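# sg_config.yml, authc excerpt (these domains nest under searchguard.dynamic.authc
# in the full file). Indentation restored; the pasted version was flattened, which
# would make every key a sibling instead of a child.
basic_internal_auth_domain:
  http_enabled: false
  transport_enabled: true
  order: 4
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: intern
jwt_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      # Placeholder as posted. HS256 is a shared secret: whoever holds it can mint
      # tokens for any subject, so keep the real value out of posts and VCS.
      signing_key: "endocedKey="
      jwt_header: "Authorization"
      # Accepting the token from the query string means it ends up in server,
      # proxy and browser-history logs; prefer the header where the client allows it.
      jwt_url_parameter: "jwtoken"
      roles_key: null
      subject_key: "login"
  authentication_backend:
    type: noop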
http://localhost:5601?jwtoken=eyJhbGciOiJI???cCI6IkpXVCJ9.eyJsb2dpb???0IjoxNTE2MjM5MDI1fQ.g8mW0eCCYIszi???hIoA1YGYg0n7pN1tZqbIKO8
http_enabled: true
The Search Guard license key is not valid for this cluster. Please contact your system administrator.
# kibana.yml (Search Guard Kibana plugin): read the JWT from the "jwtoken" query
# parameter or the "authorization" header. Other snippets in this thread spell the
# header "Authorization"; whether the plugin's lookup is case-insensitive is not
# shown here — verify before relying on the lowercase form.
searchguard.jwt.url_param: "jwtoken"
searchguard.jwt.header: "authorization"
# kibana.yml: switch the Kibana plugin from basic auth to JWT. The "..." values
# are elisions by the poster, not literal settings.
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: "..."
searchguard.jwt.header: "..."
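# kibana.yml: three settings that were run together on one line in the post;
# as pasted, YAML would read everything after the first value as part of that
# string. One setting per line.
searchguard.auth.type: "jwt"
searchguard.jwt.url_param: "urltoken"
searchguard.jwt.header: "authorization"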
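# sg_config.yml as posted, with indentation restored (the paste was flattened).
searchguard:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: 'kibanaserver'
      index: '.kibana'
      do_not_fail_on_forbidden: false
    # Trial license as posted (base64 of a PGP-signed JSON blob); the poster
    # truncated it with "...". A license is not a secret, but keep real ones
    # out of public threads anyway.
    license: LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEE1MTIKCnsKICAgICJ1aWQiOiAiN0RDMTBGNjItMEY1RC00QzI1LTg0OTktQjEwQUFEODgxNDdCIiwKICAgICJ0eXBlIjogIlRSSUFMIiwKICAgICJpc3N1ZWRfZGF0ZSI6ICIyMDE4LTA1LTA0IiwKI...6ZlFnMlJrMy9PZmdtVWVFZ1lkMnkwZU0KPTRWUTMKLS0tLS1FTkQgUEdQIFNJR05BVFVSRS0tLS0tCg==
    http:
      anonymous_auth_enabled: false
      xff:
        # Disabled here, so X-Forwarded-For is ignored and the TCP peer address
        # is used. If enabled, internalProxies must list only the real proxies;
        # otherwise any client can spoof its remote address.
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'  # regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos  # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # The post shows "intern" on the line after "type:"; a same-indent
          # continuation does not parse, so the value is kept on one line.
          type: intern
      proxy_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: jwt
          challenge: false
          config:
            # Same value appears in several snippets of this thread, which suggests
            # a copied sample key. HS256 is a shared secret: anyone holding it can
            # sign a token for any subject, so generate a per-deployment value.
            signing_key: "R2gjZzYzaDgkNXZEXzZHMzg="
            jwt_header: "Authorization"
            roles_key: null
            subject_key: "login"
        authentication_backend:
          # Posted as "noop" on the line after "type:"; see basic_internal_auth_domain.
          type: noop
      clientcert_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn  # optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap  # NOT FREE FOR COMMERCIAL USE
          config:
            # Domain is disabled above. If it is ever enabled, note that with
            # enable_ssl and enable_start_tls both false the bind (and the user's
            # password) travel in cleartext to the LDAP host.
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: null
    authz:
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap  # NOT FREE FOR COMMERCIAL USE
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap  # NOT FREE FOR COMMERCIAL USE
          # config goes here ...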
* elasticsearch.yml
# elasticsearch.yml as posted (single-node Windows install, Search Guard 6.x).
bootstrap.memory_lock: false
cluster.name: elasticsearch
http.port: 9200
node.data: true
node.ingest: false
node.master: true
node.name: DESKTOP-7DELR8K
# Unquoted Windows paths are fine as plain scalars (backslash is not an escape
# outside double quotes); quote them if they ever start with a YAML indicator.
path.data: D:\Program Files\Elastic\ElasticSearch\6.2.4\data
path.logs: D:\Program Files\Elastic\ElasticSearch\6.2.4\logs
transport.tcp.port: 9300
script.max_compilations_rate: 150/5m
# Transport and HTTP TLS both use the same node certificate (esnode.pem) and CA.
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# Hostname verification off: a peer presenting any certificate signed by root-ca
# is accepted regardless of the name in it. Acceptable only for a local demo.
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
# The demo certificates (and the kirk/spock admin client certs below) ship with
# the plugin and are public; anyone with them can administer the cluster.
# Must be false, with a private PKI, on anything reachable by others.
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test,C=de
- CN=spock,OU=client,O=client,L=test,C=de
searchguard.enterprise_modules_enabled: true
# "..." is an elision by the poster (it would parse as the literal string "...").
searchguard.restapi.roles_enabled: ["sg_all_access", ...]
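# kibana.yml as posted. Settings are flat dotted keys, as Kibana reads them.
server.port: 5601
elasticsearch.url: "https://localhost:9200"
kibana.index: ".kibana"
kibana.defaultAppId: "dashboard/27c5ef70-93e4-11e8-ad0a-0dcabb9df641"
# Demo credentials for the Kibana server user; change them (and the matching
# internal-users entry) before the stack is reachable by anyone else.
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.certificateAuthorities: "D:/Program Files/Elastic/ElasticSearch/6.2.4/config/root-ca.pem"
elasticsearch.ssl.verificationMode: full
elasticsearch.pingTimeout: 1500
elasticsearch.requestTimeout: 30000
# "Authorization" must be forwarded so the Bearer token reaches Elasticsearch;
# "sgtenant" is the tenant-selection header used by the plugin.
elasticsearch.requestHeadersWhitelist: ["sgtenant", "Authorization"]
# The posted file set searchguard.basicauth.enabled twice (false here, true
# further down). Most YAML parsers silently keep the LAST duplicate, so basic
# auth was effectively on while JWT was also enabled. Keep a single key.
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.header: "Authorization"
# Token in the query string is also logged by proxies/browsers; see sg_config.yml.
searchguard.jwt.url_param: "jwtoken"
searchguard.multitenancy.enabled: true
searchguard.multitenancy.enable_filter: true
searchguard.multitenancy.tenants.enable_global: false
searchguard.multitenancy.tenants.enable_private: false
searchguard.multitenancy.tenants.preferred: ["nTenant", "bTenant"]
searchguard.basicauth.forbidden_usernames: ["kibanaserver", "logstash"]
# Redacted in the post. Use a long random value dedicated to cookie protection;
# do not reuse the Elasticsearch password here.
searchguard.cookie.password: "jkkhk...87ad"
searchguard.readonly_mode.roles: ["sg_Users", "sg_nUsers"]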
http://localhost:5601/login?jwtoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpbiI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDI1fQ.g8mW0eCCYIszivhOsEqZhIoA1YGYg0n7pN1tZqbIKO8
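# sg_config.yml authc excerpt (nests under searchguard.dynamic.authc); indentation
# restored from the flattened paste.
basic_internal_auth_domain:
  http_enabled: false
  transport_enabled: true
  order: 0
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: intern
jwt_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: jwt
    challenge: false
    config:
      # Shared HS256 secret; treat like a password and rotate it if it was
      # ever posted. The example token in this thread carries only "login"
      # and "iat" claims (see authinfo output), so with no "exp" it stays
      # valid for as long as this key does.
      signing_key: "R2gjZzYzaDgkNXZEXzZHMzg="
      jwt_header: "Authorization"
      roles_key: null
      subject_key: "login"
  authentication_backend:
    type: noop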
http://localhost:5601/app/kibana#/home?_g=()&jwtoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpbiI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDI1fQ.g8mW0eCCYIszivhOsEqZhIoA1YGYg0n7pN1tZqbIKO8
https://localhost:9200/_searchguard/authinfo -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpbiI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDI1fQ.g8mW0eCCYIszivhOsEqZhIoA1YGYg0n7pN1tZqbIKO8"
{
"user": "User [name=admin, roles=[], requestedTenant=null]",
"user_name": "admin",
"user_requested_tenant": null,
"remote_address": "127.0.0.1:57741",
"backend_roles": [],
"custom_attribute_names": [
"attr.jwt.iat",
"attr.jwt.login"
],
"sg_roles": [
"sg_own_index"
],
"sg_tenants": {
"admin": true
},
"principal": null,
"peer_certificates": "0"
}
So for me this means that the problem is only on the Kibana side.
{ "user": "User [name=admin, roles=[], requestedTenant=null]", "user_name": "admin", "user_requested_tenant": null, "remote_address": "127.0.0.1:50521", "backend_roles": [], "custom_attribute_names": [ "attr.jwt.iat", "attr.jwt.login" ], "sg_roles": [ "sg_own_index" ], "sg_tenants": { "admin": true }, "principal": null, "peer_certificates": "0" }
http://localhost:5601/login?jwtoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpbiI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDI1fQ.g8mW0eCCYIszivhOsEqZhIoA1YGYg0n7pN1tZqbIKO8
statusCode: 404 error: "Not Found" message: "Not Found"
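// Fragment of a method body (the enclosing method is not shown in the post).
// Token is hard-coded for the example only; in real code load it from
// configuration or a secret store and keep it out of source control.
string token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpbiI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDI1fQ.g8mW0eCCYIszivhOsEqZhIoA1YGYg0n7pN1tZqbIKO8";
string path = "http://localhost:5601";
Uri uri = new Uri(path);
WebRequest wr = WebRequest.Create(uri);
HttpWebRequest req = (HttpWebRequest)wr;
req.PreAuthenticate = true;
// Bearer token in the header named by searchguard.jwt.header in kibana.yml.
req.Headers.Add("Authorization", "Bearer " + token);
req.Accept = "application/json";
// The original never disposed the response, stream or reader, so the underlying
// connection could stay held until the GC ran; using-blocks release them even
// if ReadToEnd throws. `json` stays in the outer scope for the code that follows.
string json;
using (WebResponse res = req.GetResponse())
using (Stream stream = res.GetResponseStream())
{
    if (stream == null)
        return;
    // Kibana answers in UTF-8; Encoding.Default is the platform ANSI code page
    // on .NET Framework and would mangle non-ASCII characters.
    using (StreamReader sr = new StreamReader(stream, Encoding.UTF8))
    {
        json = sr.ReadToEnd();
    }
}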
<!-- Response body apparently returned by Kibana for the request above: Kibana's
     client-side redirect to /app/kibana, not the JSON the Accept header asked for.
     Kibana's entry page expects a browser session (cookie), not a raw API token. -->
<script>var hashRoute = '/app/kibana';
var defaultRoute = '/app/kibana';
var hash = window.location.hash;
if (hash.length) {
window.location = hashRoute + hash;
} else {
window.location = defaultRoute;
}</script>
// Puts the token in the query string; it will then show up in server, proxy and
// browser-history logs. The Bearer header used above is the safer channel.
path += "/login?jwtoken=" + token;
Error: 404; message: "Not Found"
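# kibana.yml excerpt; the post ran several settings together on one line, which
# YAML would read as one long string value. One setting per line.
searchguard.basicauth.enabled: false
# Quoted as posted, so this is the string "true" rather than a boolean; whether
# the plugin coerces it is not shown here — the other snippets use a bare true.
searchguard.jwt.enabled: "true"
searchguard.jwt.url_param: "..."
searchguard.jwt.header: "jwtheader"
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "jwtheader"]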
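# sg_config.yml excerpt; the post collapsed it onto a few lines, structure restored.
searchguard:
  dynamic:
    kibana:
      do_not_fail_on_forbidden: true
      composite_enabled: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        #internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        # '.*' for both patterns means X-Forwarded-For is honoured from ANY peer,
        # so a direct client can set its own remote address (as reported in
        # authinfo, audit logs and any IP-based rules). Restrict both to the
        # real proxy addresses before this leaves a local test setup.
        internalProxies: '.*'  # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        trustedProxies: '.*'  # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      jwt_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: jwt
          challenge: false
          config:
            # Redacted in the post. Shared HS256 secret: holders can sign tokens
            # for any username and any role claim.
            signing_key: "..."
            jwt_header: "jwtheader"
            # Roles now come from the token's "roles" claim, so the signing key
            # alone decides who gets which backend roles.
            roles_key: roles
            subject_key: username
        authentication_backend:
          type: noop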
<!-- Same redirect page as before, apparently still returned after the config
     change above: Kibana's /app/kibana entry redirect rather than a JSON body. -->
<script>var hashRoute = '/app/kibana';
var defaultRoute = '/app/kibana';
var hash = window.location.hash;
if (hash.length) {
window.location = hashRoute + hash;
} else {
window.location = defaultRoute;
}</script>
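# sg_roles_mapping.yml excerpt (indentation restored). With roles_key: roles in
# sg_config.yml, any token whose "roles" claim contains "admin" is mapped to
# sg_all_access — the JWT signing key therefore guards full cluster access.
sg_all_access:
  readonly: true
  backendroles:
    - admin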
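# sg_internal_users.yml excerpt (indentation restored).
admin:
  username: Administrator
  readonly: true
  # bcrypt hash, truncated in the post; generate real values with the plugin's
  # hash tool and never store cleartext passwords here.
  hash: $2a$12$VcCDg.TOG
  roles:
    - admin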
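# sg_roles.yml excerpt (indentation restored): unrestricted cluster and index
# permissions plus read/write on admin_tenant.
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW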