authentication failed through jwt


Johnson C

Jan 23, 2018, 3:01:38 AM
to Search Guard Community Forum
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Version Info:
Elasticsearch version:6.1.1-20.1, Search Guard Version: 6.1.1; Kibana: 6.1.1;
JVM version: 1.8.0_131, Win 10;

Problem:

With some help from this group, I finally enabled the jwt_auth_domain.
But I still can't log in to Kibana through JWT. Below is my configuration.

elasticsearch.yml:
######## Start Search Guard Demo Configuration ########
***
######## End Search Guard Demo Configuration ########
searchguard.cache.ttl_minutes: 0

kibana.yml:
elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader


sg_config.yml:
jwt_auth_domain:
        enabled: true
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "key..."
            jwt_header: "jwtheader"
            jwt_url_parameter: "Authorization"
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop




Login failed for both Elasticsearch and Kibana. Here are the three methods I've tried.

1. https://localhost:9200/?authorization=<token>

2. http://localhost:5601/?jwtparam=<token>

3. http://localhost:5601 with header




Johnson C

Jan 23, 2018, 9:17:52 PM
to Search Guard Community Forum
Logging in to ES with the Authorization header, I got this error:

[2018-01-24T10:15:12,353][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2018-01-24T10:15:12,353][WARN ][c.f.s.a.BackendRegistry  ] Authentication finally failed for null

Johnson C

Jan 23, 2018, 9:22:55 PM
to Search Guard Community Forum
After changing Bearer to Basic, I got this error:
Authentication finally failed for {"alg"
I think this is the header of the JWT token, but why?
Doesn't ES support JWT authorization?

Johnson C

Jan 23, 2018, 9:52:32 PM
to Search Guard Community Forum
After enabling error logging in ES, it turns out the signature is not right.

Add the following lines in config/log4j2.properties and restart your node:

logger.searchguard.name = com.floragunn
logger.searchguard.level = debug

This will already print out a lot of helpful information in your log file. If this information is not sufficient, you can also set the log level to trace.
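
Added example, not part of the original posts and not Search Guard code: an offline check that reproduces a "signature not right" result for an HS256 token before touching the cluster. It assumes the behaviour described in the Search Guard documentation, where signing_key for a symmetric algorithm is the base64-encoded shared secret; the helper names, the secret and the claims are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 test token (stands in for the real issuer)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def diagnose(token: str, signing_key: str) -> dict:
    """Explain how a token verifies against the signing_key string from sg_config.yml."""
    token = token.strip()
    if token.lower().startswith("bearer "):      # accept a pasted header value
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "not a three-part JWT"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:
        return {"ok": False, "reason": "segment is not valid base64url/JSON"}
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"ok": False, "reason": "only HS256 is handled in this sketch"}
    signed = f"{parts[0]}.{parts[1]}".encode()
    def matches(key: bytes) -> bool:
        mac = hmac.new(key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(mac, sig)
    try:  # assumption: configured key is the base64 form of the shared secret
        decoded = base64.b64decode(signing_key, validate=True)
    except ValueError:
        decoded = b""
    if decoded and matches(decoded):
        return {"ok": True, "reason": "signature valid", "claims": claims}
    if matches(signing_key.encode()):
        return {"ok": False, "reason": "issuer signed with the literal key text"}
    return {"ok": False, "reason": "signature mismatch"}

# Constructed sample values, not taken from the thread.
DEMO_SECRET = b"constructed-demo-secret-32-bytes"
DEMO_KEY = base64.b64encode(DEMO_SECRET).decode()
DEMO_TOKEN = make_hs256({"sub": "admin", "roles": "sg_all_access"}, DEMO_SECRET)
```

Calling `diagnose(token, signing_key)` with a real token and the configured key string separates a key-encoding mismatch from a wrong secret or an altered token.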

Johnson C

Jan 24, 2018, 1:23:42 AM
to Search Guard Community Forum
Finally, I logged in with JWT. If you want to use JWT in Kibana, you need to disable basic_auth:
elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader

But I got another odd problem:

If I logged in as admin:
{"message":"no permissions for [indices:data/read/search] and User [name=admin, roles=[sg_all_access], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=admin, roles=[sg_all_access], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

If I logged in as kibanaserver:
Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=[sg_all_access], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=kibanaserver, roles=[sg_all_access], requestedTenant=null]"},"status":403}
    at http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:650116
    at Function.Promise.try (http://localhost:5601/bundles/commons.bundle.js?v=16350:56:19076)
    at http://localhost:5601/bundles/commons.bundle.js?v=16350:56:18464
    at Array.map (<anonymous>)
    at Function.Promise.map (http://localhost:5601/bundles/commons.bundle.js?v=16350:56:18422)
    at callResponseHandlers (http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:649694)
    at http://localhost:5601/bundles/kibana.bundle.js?v=16350:61:639054
    at processQueue (http://localhost:5601/bundles/commons.bundle.js?v=16350:35:132456)
    at http://localhost:5601/bundles/commons.bundle.js?v=16350:35:133349
    at Scope.$digest (http://localhost:5601/bundles/commons.bundle.js?v=16350:35:144239)

SG

Feb 1, 2018, 4:16:07 PM
to search...@googlegroups.com
I guess you got confused with backendroles and Search Guard roles.

User [name=admin, roles=[sg_all_access] -> sg_all_access is a backendrole here, not a Search Guard role.

See http://docs.search-guard.com/latest/mapping-users-roles#map-users-backend-roles-and-hosts-to-search-guard-roles and http://docs.search-guard.com/latest/role-mapping-modes#mode-backendroles_only
> Login failed for both Elasticsearch and Kibana. Here are the three methods I've tried.
>
> 1. https://localhost:9200/?authorization=<token>
>
> 2. http://localhost:5601/?jwtparam=<token>
>
> 3. http://localhost:5601 with header
