-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PKI Authentication support for Kibana #6119
Comments
The server authenticating and the user authenticating are two totally different systems. Kibana will only prompt for a username and password if Elasticsearch returns a 401. It looks like in your case a 401 is not being returned. I don't know enough about shield to know if you can configure PKI for certain users and username/password auth for others, but that's what you're trying todo here. I'd recommend filing a support ticket with Elastic to find out more about configuring Shield |
Hi, I work in support :) You can ping me on Slack if you want more details. But I already discussed this with @jaymode and one question I have. Is if Kibana always sends what is defined in |
Gotcha. I see what you're getting at here. Filing as a bug |
To summarize the issue here: If PKI authentication is defined for the Kibana serverside user, via
The PKI information should be used only for requests to ES made by the kibana server user; it should not be used for end-user requests. Today, this PKI information is attached to all requests, which is the issue. |
any news on that? |
@floragunncom No news, other than this is high on our priority list and will be worked on very soon. |
This is fixed in 5.2 onward. See #7341 if you're interested in PKI support for Kibana end-users. |
For anyone coming across this thread, this does not appear to be fixed. @skearns64 excellent summary above (#6119 (comment)) still appears to be the behaviour in v6.2.1. |
@nick-george would you mind elaborating upon your setup and the behavior that you're seeing that leads you to believe this is still broken in 6.2.1? |
Hi Brandon, Apologies for the last message lacking any detail. Below is a post that I made to the Searchguard mailing list recently, including some of the response. While it isn't using X-Pack, I believe the underlying issue is exactly the same. It seems that if Kibana is configured to use PKI to authenticate to Elasticsearch, then all users of Kibana inherit Kibana's permissions, and won't have their own.
I got a response from a Searchguard developer, which contained the following information.
Many thanks, |
Thanks for the clarification @nick-george, I'm looking into this in more depth and I'll let you know what I find. |
Hey @nick-george this will be resolved by the #17804. The old behavior was problematic when running Kibana without our X-Pack Security plugin or with the X-Pack Security plugin if the realms order in Elasticsearch has PKI taking precedence to the basic authentication. |
Many thanks for this Brandon, looking forward to trying it out! |
If I try to use PKI authentication for the kibana4 server user by using this configuration in the kibana.yml:
On the Elasticsearch side, I have setup PKI authentication for the DN in the certificate. This is my Shield config:
When I go to http://kibana:5601 I am never prompted for a password. But I do see that the Kibana server successfully authenticates:
If I stop Kibana, comment out the ssl.cert and key settings and set a username and password, start Kibana and refresh the browser I am prompted for a username and password. It seems like Kibana is not configured to prompt for a username & password when elasticsearch.username & elasticsearch.password is not set. I tested this on Kibana 4.1.1 and Kibana 4.3.1 and I had the same behavior. This is so that the Kibana server authentications with PKI and you don't need to store any password in kibana.yml and the user gets prompted from the browser to login.
The text was updated successfully, but these errors were encountered: