I just defined the user in Elasticsearch (through Kibana UI) and want to test the user can reach and authorize in Elastic.
What endpoint can I use for testing a user is known to Elastic from the user's perspective? (no high privileges admin API)
All I tries required some kind of roles, requests looked like:
curl --basic --user user:pass https://evil.com:9200/_cat/indices
UPDTE With curl -v I see 401 / 403 to differentiate if password is correct, I'd like to have some endpoint that returns 200 for the correct password and 401 for incorrect or non existing user...
If I am understanding right so you just want to check if kibana is opening only with defined username and password or not.
So you can just hit
https://your_ip or kibana_ip_whichever_given:5601
or
http://your_ip or kibana_ip_whichever_given:5601
if you have used xpack.security in it then try https otherwise try it with http
You can use the X-Pack API to test if the user is known to the Elasticsearch cluster, without requiring high privileges. The API is available at the endpoint /_xpack/security/user/<username> and will return a 200 status code if the user is known and an error code (e.g. 401 or 403) if the user is not known or not authorized.
for more... https://discuss.elastic.co/t/216937
Related
How does a Lambda Authorizer detect if an IAM user has been Disable?
We have a two client servers of Iterable and Punchh. The first one uses a payload of just the base64 token of the username : password while the other server uses the username and password (password is masked).
These 2 servers are pushing (POST method) events down to our API Gateway. To avoid any ,malicious packets being sent down to the gateway, we use an IAM test user (dd_transfer in the example figures below) that can be disbaled once malicious packets are discovered. Thus the IAM test user should now be denied access to the API Gateways where both Punchh and Iterable are pushing their payloads.
When I have an active test user, they are allowed access to the API gateway whenever Punchh or Iterable webhooks push(Post) data. However when that same user is Disabled (password is null) in IAM, that user should not be allowed to access to the gateway. Unfortunately, the 2 external servers are still allowed access once the IAM test user has been deactivated/disabled. I don't want to program and search through a credentials report csv file using boto3 that's encoded to base64. This would expose too much account user info - very risky. Is there another way for the Lambda Authorizer function to determine when an IAM user has been deactivated?
Here are the screen shots below for code, gateway , and servers.
Note that the payloads for the two servers are represented differently. Punchh webhook admin page uses password and username while Iterable webhook admin page uses only the base64 encoded token.
Thanks
Lambda Authorizer Code
API Gateway Method (Note: Post and Get Method Requests are identical)
Lambda Authorizer configuration
Punchh Webhook page
Iterable Webhook Page
I found a safe way to determine whether the dd_transfer user is enabled or not and that is with using the GetLoginProfile API. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_login_profile
If there is a valid password for dd_transfer, then a LoginProfile object will be displayed in the response message, a 200 response code is returned, and the access to the API Gateway will be given when the policy is generated (‘Allow’).
However if the password is null because the dd_transfer has been disabled, a NoSuchEntity exception will be returned indicating that the Login Profile for User dd_transfer cannot be found. It’s blunt but at least I don’t have to worry about access being given to allow malicious events to bypass our API Gateway and into S3 buckets.
I have added a try/catch block to gracefully handle the error by calling the generate Policy function passing the ‘Deny’ parameter in order to generate the Deny Access policy.
It’s a lot less work than using the Credential Report API and then BASE 64 decoding each record in the text/csv file to look for dd_transfer’s entry. The csv file doesn’t expose actual raw data like passwords etc but GetLoginProfile takes less to write up. Then in the exception handler, I would make a call to the generate the Deny Policy.
I'm using Docker to setup some services and Traefik 2 acts as a reverse proxy for these services.
So far I was using Basic Auth to protect the access to the services, but I'm trying to get rid of the user/pass prompt.
Looking at the Traefik's documentation, I found the "ForwardAuth" middleware which seems fine. I'm planning to use it to replace Basic Auth, but a full implementation example is not provided as an example, and I'm having a hard time trying to set it up.
So far, thanks to Traefik forward-auth, I'm successfully calling a specific URL on a remote server in charge of the authentication (this server is developped with Spring Boot by myself). I understand that if the authentication server answers 200, it means "authentication success" while another code means "authentication failure".
Yet, I'm currently unable to write the authentication code on the remote server as I don't know how to check if I must return 200 or something else. Especially I don't know how to communicate information between Traefik and the authentication server.
Basically, the problems I have are:
I can't ask the user for his/her username/password using Traefik
When the authentication server receives the request from Traefik, it has no way to define that the source request was a previously authenticated user
The following picture shows most of my concerns:
What I'd like to achieve is the following behavior:
The user tries to access to the Docker services without entering any username/password
Traefik determines that the user is not authenticated, thanks to forward-auth it asks the authentication server for authentication
The authentication server determines that the user is not authenticated, the user is redirected to the login page
The user enters his/her username/password on the authentication server
The user is redirected to the Docker services
Traefik determines that the user is authenticated
So far, I can successfully achieve step 1 to 5, but I don't know how to achieve step 6.
Is this the right way to use ForwardAuth?
If it is, are there some headers I must use to transfer the auth information? If not, is it possible to achieve what I want using ForwardAuth?
As far as i understand, traefik also forwards Any headers accompaning the original request. If you are not filtering Any. see docs traefik forward-auth.
How might I authenticate GET requests to an elasticsearch API using Jmeter GUI. I know using curl I can authenticate using something like
curl -u user:password http://www.example.com
but Jmeter only has the following options
The Authorization Manager lets you specify one or more user logins for web pages that are restricted using server authentication. You see this type of authentication when you use your browser to access a restricted page, and your browser displays a login dialog box. JMeter transmits the login information when it encounters this type of page.
Some developer posted an example of basic auth here.
I've installed Shield plugin for ES and configured users with roles. But when I try to index some data with configured user, I always received this error:
[2015-11-22 10:31:58,795][INFO ][rest.suppressed ] /app-nginx-stats-2015-11-22/http-stats Params: {}
ElasticsearchSecurityException[unable to authenticate user [es_admin] for REST request [/app-nginx-stats-2015-11-22/http-stats]]
at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:39)
I know about issue with # in password so I've changed it to 123456 - doesn't help.
I also executed esusers list on ES node and I see my users in the output.
So what other common mistakes could lead to "unable to authenticate user" error? Or how can I debug such issues?
I'm trying to implement a oAuth login flow in a bash script.
The request I need to send to my API is:
curl -X GET 'http://account.lab.fiware.org/oauth2/authorize?response_type=token&client_id=my_client_id&redirect_uri=my_redirect_uri&state=testing'
I keep getting a 301 Moved Permanently Apache message referencing to the same address..
When trying the same url from my browser - it does work.
Is there a way that I can copy the browser behaviour with curl?
So, once the above request has been made I will be able to see the redirect location in order to get the token from?
that OAuth2 grant is thought to be used from a web browser. You have other grant types that can be user from server side. Take a look to:
http://fiware-idm.readthedocs.org/en/latest/oauth2.html#oauth2-authentication
BR