Searchguard for Kibana - bypass authentication


k.zhel...@sap.com

Mar 20, 2019, 9:11:03 AM
to Search Guard Community Forum
When asking questions, please provide the following information:
image: 6.5.4-oss-18
* JVM version and operating system version: 9

Hi, I am using Searchguard for Kibana. In my scenario, Kibana is exposed by Ingress. Can I reuse the username and the password from the Ingress, because otherwise I have to have a second authentication (one from Ingress and a second from Searchguard)?

SG

Mar 20, 2019, 9:26:16 AM
to search...@googlegroups.com
I guess proxy authentication will do the trick:

https://docs.search-guard.com/latest/kibana-authentication-proxy
https://docs.search-guard.com/latest/proxy-authentication

k.zhel...@sap.com

Mar 20, 2019, 9:46:41 AM
to search...@googlegroups.com
Actually there are 2 users in my Ingress. Every user has a different role. How can I send roles with this proxy, when the Ingress doesn't know about the roles?

k.zhel...@sap.com

Mar 20, 2019, 10:01:01 AM
to Search Guard Community Forum
In my case all I need is Kibana to catch the authorization header and to reuse it.

Jochen Kressin

Mar 20, 2019, 10:13:16 AM
to Search Guard Community Forum
If you use Basic Authentication in Kibana and you add HTTP Basic Authentication headers to an HTTP call to Kibana, our plugin will pick the headers up and use them for auth/auth.

k.zhel...@sap.com

Mar 20, 2019, 10:26:14 AM
to Search Guard Community Forum
I think I use Basic Authentication. Here are my config files.
kibana.yml
sg_config.yml

Jochen Kressin

Mar 20, 2019, 4:55:40 PM
to search...@googlegroups.com
I hope I understood your use case correctly, I am not an expert on Ingress. So when you write:

"In my case all I need is Kibana to catch the authorization header and to reuse it."

So I am assuming that the calls from Ingress to Kibana contain HTTP Basic headers, correct? If this is the case then Kibana should pick them up without the need to configure anything special. 

You would then use the roles mapping feature to assign Search Guard roles to these users:


If auth/auth takes place on Ingress and after that, you just have the (authenticated) username and the (authenticated) roles of the user (no password), then proxy authentication is the way to go:
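
Added example, not part of the original thread and not the poster's or the project's own files: a sketch of the proxy authentication setup mentioned above for Search Guard 6.x, assuming the Ingress sets an `x-proxy-user` header and that the Ingress and Kibana run at the constructed addresses `10.0.0.5` and `10.0.0.6`. The setting to check is `internalProxies`, because the user header is only as trustworthy as the set of hosts allowed to send it.

```yaml
# --- sg_config.yml (Search Guard 6.x); all addresses and header names are constructed ---
searchguard:
  dynamic:
    http:
      xff:
        enabled: true
        # Weak setting: '.*' trusts every sender, so any client that can reach
        # Elasticsearch directly can claim an identity via the user header.
        # internalProxies: '.*'
        # Corrected: list only the proxies you operate (assumed Ingress and Kibana IPs).
        internalProxies: '10\.0\.0\.5|10\.0\.0\.6'
        remoteIpHeader: 'x-forwarded-for'
    authc:
      proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            # Assumed header name. The Ingress must overwrite or strip any
            # client-supplied copy of this header before forwarding.
            user_header: 'x-proxy-user'
            # Optional. If the Ingress cannot supply roles, leave the header
            # unset and map the username in sg_roles_mapping.yml instead.
            roles_header: 'x-proxy-roles'
        authentication_backend:
          type: noop   # the proxy has already authenticated the user
---
# --- kibana.yml ---
searchguard.auth.type: "proxy"
# Kibana forwards only whitelisted headers to Elasticsearch.
elasticsearch.requestHeadersWhitelist: ["authorization", "x-forwarded-for", "x-proxy-user", "x-proxy-roles"]
```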

k.zhel...@sap.com

Mar 20, 2019, 6:58:57 PM
to search...@googlegroups.com
Yes, as you can see in the picture, the call contains an HTTP Basic header.
I already have the role-mapping roles in Searchguard, because I can authenticate successfully, but I actually want to bypass the login form from the Kibana-Searchguard plugin, because I have one authentication in front of the Ingress and I have to make a second authentication with the same credentials in front of the Kibana-Searchguard login form.

Screen Shot 2019-03-21 at 0.52.00.png


Jochen Kressin

Mar 25, 2019, 3:53:16 PM
to Search Guard Community Forum
Hi,

so, I think we've found the issue here, it is rooted in the request flow upon first log in. 

In order to skip the login dialogue, can you please try to use a deep link to Kibana for the initial request? Means, instead of using something like:


try:


The plugin will pick up the authentication headers and create the session cookie. This has been tested with 6.6.2, but should also work with 6.5.4.