,124][INFO ][com.floragunn.searchguard.auth.BackendRegistry] ElasticsearchSecurityException[xff not done] extracting credentials from proxy
ElasticsearchSecurityException[xff not done]

Current config:

searchguard:
  dynamic:
    http:
      xff:
        enabled: true
        trustedProxies: '.*'
        internalProxies: '.*'
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
    authc:
      proxy_domain_proxy:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      authentication_domain_basic_internal:
        enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
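The log in the first post and the "xff not done" error in the last one both come down to how the proxy auth domain is gated. The following is an added Python model of the two sg_config.yml files in this thread, written for this reply; it is not Search Guard's code. It assumes (simplifications, labelled as such in the comments) that a request counts as "xff done" only when the TCP peer matches internalProxies and sends the remoteIpHeader, that the proxy authenticator refuses to read x-proxy-user otherwise, that domains are tried by `order` and a domain with no credentials is skipped so the next one can try, and that the intern backend is a constructed dict of users. The user names, addresses and function names are placeholders.

```python
"""Model of the Search Guard authc chain from this thread (added example, not
Search Guard's code). Assumptions: a request is 'xff done' only when the TCP
peer matches internalProxies AND sends the remoteIpHeader; the proxy
authenticator refuses the user header otherwise; domains are tried by `order`
and a domain that finds no credentials is skipped; `intern` is a constructed dict."""
import base64
import re

# Constructed stand-in for sg_internal_users.yml (hypothetical users/passwords).
INTERNAL_USERS = {"admin": "admin-pw", "kibana": "kibana-pw", "logstash": "logstash-pw"}


def make_config(internal_proxies):
    """The two authc domains from the posted sg_config.yml; only internalProxies varies."""
    return {
        "http": {"xff": {"enabled": True, "internalProxies": internal_proxies,
                         "remoteIpHeader": "x-forwarded-for"}},
        "authc": {
            "proxy_auth_domain": {
                "enabled": True, "order": 1,
                "http_authenticator": {"type": "proxy", "challenge": False,
                                       "config": {"user_header": "x-proxy-user",
                                                  "roles_header": "x-proxy-roles"}},
                "authentication_backend": {"type": "noop"}},
            "basic_internal_auth_domain": {
                "enabled": True, "order": 2,
                "http_authenticator": {"type": "basic", "challenge": False},
                "authentication_backend": {"type": "intern"}},
        },
    }


RESTRICTED = make_config(r"192\.168\.0\.10|192\.168\.0\.11")  # first config in the thread
PERMISSIVE = make_config(r".*")                                # second config in the thread


def xff_resolve(peer_ip, headers, xff_cfg):
    """Return (effective client ip, xff_done); headers are expected lower-cased."""
    if not xff_cfg["enabled"] or not re.fullmatch(xff_cfg["internalProxies"], peer_ip):
        return peer_ip, False            # peer is not a trusted proxy: its headers are ignored
    chain = headers.get(xff_cfg["remoteIpHeader"].lower())
    if not chain:
        return peer_ip, False            # trusted peer but nothing to resolve: 'xff not done'
    return chain.split(",")[0].strip(), True   # leftmost hop is the original client


def proxy_authenticator(headers, xff_done, cfg):
    """Credentials from the proxy headers, or None when the user header is absent."""
    if not xff_done:
        raise PermissionError("xff not done")
    user = headers.get(cfg["user_header"].lower())
    if user is None:
        return None
    roles = headers.get(cfg["roles_header"].lower()) or ""
    return {"name": user, "roles": [r for r in roles.split(",") if r]}


def basic_header(name, password):
    """Build an Authorization: Basic value (only used to construct sample requests)."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()


def basic_authenticator(headers):
    """Credentials from an Authorization: Basic header, or None when there is none."""
    value = headers.get("authorization", "")
    if not value.startswith("Basic "):
        return None
    name, _, password = base64.b64decode(value[6:]).decode().partition(":")
    return {"name": name, "password": password}


def authenticate(peer_ip, headers, sg_config):
    """Walk the enabled authc domains in order; return the first user or the collected errors."""
    headers = {k.lower(): v for k, v in headers.items()}
    _, xff_done = xff_resolve(peer_ip, headers, sg_config["http"]["xff"])
    errors = []
    for name, domain in sorted(sg_config["authc"].items(), key=lambda kv: kv[1]["order"]):
        if not domain["enabled"]:
            continue
        auth = domain["http_authenticator"]
        try:
            if auth["type"] == "proxy":
                creds = proxy_authenticator(headers, xff_done, auth["config"])
            else:
                creds = basic_authenticator(headers)
        except PermissionError as exc:
            errors.append(f"{name}: {exc}")
            continue
        if creds is None:
            continue                     # no credentials for this domain: try the next one
        if domain["authentication_backend"]["type"] == "noop":
            return {"domain": name, "user": creds["name"], "roles": creds["roles"]}  # header trusted as-is
        if creds["name"] not in INTERNAL_USERS:
            errors.append(f"{name}: {creds['name']} not found")
        elif INTERNAL_USERS[creds["name"]] != creds["password"]:
            errors.append(f"{name}: password mismatch for {creds['name']}")
        else:
            return {"domain": name, "user": creds["name"], "roles": []}
    return {"error": "; ".join(errors) or "no credentials in request"}


if __name__ == "__main__":
    # Constructed requests; 10.1.2.3 and 203.0.113.5 are placeholder addresses.
    via_proxy = {"x-forwarded-for": "10.1.2.3", "x-proxy-user": "alice@example.com"}
    print(authenticate("192.168.0.10", via_proxy, RESTRICTED))   # proxy domain, as in the first log
    print(authenticate("203.0.113.5", via_proxy, RESTRICTED))    # untrusted peer: 'xff not done'
    print(authenticate("203.0.113.5", via_proxy, PERMISSIVE))    # '.*' trusts that same peer
```

Two things the model makes visible. A request that reaches Elasticsearch without x-proxy-user (the second request in the first log) finds nothing in the proxy domain and falls through to basic auth, which then looks the user up in the internal backend and fails with "not found"; that is the fallthrough SG describes, not a proxy-domain failure. And because the proxy domain uses the noop backend, nothing about x-proxy-user is verified; internalProxies is the only thing deciding whose header is believed, so '.*' (the second config) means any client that can reach port 9200 and set x-forwarded-for and x-proxy-user is accepted as that user. Keep internalProxies to the actual proxy addresses and make sure the proxy strips those headers from incoming requests.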