Searchguard setting were not applied in Kibana Error
52 views
Skip to first unread message
Aleksei Saiko
Mar 11, 2019, 9:08:00 AM3/11/19
to Search Guard Community Forum
When asking questions, please provide the following information:
* Search Guard and Elasticsearch version
SG=6.5.1-24.1
ES=6.5.1
* JVM version and operating system version
JVM=1.8.0_162
OS=Ubuntu 18.04.1 LTS
* Search Guard configuration files
from elastisearch.yml
searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: raAtcE0mTfuk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.XXXX.com,OU=IL,O=xxxx Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-002.XXXX.com,OU=IL,O=xxxx Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-003.XXXX.com,OU=IL,O=xxxx Com\, Inc.,DC=XXXX,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.XXXX.com,OU=IL,O=XXXX Com\, Inc.,DC=XXXX,DC=com
"elasticsearch.yml" 115L, 4129C
sg_config.yml
searchguard:
dynamic:
http:
anonymous_auth_enabled: false
xff:
internalProxies: '10.xxx.xx.xx' #kibana's IP
remoteIpHeader: 'x-forwarded-for'
proxiesHeader: 'x-forwarded-by'
proxy_auth_domain:
http_enabled: true
transport_enabled: true
order: 3
http_authenticator:
type: proxy
challenge: false
config:
user_header: "x-proxy-user"
roles_header: "x-proxy-roles"
authentication_backend:
type: noop
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
Kibana.yml:
| --- | |
| # Default Kibana configuration from kibana-docker. | |
| server.port: 5601 | |
| server.host: "0.0.0.0" | |
| server.name: "kibana" | |
| elasticsearch.requestTimeout: 100000 | |
| elasticsearch.username: "admin" | |
| elasticsearch.password: "admin" | |
| searchguard.auth.type: "proxy" | |
| searchguard.proxycache.user_header: x-proxy-user | |
| # The header that identifies the user's role(s) - (required, no default) | |
| searchguard.proxycache.roles_header: x-proxy-roles | |
| # HTTP header field which the proxy uses to forward the IP chain to the endpoint, usually x-forwarded-for. | |
| # (optional, default: x-forwarded-for) | |
| #searchguard.proxycache.proxy_header: x-forwarded-for | |
| # IP where Kibana is running on - (required, no default) | |
| # Used to add it to the x-forwarded-for IP chain (see above) | |
| # This IP must be added as trusted IP in sg_config.yml under | |
| # searchguard.dynamic.http.xff.internalProxies. | |
| # It's also possible to us a environment variable here like ${IP_ADDRESS} | |
| searchguard.proxycache.proxy_header_ip: "10.xxx.xx.xx" | |
| # Redirect to this URL if the user isn't authenticated - (optional, no default) | |
| #searchguard.proxycache.login_endpoint: "https://login.sso.company.com" | |
| searchguard.basicauth.enabled: false | |
| elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ] | |
* Elasticsearch log messages on debug level
FATAL Error: "searchguard.auth.type", "searchguard.proxycache.user_header", "searchguard.proxycache.roles_header", and "searchguard.proxycache.proxy_header_ip" settings were not applied. Check for spelling errors and ensure that expected plugins are installed.
Hi there,
I installed SG on ELK with the mentioned versions.
It seems working great.
Now, I'm using Lasso (Vouch Proxy) for oauth.
So after authorization via Lasso , I have a pop-up for authorization with SG, and I want to use only Lasso authorization.
I'm receiving this error when running Kibana on K8S - "FATAL Error: "searchguard.auth.type", "searchguard.proxycache.user_header", "searchguard.proxycache.roles_header", and "searchguard.proxycache.proxy_header_ip" settings were not applied. Check for spelling errors and ensure that expected plugins are installed."
Do I have to install SG plugin for Kibana? If yes, do you have a Dockerfile to install Kibana with SG? Also, does this plugin is a free trial?
Thanks,
Aleksei
Jochen Kressin
Mar 12, 2019, 1:30:37 PM3/12/19
to Search Guard Community Forum
Hi,
yes, you need to install the SG Kibana plugin, otherwise there are no security features available.
Search Guard comes with a 60 day trial license which is acticated automatically on startup / SG initialization. All features are fully functioning, and we are happy to send you a trial extension should you need more time for your PoC.
We do not maintain Dockerfiles at the moment, but you can checkout this very good repository here:
Also, if you are running Search Guard on K8S you might be interested in our Helm charts:
They include the Elasticsearch and the Kibana plugin.
Aleksei Saiko
Mar 14, 2019, 11:46:55 AM3/14/19
to Search Guard Community Forum
Hi Jochen,
вторник, 12 марта 2019 г., 19:30:37 UTC+2 пользователь Jochen Kressin написал:
Thx for your answer.
After the 60 day trial, will Kibana plugin becoming non-free?
Thx
вторник, 12 марта 2019 г., 19:30:37 UTC+2 пользователь Jochen Kressin написал:
SG
Mar 17, 2019, 1:22:19 PM3/17/19
to search...@googlegroups.com
After the 60 days trial Kibana will warn you that you need to obtain and install a license.
If you do not want to buy the enterprise license that disable the enterprise features and the warning will disappear.
To see which feature is Enterprise or Community pls have a look here:
https://search-guard.com/product/
Kibana Plugin itself is licensed under Apache 2 so the Kibana plugin does never become non-free.
If you disable the enterprise features some menu items will disappear.
Pls refer to https://docs.search-guard.com/latest/search-guard-community-edition how to disable the enterprise features.
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/baebe650-a760-470f-a128-fb1c8c400172%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
If you do not want to buy the enterprise license that disable the enterprise features and the warning will disappear.
To see which feature is Enterprise or Community pls have a look here:
https://search-guard.com/product/
Kibana Plugin itself is licensed under Apache 2 so the Kibana plugin does never become non-free.
If you disable the enterprise features some menu items will disappear.
Pls refer to https://docs.search-guard.com/latest/search-guard-community-edition how to disable the enterprise features.
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/baebe650-a760-470f-a128-fb1c8c400172%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Aleksei Saiko
Mar 21, 2019, 10:02:43 AM3/21/19
to search...@googlegroups.com
Thanks for your answer!
вс, 17 мар. 2019 г. в 19:22, SG <in...@search-guard.com>:
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/79A368C3-5759-4DD2-B06A-5382B654A401%40search-guard.com.
Reply all
Reply to author
Forward
0 new messages