When asking questions, please provide the following information:
* Search Guard and Elasticsearch version: SG 6.5.3-24/6.5.3-17(kibana), E...@6.5.3 / (same for 6.2.3 versions)
* Installed and used enterprise modules, if any: No
* JVM version and operating system version: 1.8, Centos7.3
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any
xpack.spaces.enabled: false
Hi,
I am seeing something strange. I can use curl with basic auth as any configured SG user (admin/kibanaserver for example) to do a GET on /api/saved_object kibana endpoint, and that works. I can also successfully use certs with curl to do a GET on any elasticsearch endpoint. So it appears that the SG config is working -(both basic auth and clientcert authentication are successfull .. depending on the path). However, if I try to use the same cert that was used in successfully accessing elasticsearch to try to connect to kibana and do a GET on /api/saved_objects, curl responds with a:
{"message":"Session expired","redirectTo":"login"}
It appears to be a bug in the way impersonation works (or not) between the two paths and something needs to be fixed in the search-guard kibana plugin. On the other hand, I would be ecstatic to hear that I configured something wrong..
Insights?
Lars