Creating generic user


djtecha

May 16, 2016, 4:18:09 PM
to Search Guard
Hello,
I'm trying to figure out how I can have a generic read-only user pass through for Kibana. I've added the following that I got from the latest commits for SG-2-2.3.2.0-beta2:


sg_roles.yml:
sg_users:
  indices:
    '*':
      '*':
        - READ

sg_roles_mapping.yml
sg_public:
  users:
    - '*'

I even tried ensuring the sg_* name was the same in both files, but I keep getting blocked when I try to log in to Kibana with an undefined user, and also when I try to simply curl the ES cluster. Not sure if I'm doing this wrong, but I'm stuck and any help would be appreciated.

djtecha

May 16, 2016, 6:08:58 PM
to Search Guard
Ahh, never mind. See, I have to edit the sg_config and enable the domain_proxy section. However, Kibana keeps making me do basic auth after I've logged in using Google SSO, even though I can just pass it a random user/pass combo.

SG

May 17, 2016, 9:12:39 AM
to search...@googlegroups.com
Can you share your configs?

> On 17.05.2016 at 00:08, djtecha <djt...@gmail.com> wrote:
>
> Ahh, never mind. See, I have to edit the sg_config and enable the domain_proxy section. However, Kibana keeps making me do basic auth after I've logged in using Google SSO, even though I can just pass it a random user/pass combo.

djtecha

May 18, 2016, 12:40:45 PM
to Search Guard
sg_config:
searchguard:
  dynamic:
    http:
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: com.floragunn.searchguard.http.HTTPBasicAuthenticator
    authcz:
      authentication_domain_basic_internal:
        enabled: true
        order: 0
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend
      #authentication_ldap:
        #enabled: true
        #order: 1
        #authentication_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend
          #config:
            #host: ["",""]
        #authorization_backend:
          #type: com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend
        authorization_backend:
          type: com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend


sg_roles.yml
sg_public:
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - ALL

sg_roles_mapping.yml
sg_public:
  users:
    - '*'


That should let any user see all indices regardless of whether they have a login.
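
An added example, not part of the original post and not Search Guard code: a small Python check that flags roles mapped to every user (`'*'`) which grant anything beyond READ, or which are mapped but never defined. The parser handles only the `key:` / `- item` subset of YAML seen in this thread, and treating READ as the only read-only permission is an assumption.

```python
# Added example. ROLES and MAPPING are copied from the post above.
ROLES = """\
sg_public:
  cluster:
    - CLUSTER_ALL
  indices:
    '*':
      '*':
        - ALL
"""
MAPPING = """\
sg_public:
  users:
    - '*'
"""
READ_ONLY = {"READ"}  # assumption: the only permission treated as read-only

def parse(text):
    """Parse the YAML subset used in this thread: 'key:' maps, '- item' lists."""
    root = {}
    stack, last = [(-1, root)], None  # stack of (indent, dict); last = (parent, key)
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for raw in lines:
        line = raw.strip()
        if line.startswith("- "):  # scalar item: the last key holds a list, not a map
            parent, key = last
            parent[key] = list(parent[key]) + [line[2:].strip().strip("'\"")]
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:  # climb back to this key's parent map
            stack.pop()
        parent, key = stack[-1][1], line.rstrip(":").strip("'\"")
        parent[key] = {}
        stack.append((indent, parent[key]))
        last = (parent, key)
    return root

def audit(roles, mapping):
    """Return (role, scope, issue) for every-user ('*') roles exceeding READ_ONLY."""
    findings = []
    wildcard = [r for r, m in mapping.items() if "*" in m.get("users", [])]
    for role in wildcard:
        if role not in roles:
            findings.append((role, "-", "mapped but not defined in sg_roles.yml"))
        scopes = {"cluster": roles.get(role, {}).get("cluster", [])}
        for index, types in roles.get(role, {}).get("indices", {}).items():
            scopes.update({f"{index}/{t}": perms for t, perms in types.items()})
        findings += [(role, s, p) for s, perms in scopes.items()
                     for p in perms if p not in READ_ONLY]
    return findings
```

Calling `audit(parse(ROLES), parse(MAPPING))` on these files returns one finding for `CLUSTER_ALL` and one for `ALL` on `*/*`; on the files from the first post it reports `sg_public` as mapped but not defined, because the role there is named `sg_users`.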

SG

May 19, 2016, 11:33:39 AM
to search...@googlegroups.com
I suggest

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: 192\.168\.0\.10|192\.168\.0\.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
      authenticator:
        type: basic
    authcz:
      authentication_domain_proxy:
        enabled: true
        order: 1
        authentication_backend:
          type: intern
        authorization_backend:
          type: noop