searchguard for SSL communication in ELK - elasticsearch

Basic username/password authentication for ELK, I was able to achieve using searchguard on the Windows platform.
Now I am trying to establish secure communication. I have performed the following changes:
In elasticsearch.yml
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: 221749a2add117cf889f
searchguard.ssl.http.truststore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\truststore.jks
searchguard.ssl.http.truststore_password: 6d6cf1cc017dc874960b
searchguard.authcz.admin_dn:
- CN=sgadmin
searchguard.ssl.transport.keystore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: 221749a2add117cf889f
searchguard.ssl.transport.truststore_filepath: D:\Softwares\ELK\elasticsearch-5.4.0\elasticsearch-5.4.0\config\truststore.jks
searchguard.ssl.transport.truststore_password: 6d6cf1cc017dc874960b
In Kibana.yml
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
If I log in to Kibana using http://localhost:5601, it asks for a username and password. I don't know what credentials to enter here. I tried admin/admin. It's not working. Before I gave the searchguard.ssl.http.... configurations, admin/admin was working fine.
After I added all the searchguard.ssl.http related configuration, the credentials are not working.
I am sure there is some other configuration in kibana.yml w.r.t. the searchguard configuration. I am not able to find it online. Can anyone please help me here on what is missing?

Enabling TLS on the REST layer does not have any impact on user authentication/authorisation. The only difference is:
If you enable TLS on REST layer, only HTTPS access is allowed. You will see an error message if you try to access ES with HTTP
If you disable TLS on REST layer, only HTTP access is allowed. You will see an error message if you try to access ES with HTTPS.
Search Guard will authenticate the credentials against the configured authentication backend in sg_config.yml. If you use the default configuration that ships with Search Guard, it will use the internal user database and the users defined in internal_users.yml. The default "admin" user has full access to all indices and types, so you should be able to use this user to log into Kibana. If you need a user with limited access, the corresponding demo user is "kibanaro". Please refer to internal_users.yml to see all demo users.
Since ES 5.0.2, you need to install the Search Guard Kibana plugin for full authentication and session support. You can find the plugin on the corresponding GitHub repository. You install it like any other Kibana plugin, for example:
bin/kibana-plugin install https://github.com/floragunncom/search-guard-kibana-plugin/releases/download/v5.4.3-3/searchguard-kibana-5.4.3-3.zip
If you do not need advanced stuff like multi-tenancy or JWT Single Sign-on, it should start and work out of the box.
If this does not help, please post the output of your Elasticsearch log files when trying to log in.
Disclaimer: I work for floragunn, makers of Search Guard.
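The answer's point is that REST-layer TLS only changes which scheme Elasticsearch accepts, so Kibana's elasticsearch.url must use the matching scheme while the credentials are still checked against internal_users.yml. The following added example (not Search Guard's or Elastic's code) reads the two config fragments from the question with a minimal flat-key parser (PyYAML is deliberately not assumed) and reports a scheme mismatch and missing keystore/truststore keys; the file paths are constructed stand-ins for the Windows paths in the question.

```python
"""Consistency check between the Search Guard SSL keys in elasticsearch.yml and
elasticsearch.url in kibana.yml. Added example, not part of Search Guard."""
from urllib.parse import urlparse

# Constructed from the question's elasticsearch.yml; paths shortened.
ELASTICSEARCH_YML = """
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: config/CN=localhost-keystore.jks
searchguard.ssl.http.truststore_filepath: config/truststore.jks
searchguard.authcz.admin_dn:
- CN=sgadmin
searchguard.ssl.transport.keystore_filepath: config/CN=localhost-keystore.jks
searchguard.ssl.transport.truststore_filepath: config/truststore.jks
"""

# Constructed from the question's kibana.yml (password omitted).
KIBANA_YML = """
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "admin"
"""


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' style both fragments use, with
    '- item' lines collected into a list under the preceding key. Assumption:
    no nested mappings, which holds for the fragments on this page."""
    settings, list_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and list_key is not None:
            settings[list_key].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")  # first colon ends the key
        key, value = key.strip(), value.strip().strip('"')
        if value == "":            # bare 'key:' opens a list
            settings[key] = []
            list_key = key
        else:
            settings[key] = value
            list_key = None
    return settings


def check_config(es, kibana):
    """Return a list of findings (empty means the two files agree)."""
    findings = []
    https_required = es.get("searchguard.ssl.http.enabled", "false").lower() == "true"
    expected = "https" if https_required else "http"
    scheme = urlparse(kibana.get("elasticsearch.url", "")).scheme
    if scheme != expected:
        findings.append(f"kibana elasticsearch.url uses {scheme or 'no'} scheme "
                        f"but ES REST layer expects {expected}")
    # Transport TLS is always on with Search Guard; HTTP stores only matter
    # when searchguard.ssl.http.enabled is true.
    layers = ["transport"] + (["http"] if https_required else [])
    for layer in layers:
        for store in ("keystore_filepath", "truststore_filepath"):
            key = f"searchguard.ssl.{layer}.{store}"
            if key not in es:
                findings.append(f"missing {key}")
    if not es.get("searchguard.authcz.admin_dn"):
        findings.append("no searchguard.authcz.admin_dn configured")
    return findings


def run_checks(es_text=ELASTICSEARCH_YML, kibana_text=KIBANA_YML):
    return check_config(parse_flat_yaml(es_text), parse_flat_yaml(kibana_text))


if __name__ == "__main__":
    for finding in run_checks() or ["config files agree"]:
        print(finding)
```

With the question's own values the check passes: the HTTP layer is TLS-enabled and Kibana already points at https://localhost:9200, which is why the answer directs attention to the Kibana plugin and internal_users.yml rather than to the URL.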

Related

failed to authenticate user [elastic] after enabling xpack.security in elasticsearch

I use the Kibana 7.11.1 stack. This problem is related to elasticsearch alone.
I added xpack.security.enabled: true to elasticsearch.yml and ran elasticsearch-setup-passwords auto
to set the default users' passwords. But now when I start elasticsearch I keep seeing the message:
[o.e.x.s.a.AuthenticationService] [SERVER_NAME] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
I see this only when the elasticsearch service is up, so I assumed that I need to set the new elastic user password in the elasticsearch.yml file, but I have no idea how.
Any ideas?
Thanks
The error message indicates that the credentials with which you are trying to authenticate do not match the saved username and password.
After turning on the xpack.security.enabled setting, you can set the built-in user credentials using the command below:
bin/elasticsearch-setup-passwords interactive
I missed one service that is part of the Kibana stack: the elastic-agent.
So the database wasn't trying to connect to itself! :) elastic-agent was trying to connect to elasticsearch without the proper credentials.
Once I resolved that and restarted elastic-agent, the problem was resolved.

Kibana Embedded Dashboard Not Logging In after Enabling X-pack security plugin

I am working with the ELK Stack 7.x version. Here I am trying to embed a dashboard in another HTML page, but I am not able to log in to the embedded dashboard since I configured the X-Pack security plugin.
You should configure anonymous access:
xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "anonymous_service_account"
      password: "anonymous_service_account_password"
Anyone with access to the network Kibana is exposed to will be able to
access Kibana. Make sure that you’ve properly restricted the
capabilities of the anonymous service account so that anonymous users
can’t perform destructive actions or escalate their own privileges.

AWS kibana after login throws Missing Role error

I've started learning elasticsearch using AWS. I followed this article to create an elasticsearch and Kibana setup.
After completing the setup, I tried to log in using my user from the user pool; after login I'm getting the error "Missing Role".
URL: https://search-mytestdomain-xxxxxxxxxxxxxxxxxxxxxx.us-east-2.es.amazonaws.com/_plugin/kibana/customerror?type=missingRole#?_g=()
Was looking all over for the fix after following the same guide you linked. Came across this post during my searching and wanted to share that my fix for that specific guide is to use Elasticsearch 6.2 when creating the domain.
I haven't tried any other versions, but when I switched from ES 7.4 (latest) to 6.2 (which is mentioned in the guide) it worked with no issues.
What worked for me on ES 7.4 is below:
Open Identity Pool
Click "Edit identity pool"
Authentication Providers
Authenticated Role Section
Choose role from token
Role resolution: DENY
This document had the answer that worked for me:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-iam
The real issue was that the role I was using on the identity pool and elasticsearch cluster did not have a trust relationship policy to allow the identity pool to assume the role. So login was succeeding, but the pool wasn't able to assume the role, and therefore there really was a missing role on the token that Kibana was receiving. Adding the trust relationship policy shown in step 4 of the doc, in addition to the policy allowing Kibana to assume the role, fixed the missing role issue for me and successfully passed my authenticated user into Kibana's main interface.
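The diagnosis above is that the Cognito identity pool could not assume the role, so the token reaching Kibana carried no role. The following added example (not from the AWS guide linked above) checks a role's trust policy for exactly that condition: an Allow statement whose principal is the Cognito federated identity service, whose action is sts:AssumeRoleWithWebIdentity, and whose audience condition, if present, names this identity pool. Both policy documents and the pool id are constructed placeholders; explicit Deny statements and wildcard principals are not modelled.

```python
"""Check whether an IAM role trust policy lets a Cognito identity pool assume
the role. Added example with constructed placeholder policies."""
import json

IDENTITY_POOL_ID = "us-east-2:00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed trust policy in the shape AWS uses for a Cognito authenticated
# role: Federated principal plus AssumeRoleWithWebIdentity, scoped to one pool.
TRUST_POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
})

# Constructed trust policy that only trusts the Elasticsearch service itself:
# the user can log in, but the identity pool cannot assume this role.
TRUST_POLICY_MISSING = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "es.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def pool_can_assume_role(trust_policy_json, pool_id):
    """True if some Allow statement grants sts:AssumeRoleWithWebIdentity to the
    Cognito federated principal and its aud condition (if any) matches pool_id."""
    doc = json.loads(trust_policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if "cognito-identity.amazonaws.com" not in federated:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud is not None and pool_id not in _as_list(aud):
            continue  # trusted, but for a different identity pool
        return True
    return False


def diagnose(trust_policy_json, pool_id):
    """Map the check onto the symptom seen in Kibana."""
    if pool_can_assume_role(trust_policy_json, pool_id):
        return "ok: identity pool can assume the role"
    return "missing role: trust policy does not let the identity pool assume this role"


if __name__ == "__main__":
    print(diagnose(TRUST_POLICY_OK, IDENTITY_POOL_ID))
    print(diagnose(TRUST_POLICY_MISSING, IDENTITY_POOL_ID))
```

To run it against a real role, replace the constructed documents with the trust policy returned by the IAM console or API for the role you mapped in the identity pool, and keep the aud condition scoped to your pool id so that only that pool, and not any Cognito identity, can assume the role.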

Setup authorizers.xml for secured Nifi server

I am trying to set up simple HTTPS security using certificates for my NiFi server. I am able to set up the secure connection by setting
nifi.security.keystore=.../nifiuser.jks and installing certificates etc.
When I access through the Web UI, I get:
No applicable policies could be found. Contact the system administrator.
I think I need to configure "authorizers.xml" but I don't know how. I just want "nifiuser" to have all admin rights.
Please help! Thank you
There are a lot of docs and posts that describe how to do this:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizer-configuration
https://bryanbende.com/development/2018/10/23/apache-nifi-secure-cluster-setup
https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/

Accessing cassandra without hardcoded username password

I have an existing Datastax Cassandra setup that is working. We just added authentication to the system and now we can log in with our AD accounts. This is very nice and certainly works. However applications need to use a hard-coded username/password in order to connect.
In SQL Server we were able to setup a user to run the service as and then it would connect and work through AD. However in Cassandra it is not the same.
If I don't want to include usernames and especially passwords in my app.config files what are my options?
You can use authentication via LDAP with DSE (Datastax Enterprise), so the authentication stage is done with LDAP instead of the internal authentication in DSE which you're using at the moment. Note that my comments here apply to DSE 5.0 onwards, but you can use LDAP auth with earlier versions of DSE from 4.6 onwards.
The documentation (link below) covers this. The basic steps are as follows:
Configure your authenticator in the cassandra.yaml to use the DSE authenticator
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
Create an internal role in cassandra to map to the LDAP group(s) in your LDAP server using the CREATE ROLE command
Ensure all the users you need to use map to the relevant LDAP group (part of your LDAP config)
Configure your dse.yaml to have the correct settings for your LDAP server
Restart the DSE process for the settings to take effect
The following documentation gives some good examples and background information:
https://docs.datastax.com/en/latest-dse/datastax_enterprise/unifiedAuth/unifiedAuthConfig.html
https://docs.datastax.com/en/latest-dse/datastax_enterprise/sec/authLdapConfig.html
Note: when configuring the dse.yaml, note the comment in the docs regarding user_search_filter:
When using Active Directory set the filter to (sAMAccountName={0})