Kibana Embedded Dashboard Not Logging In after Enabling X-pack security plugin - elasticsearch

I am working with ELK Stack 7.x version. Here I am trying to embed a dashboard into another HTML page, but I am not able to log in to the embedded dashboard since I configured the X-Pack security plugin.

You should configure the Anonymous access
xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "anonymous_service_account"
      password: "anonymous_service_account_password"
Anyone with access to the network Kibana is exposed to will be able to
access Kibana. Make sure that you’ve properly restricted the
capabilities of the anonymous service account so that anonymous users
can’t perform destructive actions or escalate their own privileges.
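
One way to check the restriction the answer asks for, as an added example (not from the original answer or from Elastic): a Python audit of the role assigned to the anonymous service account, using the request-body layout of Kibana's role API. The role contents and index names are constructed, and treating anything other than `read` as a finding is an assumption of this example.

```python
# Added example: audit a Kibana role (role API body layout) meant for the
# anonymous service account. Both sample roles are constructed.
READ_ONLY_INDEX_PRIVS = {"read", "view_index_metadata"}

def audit_anonymous_role(role):
    """Return findings; an empty list means nothing beyond read was granted."""
    findings = []
    es = role.get("elasticsearch", {})
    if es.get("cluster"):
        findings.append(f"cluster privileges: {sorted(es['cluster'])}")
    if es.get("run_as"):
        findings.append(f"run_as users: {sorted(es['run_as'])}")
    for entry in es.get("indices", []):
        extra = set(entry.get("privileges", [])) - READ_ONLY_INDEX_PRIVS
        if extra:
            findings.append(f"indices {entry.get('names')}: {sorted(extra)}")
    for entry in role.get("kibana", []):
        spaces = entry.get("spaces", [])
        if "*" in spaces:
            findings.append("Kibana privileges apply to every space")
        base = [p for p in entry.get("base", []) if p != "read"]
        if base:
            findings.append(f"Kibana base privileges {base} in {spaces}")
        for feature, privs in entry.get("feature", {}).items():
            extra = [p for p in privs if p != "read"]
            if extra:
                findings.append(f"Kibana feature {feature}: {extra}")
    return findings

# Constructed: read-only access to one index pattern and dashboards only.
GOOD_ROLE = {
    "elasticsearch": {"cluster": [], "indices": [
        {"names": ["logs-web-*"], "privileges": ["read", "view_index_metadata"]}]},
    "kibana": [{"base": [], "feature": {"dashboard": ["read"]},
                "spaces": ["default"]}],
}
# Constructed: the kind of over-broad role the warning is about.
BAD_ROLE = {
    "elasticsearch": {"cluster": ["manage_security"], "indices": [
        {"names": ["*"], "privileges": ["all"]}]},
    "kibana": [{"base": ["all"], "feature": {}, "spaces": ["*"]}],
}

if __name__ == "__main__":
    for name, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(name, audit_anonymous_role(role) or "read-only")
```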

Related

How can I use a SAML Provider with an nginx proxy to access a VPC-Based Elasticsearch Kibana?

I am trying to provide end-users access to a VPC-Based Elasticsearch Cluster hosted on AWS. Users hit an nginx proxy which re-directs their request to Cognito, Cognito is configured to use AD FS. After a user authenticates Cognito cannot re-direct correctly as cross-origin cookies are not supported. This is documentation I was following DOCUMENTATION
Is there a way to make this system work?

How to Disable Elastic User access in Kibana Dashboard

I am trying to setup Elastic search log management...
I have enabled free X-Pack security for Kibana Dashboard authentication and created users with super access for my team members. Now I would like to disable elastic user login access in the Kibana Dashboard.
So elastic user access will work only for the Beats & Logstash configurations.
How can I disable elastic user kibana Dashboard access?
Read this link. Create a separate user with privileges required to only index data and use them in the output plugin for logstash and beats.

AWS kibana after login throws Missing Role error

I've started learning elasticsearch using AWS I followed this article to create elasticsearch and Kibana setup
After completing the setup, tried to log in using my user from user pool, after login I'm getting error "Missing Role"
url https://search-mytestdomain-xxxxxxxxxxxxxxxxxxxxxx.us-east-2.es.amazonaws.com/_plugin/kibana/customerror?type=missingRole#?_g=()
Was looking all over for the fix after following the same guide you linked. Came across this post during my searching and wanted to update my fix for that specific guide is to use Elasticsearch 6.2 when creating the domain.
I haven't tried any other versions but when I switched from ES 7.4 (latest) to 6.2 (which is mentioned in the guide) it worked with no issues.
What worked for me is below on ES 7.4,
Open Identity Pool
Click "Edit identity pool"
Authentication Providers
Authenticated Role Section
Choose role from token
Role resolution: DENY
This document had the answer that worked for me:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-iam
The real issue was that the role I was using on the identity pool and elasticsearch cluster did not have a trust relationship policy to allow the identity pool to assume the role. So login was succeeding, but the pool wasn't able to assume the role, and therefore there really was a missing role on the token that Kibana was receiving. Adding the trust relationship policy shown in step 4 of the doc in addition to the policy allowing kibana to assume the role, fixed the missing role issue for me and successfully passed my authenticated user into kibana's main interface.
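
The missing trust relationship described in the answer above can be checked offline. This is an added example, not code from the answer or from the AWS guide: it tests whether a role's trust policy lets a given Cognito identity pool assume the role. The pool ID and both policy documents are constructed, and requiring the `aud` condition is an assumption of this check.

```python
# Added example: does an IAM role trust policy let a given Cognito identity
# pool assume the role? Pool ID and both policies are constructed.
COGNITO = "cognito-identity.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def pool_can_assume(trust_policy, identity_pool_id):
    """True if an Allow statement trusts Cognito for this pool's logged-in users."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if COGNITO not in _as_list(principal.get("Federated", [])):
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(COGNITO + ":aud", []))
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(COGNITO + ":amr", []))
        # Require the pool ID so another identity pool cannot use the role.
        if identity_pool_id in aud and "authenticated" in amr:
            return True
    return False

POOL_ID = "us-east-2:00000000-0000-0000-0000-000000000000"  # constructed

# Constructed "before": only the service is trusted, so the pool's
# AssumeRoleWithWebIdentity call fails and the token carries no role.
SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "es.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

# Constructed "after": the identity pool is trusted as well.
WITH_POOL = {"Version": "2012-10-17", "Statement": SERVICE_ONLY["Statement"] + [
    {"Effect": "Allow", "Principal": {"Federated": COGNITO},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {
         "StringEquals": {COGNITO + ":aud": POOL_ID},
         "ForAnyValue:StringLike": {COGNITO + ":amr": "authenticated"}}}]}

if __name__ == "__main__":
    print(pool_can_assume(SERVICE_ONLY, POOL_ID), pool_can_assume(WITH_POOL, POOL_ID))
```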

Google Cloud Logging Authentication / permissions

I am using the Golang library cloud.google.com/go/logging and want to send runtime logging.
Already have a GOOGLE_APPLICATION_CREDENTIALS .json file - and am using google storage and firebase - so I know the credentials are working.
With logging, I get an error "Error 403: The caller does not have permission, forbidden"
The account in the application credentials is a service account and I have been looking at the IAM permissions. There is not an obvious permission for logging (there are other stackdriver permissions, for debug, trace etc but these don't seem to work).
So assuming I am in the right place so far - what permissions does the service account need in order to send logging data to stackdriver logging?
If we look at the API for writing entries to a log we find that the IAM permission logging.logEntries.create is required.
A more detailed article can be found at Access control guide.
This describes a variety of roles including:
roles/logging.logWriter
According to the official documentation:
Using Stackdriver Logging library for Go requires the Cloud IAM Logs
Writer role on Google Cloud. Most Google Cloud environments provide
this role by default.
1. App Engine grants the Logs Writer role by default.
2. On Google Kubernetes Engine, you must add the logging.write access scope when creating the cluster:
3. When using Compute Engine VM instances, add the cloud-platform access scope to each instance.
4. To use the Stackdriver Logging library for Go outside of Google Cloud, including running the library on your own workstation, on your data center's computers, or on the VM instances of another cloud provider, you must supply your Google Cloud project ID and appropriate service account credentials directly to the Stackdriver Logging library for Go.
You can create and obtain service account credentials manually. When specifying the Role field, use the Logs Writer role. For more information on Cloud Identity and Access Management roles, go to Access control guide.
Setting Up Stackdriver Logging for Go
gcloud iam service-accounts list
gcloud projects add-iam-policy-binding my-project-123 \
  --member serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com \
  --role roles/logging.logWriter

searchguard for SSL communication in ELK

I was able to achieve basic username/password authentication for ELK using searchguard on the Windows platform.
Now I am trying to establish secure communication. I have performed the following changes,
In elasticsearch.yml
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: 221749a2add117cf889f
searchguard.ssl.http.truststore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\truststore.jks
searchguard.ssl.http.truststore_password: 6d6cf1cc017dc874960b
searchguard.authcz.admin_dn:
- CN=sgadmin
searchguard.ssl.transport.keystore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: 221749a2add117cf889f
searchguard.ssl.transport.truststore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\truststore.jks
searchguard.ssl.transport.truststore_password: 6d6cf1cc017dc874960b
In Kibana.yml
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
If I log in to Kibana using http://localhost:5601, it asks for a username and password. I don't know what credentials to enter here. I tried admin/admin. It's not working. Before I gave the searchguard.ssl.http.... configurations, admin/admin was working fine.
After I added all the searchguard.ssl.http related configuration, the credentials are not working.
I am sure there is some other configuration in kibana.yml w.r.t. searchguard configuration. I am not able to find it online. Can anyone please help me here on what is missing?
Enabling TLS on the REST layer does not have any impact on user authentication/authorisation. The only difference is:
If you enable TLS on REST layer, only HTTPS access is allowed. You will see an error message if you try to access ES with HTTP
If you disable TLS on REST layer, only HTTP access is allowed. You will see an error message if you try to access ES with HTTPS.
Search Guard will authenticate the credentials against the configured authentication backend in sg_config.yml. If you use the default configuration that ships with Search Guard, it will use the internal user database and the users defined in internal_users.yml. The default "admin" user has full access to all indices and types, so you should be able to use this user to log into Kibana. If you need a user with limited access, the corresponding demo user is "kibanaro". Please refer to internal_users.yml to see all demo users.
Since ES 5.0.2, you need to install the Search Guard Kibana plugin for full authentication and session support. You can find the plugin on the corresponding GitHub repository. You install it like any other Kibana plugin, for example:
bin/kibana-plugin install https://github.com/floragunncom/search-guard-kibana-plugin/releases/download/v5.4.3-3/searchguard-kibana-5.4.3-3.zip
If you do not need advanced stuff like multi-tenancy or JWT Single Sign-on, it should start and work out of the box.
If this does not help, please post the output of your Elasticsearch log files when trying to log in.
Disclaimer: I work for floragunn, makers of Search Guard.
