how to turn off all http basic authentication or BackendRegistry authentication done by searchguard


Max Furman

Jul 6, 2016, 6:18:57 PM7/6/16
to Search Guard

I have a proxy layer that does all SSL and basic authentication (for HTTP) already, and therefore would like to turn off said features in search-guard. I've tried setting the various auth_domains to false in the sg_config.yml, but can't seem to get the authentication to turn off. What's the right way to do this?

Max Furman

Jul 6, 2016, 7:04:01 PM7/6/16
to Search Guard
Below is my sg_config.yml:

# This is the main configuration file where the authentication and authorization
# backends as well as the http authenticators and other settings will be defined.
#
# The authentication works like this:
#
# If there are no authenticators (authc) defined, an implicit one will be created.
# This will authenticate against the internal user database and use HTTP Basic.
#
# If more than one is configured, the first one which succeeds wins. If all fail, the request will be unauthenticated
# and a respective exception is thrown and/or the HTTP status is set to 401.
#
# After authentication, authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# For HTTP it is possible to allow anonymous authentication. If that is allowed, the http authenticators try to
# find user credentials in the HTTP request, and if such are found the user gets regularly authenticated.
# If none can be found, the user will be authenticated as an "anonymous" user. This user always has the username "sg_anonymous"
# and one role named "sg_anonymous_backendrole". If you enable anonymous authentication, the http authenticators will not challenge.
#
#
# Notice: If you define more than one authenticator, make sure to put non-challenging authenticators like "proxy" or "clientcert"
# at the beginning and the challenging one at the end. If you configure more than one challenging authenticator you have to deal with
# the "challenge" flag. Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic), only one can have challenge: true. All others need to have challenge: false, which means
# they look into the request and, if they find no credentials, they will not challenge. You can cope with this situation
# with pre-authentication, that is, submitting credentials for non-challenging authenticators within the first request
# (that's especially easy for Basic authentication).
# The default value of the challenge flag is true.
#
#
#
# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging) NOT FREE FOR COMMERCIAL
#   clientcert (not challenging, needs https)

# Authc
#   internal
#   noop
#   ldap  NOT FREE FOR COMMERCIAL USE

# Authz
#   ldap  NOT FREE FOR COMMERCIAL USE
#   noop

searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
    authc:
      kerberos_auth_domain:
        enabled: false
        order: 4
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # Acceptor (Server) Principal name, must be present in acceptor_keytab_path file
            acceptor_principal: 'HTTP/localhost'
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: false
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "X-Company-Staff-User"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        enabled: false
        order: 0
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        enabled: false
        order: 3
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap # NOT FREE FOR COMMERCIAL USE
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from the authenticated user's directory entry. Use userroleattribute to specify the name of the attribute
            rolesearch: '(uniqueMember={0})'
            # Specify the name of the attribute whose value should be substituted for {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role
            rolename: cn
            # Resolve nested roles transitively (roles which are members of other roles and so on ...)
            resolve_nested_roles: true

            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'

      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap # NOT FREE FOR COMMERCIAL USE
          #config goes here ...

Basically, I've turned proxy_auth_domain on and anonymous_auth on, but I'm still finding that searchguard is 401-ing my requests.
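The sample config's own comments state that the "proxy" authenticator "needs xff" and that identity headers are only taken from peers matching internalProxies, while the posted file has xff.enabled: false. The following Python model is an added example (not code from the thread and not Search Guard's implementation): it walks through the trust decision those settings describe, using the header names and the internalProxies pattern from the posted sg_config.yml, and shows why a header-based authenticator must ignore X-Company-Staff-User from any peer that is not a trusted proxy. The exact order of checks, the anonymous fallback, the use of the TCP peer address instead of a parsed X-Forwarded-For chain, and the comma-separated roles header are simplifying assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed subset of the posted sg_config.yml: searchguard.dynamic.http and the
# proxy_auth_domain. Only the keys needed for the trust decision are modelled.
POSTED_CONFIG = {
    "anonymous_auth_enabled": True,
    "xff": {"enabled": False, "internalProxies": r"192\.168\.0\.10|192\.168\.0\.11"},
    "proxy": {"user_header": "X-Company-Staff-User", "roles_header": "x-proxy-roles"},
}

# Assumed variant: the same file with xff switched on, which is what the sample
# config's "proxy (not challenging, needs xff)" comment implies.
XFF_ENABLED_CONFIG = {
    **POSTED_CONFIG,
    "xff": {"enabled": True, "internalProxies": r"192\.168\.0\.10|192\.168\.0\.11"},
}


@dataclass
class Decision:
    status: int                      # 200 if a user was established, 401 otherwise
    user: Optional[str] = None
    roles: List[str] = field(default_factory=list)
    reason: str = ""


def authenticate(config: dict, remote_addr: str, headers: Dict[str, str]) -> Decision:
    """Model the decision a header-based proxy authenticator has to make.

    remote_addr is the TCP peer address (a real implementation would also walk the
    remoteIpHeader chain); headers is the raw request header map.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xff = config["xff"]
    user_header = config["proxy"]["user_header"].lower()
    roles_header = config["proxy"]["roles_header"].lower()

    if not xff["enabled"]:
        # Without XFF there is no notion of a trusted proxy, so identity headers
        # cannot be evaluated at all: the proxy authenticator finds no credentials.
        reason = "xff disabled: proxy authenticator cannot evaluate identity headers"
    elif not re.fullmatch(xff["internalProxies"], remote_addr):
        # Headers from an untrusted peer are ignored. If they were honoured, any
        # client able to reach the node directly could name itself as any user.
        reason = f"peer {remote_addr} not in internalProxies: headers ignored"
    elif user_header not in lower:
        reason = "trusted proxy but no user header present"
    else:
        user = lower[user_header]
        # Assumption: the roles header carries a comma-separated list.
        roles = [r.strip() for r in lower.get(roles_header, "").split(",") if r.strip()]
        return Decision(200, user, roles, "proxy-authenticated")

    # No credentials found: per the sample config's comments, anonymous auth (if
    # enabled) yields sg_anonymous with sg_anonymous_backendrole, otherwise 401.
    if config["anonymous_auth_enabled"]:
        return Decision(200, "sg_anonymous", ["sg_anonymous_backendrole"],
                        reason + "; anonymous fallback")
    return Decision(401, None, [], reason)


if __name__ == "__main__":
    # Constructed request as the proxy layer in the thread would send it.
    req = {"X-Company-Staff-User": "alice", "x-proxy-roles": "ops, readonly"}
    for name, cfg in (("posted", POSTED_CONFIG), ("xff enabled", XFF_ENABLED_CONFIG)):
        d = authenticate(cfg, "192.168.0.10", req)
        print(f"{name:12} -> {d.status} user={d.user} roles={d.roles} ({d.reason})")
    d = authenticate(XFF_ENABLED_CONFIG, "10.0.0.5", req)
    print(f"{'untrusted':12} -> {d.status} user={d.user} ({d.reason})")
```

Running it shows the posted configuration never reaching the header-based user even when the request comes from a listed proxy, while the variant with xff enabled accepts the headers only from 192.168.0.10/11 and downgrades everything else to the anonymous user.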

Max Furman

Jul 6, 2016, 8:08:31 PM7/6/16
to Search Guard
After making sure that the configs are the same on each server in the cluster, I am now getting:

[2016-07-06 23:53:25,931][WARN ][gateway                  ] [nextkibana01-ops] [logstash-2016.07.06][3]: failed to list shard for shard_store on node [VNO0GIHuTsC9Yd1syMxXaQ]
FailedNodeException[total failure in fetching]; nested: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=[]]];
at org.elasticsearch.gateway.AsyncShardFetch$1.onFailure(AsyncShardFetch.java:277)
at org.elasticsearch.action.support.TransportAction$1.onFailure(TransportAction.java:95)
at com.floragunn.searchguard.filter.SearchGuardFilter.apply(SearchGuardFilter.java:135)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:170)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:144)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:85)
at org.elasticsearch.indices.store.TransportNodesListShardStoreMetaData.list(TransportNodesListShardStoreMetaData.java:88)
at org.elasticsearch.gateway.AsyncShardFetch.asyncFetch(AsyncShardFetch.java:267)
at org.elasticsearch.gateway.AsyncShardFetch.fetchData(AsyncShardFetch.java:117)
at org.elasticsearch.gateway.GatewayAllocator$InternalReplicaShardAllocator.fetchData(GatewayAllocator.java:183)
at org.elasticsearch.gateway.ReplicaShardAllocator.processExistingRecoveries(ReplicaShardAllocator.java:77)
at org.elasticsearch.gateway.GatewayAllocator.allocateUnassigned(GatewayAllocator.java:122)
at org.elasticsearch.cluster.routing.allocation.allocator.ShardsAllocators.allocateUnassigned(ShardsAllocators.java:70)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:258)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:221)
at org.elasticsearch.cluster.routing.allocation.AllocationService.reroute(AllocationService.java:207)
at org.elasticsearch.cluster.routing.RoutingService$2.execute(RoutingService.java:154)
at org.elasticsearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:45)
at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:468)
at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:772)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: ElasticsearchException[unauthenticated request internal:cluster/nodes/indices/shard/store for user User [name=_sg_internal, roles=[]]]

So, now I would like to figure out how to give any authenticated user access to everything, so that searchguard is not doing any role checking.

Max Furman

Jul 6, 2016, 9:48:06 PM7/6/16
to Search Guard
In an old version of searchguard I was able to set 

   searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend

How can I get the same behavior with search-guard-2? I've been fumbling around with the sg_config.yml flipping various flags, but I don't feel like I'm getting any closer.

SG

Jul 7, 2016, 2:34:03 AM7/7/16
to search...@googlegroups.com
"noop" is what you're looking for.

The internal:cluster/nodes/indices/shard/store problem is fixed in Search Guard 2.3.3.2, pls update

Max Furman

Jul 7, 2016, 3:05:53 PM7/7/16
to Search Guard
Sorry, I'm not sure I understand where I'm supposed to add the "noop". I've tried adding the following to my elasticsearch.yml

   searchguard.authentication.authentication_backend.impl: noop

but, once I configure the backend_registry using the sgadmin.sh tool, any http request that I make fails w/ 
   
   [com.floragunn.searchguard.auth.BackendRegistry] Unexpected exception com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[user-name not found]

If you could provide an example of what field and where I should be setting to "noop" that would be really helpful. I see "noop" frequently in the sg_config.yml, but again, I'm not sure which key needs to be set to noop in order to get the behavior that I am interested in. Again, that behavior is to succeed all http requests w/out doing any verification.

Also, I appreciate the note on 2.3.3.2, just upgraded.

Max Furman

Jul 7, 2016, 5:18:26 PM7/7/16
to Search Guard
If I remove the search-guard-2 plugin I get the desired behavior. I assumed that I needed to have both search-guard-ssl and search-guard-2 plugins installed, but based on my needs I think I only need search-guard-ssl.

Still, it would be good to know how to completely disable search-guard-2 from doing any verification when it is installed.

SG

Jul 12, 2016, 1:11:07 PM7/12/16
to search...@googlegroups.com
If you just need SSL without any kind of authentication or authorization then SG SSL is all you have to install. For that you do not need to run the sgadmin tool.
But if you also need role-based authentication or authorization then you have to install *both* plugins and you need to run the sgadmin tool.