Elastic Cloud, Filebeat, and Key/Token Authentication - elasticsearch

Is it possible to configure filebeat to communicate with an Elastic Cloud instance using token authentication?
According to the docs, if I'm using a cloud instance I should configure cloud.id and cloud.auth in filebeat.yml
cloud.id: "..."
cloud.auth: "filebeat_setup:YOUR_PASSWORD"
The docs say that cloud.auth should be a username and password from my Elastic Cloud instance. I'd like to use an api_key instead. However, when I configure an API key
output.elasticsearch:
  # Authentication credentials - either API key or username/password.
  api_key: "key-id:key-value"
and attempt to test my connection,
$ sudo filebeat test output
elasticsearch: https://...:443...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 52.202.123.120, 18.214.74.184, 50.19.154.221
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... ERROR 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
It appears that filebeat doesn't acknowledge my API Key
"root_cause":[
{
"type":"security_exception",
"reason":"missing authentication credentials for REST request [/]"
/* ... */
I've had success connecting to my cloud instance with the @elastic/elasticsearch javascript package using this token.
Before I continue to debug this problem -- is it even possible to use token authentication to connect to Elasticsearch via filebeat? Or does filebeat only support username/password authentication?

The answer to this question turned out to be: Yes, you can use an api_key with filebeat, even if you're using elastic cloud.
While the error message received during my config test
missing authentication credentials for REST request
indicated the authentication was missing, the real problem was the key I had had previous success with had recently expired. I presume filebeat tried the API key, was rejected, and then fell back to trying the user credentials. When those credentials were missing, it gave the above error.
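The rejection above can be reproduced outside Filebeat. As an added example (not part of the question or the answer, and not Filebeat's own code), the shell functions below turn the id:api_key string that Filebeat's api_key setting takes into the Authorization: ApiKey header Elasticsearch accepts (the value is the same string base64-encoded), classify a 401 body like the ones quoted on this page by its first "reason" field, and, when ES_URL and ES_API_KEY are set, call /_security/_authenticate with curl so you see the server's own reason instead of the generic message Filebeat surfaced. The variable names, the api-key-rejected bucket and the wording of the expired-key sample body are assumptions; only the first two sample bodies are taken from this page.

```sh
#!/bin/sh
# Added example: check an Elasticsearch API key independently of Filebeat.
# Not from the question, the answer, or Filebeat. Only check_api_key needs
# network access; the other functions work on JSON text alone.
set -eu

# Filebeat's api_key setting is "id:api_key". Elasticsearch wants exactly
# that string, base64-encoded, in an "Authorization: ApiKey ..." header.
apikey_header() {
  printf 'Authorization: ApiKey %s\n' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# First "reason" field of an Elasticsearch error body (root_cause comes first).
es_error_reason() {
  printf '%s' "$1" | grep -o '"reason":"[^"]*"' | head -n 1 | cut -d'"' -f4
}

# Map the reason text onto the failures seen on this page: no credentials
# reached the server, a bad username/password, or a key the server rejected.
# The expired/invalidated wording is an assumption about the server message.
classify_es_401() {
  reason=$(es_error_reason "$1")
  case $reason in
    *"missing authentication credentials"*) echo no-credentials-sent ;;
    *"unable to authenticate user"*)        echo bad-username-or-password ;;
    *expired*|*invalidated*)                echo api-key-rejected ;;
    *)                                      echo other ;;
  esac
}

# Live check: GET /_security/_authenticate with the API key header.
# Prints the HTTP status and, on 401, the classification.
# Usage: check_api_key https://host:443 "id:api_key"
check_api_key() {
  url=$1; idkey=$2
  body=$(mktemp)
  status=$(curl -sS -o "$body" -w '%{http_code}' \
    -H "$(apikey_header "$idkey")" "$url/_security/_authenticate")
  if [ "$status" = 401 ]; then
    echo "401 $(classify_es_401 "$(cat "$body")")"
  else
    echo "$status"
  fi
  rm -f "$body"
}

# Constructed sample bodies. The first two are abbreviated from the 401
# responses quoted on this page; the third is an assumed expired-key reason.
MISSING='{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]"}]},"status":401}'
BADUSER='{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [USER_EMAIL] for REST request [/]"}]},"status":401}'
EXPIRED='{"error":{"root_cause":[{"type":"security_exception","reason":"api key is expired"}]},"status":401}'

classify_es_401 "$MISSING"
classify_es_401 "$BADUSER"
classify_es_401 "$EXPIRED"

# Only talk to a real cluster when both variables are provided.
if [ -n "${ES_URL:-}" ] && [ -n "${ES_API_KEY:-}" ]; then
  check_api_key "$ES_URL" "$ES_API_KEY"
fi
```

A valid, unexpired key returns 200 from /_security/_authenticate together with the key's owner and roles; a key that has lapsed returns 401 with the server's reason, which is the check the answer above reached by trial and error. With a user that may manage API keys, GET /_security/api_key?id=<key-id> also shows the key's expiration timestamp, so the lifetime can be confirmed before rotating the value in filebeat.yml.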

Related

Keycloak fails to authenticate openid-connect token in cluster mode

I'm running two keycloak docker instances and configured the cluster as specified here https://hub.docker.com/r/jboss/keycloak/
I am able to see logs related to clustering and two records in the JGROUPSPING table. It also works when I authenticate (openid-connect) through Host1, get an access token/refresh token, and then retrieve a new access_token using the refresh token via Host2, which I believe means the clustering setup is working.
But I'm getting a 401 error when I make an API call to Host2 using either the access token I received from Host1 or the access_token I got from Host1's refresh token. It works only when I use an access_token received from the same host.
My understanding is that since these access_tokens aren't related to cookies, it should work seamlessly. But it fails.
I had a problem with the verification of the access token signature.
The access tokens are signed by Keycloak with a keystore. If you don't have a certificate and key mounted in the Docker container, this keystore will be different between the nodes in your cluster, and a token generated by one node will not be valid for another node.
So you have to follow the "Setting up TLS(SSL)" part of the documentation of the Docker image.

How can I add oidc client secret on Elasticsearch keystore when it is running in K8S?

I have a self-hosted Elasticsearch cluster running in AWS EKS and I'd like to set up oidc authentication. I followed the instructions: https://www.elastic.co/guide/en/cloud/current/ec-secure-clusters-oidc.html#ec-oidc-client-secret
In the client-secret setting, it mentions
You’ll need to add the client secret to the keystore
so I launched the ES cluster with basic authentication and added the secret to keystore by using the command elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret.
After that I updated the ES yaml file to include the configuration:
xpack:
  security:
    authc:
      realms:
        oidc:
          oidc-realm-name:
            order: 2
            rp.client_id: "client-id"
            rp.response_type: "code"
            rp.redirect_uri: "<KIBANA_ENDPOINT_URL>/api/security/v1/oidc"
            op.issuer: "<check with your OpenID Connect Provider>"
            op.authorization_endpoint: "<check with your OpenID Connect Provider>"
            op.token_endpoint: "<check with your OpenID Connect Provider>"
            op.userinfo_endpoint: "<check with your OpenID Connect Provider>"
            op.jwkset_path: "<check with your OpenID Connect Provider>"
            claims.principal: sub
            claims.groups: "http://example.info/claims/groups"
then I ran rollout restart to restart the pod, but I got the error below when launching the Elasticsearch cluster:
java.lang.IllegalStateException: security initialization failed
Likely root cause: SettingsException[The configuration setting [xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret] is required]
it seems that ES doesn't find the secret I added in Keystore.
Then I realised that it lost the keystore when I ran rollout restart to apply the oidc configuration. So my question is: what is the right way to add OIDC to Elasticsearch in K8S?
If you're using Helm for your deployment, the best way is to add it to the values of the chart.
You'll need to create a secret in your cluster, which will be added to the keystore by an InitContainer.
More details are in the Helm chart README.
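The answer points at the Helm chart, whose init container does the keystore work for you. For a deployment that does not use that chart, an init container can do the same thing with a short script. The one below is an added example (not from the question, the answer, or the Helm chart): it rebuilds the keystore on every pod start from a Secret mounted as a directory, using each file name as the setting name, and writes into the config directory that the Elasticsearch container shares with the init container, so a rollout restart recreates the entries instead of losing them. The paths, the KEYSTORE_BIN and ES_PATH_CONF variables and the mount layout are assumptions; the setting name in the usage below matches the one in the error message above.

```sh
#!/bin/sh
# Added example: init-container script that populates the Elasticsearch
# keystore from a mounted Kubernetes Secret. Not from the question, the
# answer, or the Helm chart. Paths and variable names are assumptions.
set -eu

# Where the shared config volume is mounted and where the keystore tool lives.
: "${ES_PATH_CONF:=/usr/share/elasticsearch/config}"
: "${KEYSTORE_BIN:=/usr/share/elasticsearch/bin/elasticsearch-keystore}"

# Every regular file in the Secret volume becomes one keystore entry:
# the file name is the setting name, the file content is the value.
build_keystore_from_dir() {
  secret_dir=$1
  # A fresh pod has no keystore on the volume; create it before adding.
  if [ ! -f "$ES_PATH_CONF/elasticsearch.keystore" ]; then
    "$KEYSTORE_BIN" create
  fi
  for f in "$secret_dir"/*; do
    # Secret volumes contain a ..data directory; only take regular files
    # (the per-key symlinks pass this test).
    [ -f "$f" ] || continue
    name=$(basename "$f")
    # --stdin reads the value from stdin, --force overwrites an existing
    # entry so re-running on every start is idempotent.
    "$KEYSTORE_BIN" add --stdin --force "$name" < "$f"
    echo "added keystore setting $name"
  done
}

# Usage: build-keystore.sh /mnt/es-secrets
if [ $# -gt 0 ]; then
  build_keystore_from_dir "$1"
fi
```

For the realm in the question, the Secret would carry one key named xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret (Secret keys may contain dots), mounted at the directory passed as the argument. Because the keystore lives on a volume shared between the init container and the Elasticsearch container rather than in the container's own filesystem, applying a new realm configuration with rollout restart no longer removes the secret the realm requires.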

Unable to connect Filebeats with Elastic Cloud

I am facing an issue while connecting filebeats with my trial version of elastic cloud.
I am getting the error below
ERROR pipeline/output.go:100 Failed to CLOUD_ID): 401 Unauthorized:
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user
[USER_EMAIL] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\"
charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":
"unable to authenticate user ...
I have attached my filebeat.yml too. Please look.
I cross-checked my username and password; both are correct.
please help!
Here my cloud credentials don’t look right. The syntax for cloud.auth is user:password
It needs to be the cluster credentials, not the cloud account credentials. (Default username is elastic, and you’re presented a randomly generated password when the cluster is created)

How can I resolve a proxy error for Cloud Foundry?

I want to push changes to the application hosted on IBM Cloud using CLI. When I try to login I have a proxy error
PS C:\Users\user1\folder1\myapp> cf login
API endpoint: https://api.eu-de.bluemix.net
API endpoint: https://api.eu-de.bluemix.net (API version: 2.128.0)
Not logged in. Use 'cf login' to log in.
FAILED
Error performing request: Get https://login.eu-de.cf.cloud.ibm.com/UAALoginServerWAR/login: Proxy Authentication Required
I set the environment variables HTTPS_PROXY and HTTP_PROXY: http://XXXXXX.XXX:1234
Thanks in advance for any help.
You should be using the https://api.eu-de.cf.cloud.ibm.com API endpoint instead. While mybluemix.net should continue to work, bluemix.net should usually be replaced with the cloud.ibm.com equivalent.

SOA Suite 12c OSB routing service to HTTPS basic authentication secured service

I am using Oracle fusion middleware 12.2.1.3.0
I am trying to create a basic proxy service to an HTTPS service secured with basic authentication.
Can anybody explain step by step how to setup business service?
I have tried all combination but all went wrong.
The proxy service is plain with http transport. There is no authentication, security or policy.
Pipeline is plain too = only routing to business service.
Business service transport protocol http (no other options are allowed). URI = https://my.uri.com:443/ws/myService?wsdl
Http transport configuration = Authentication Basic, Service account = myAccount.sa (username/password)
No policies.
Business Service Testing gives me "The invocation resulted in an error: Forbidden."
When I supply username/password into testing window it gives me "Error authenticating the transport username/password: [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied"
When I try add oracle/http_basic_auth_over_ssl_client_policy I get "Conflicts found during publish.
[OSB-387194]OWSM Policy 'oracle/http_basic_auth_over_ssl_client_policy' is not allowed since transport authentication is set to 'basic'. If you are trying to attach an HTTP Token Policy make sure that the authentication on transport configuration is set to 'None'. You can either set the authentication mechanism directly on the transport configuration page or attach OWSM HTTP Token Policy."
Any help is appreciated.
Thank you in advance.
You should not add security to the BS.
In the Business Configuration tab, set the authentication to 'None' instead of Basic. You should attach security only to the Proxy Service and not the Business Service.
Hope it helps :)
