[Google Oauth2 Sign-In] User impersonation alternative using OAuth2 Proxy


(Mihai Siminica) #1

Hello,

I wanted to share to the community a different approach to this great guide https://www.elastic.co/blog/user-impersonation-with-x-pack-integrating-third-party-auth-with-kibana.

After playing a little bit with Nginx and OAuth2 Proxy I have managed to avoid the user impersonation and give the admin the chance to create accounts for each user in the organization with their associated roles.

Notes:

  • Parts of this guide are taken from the user impersonation guide (see link above)
  • This guide requires you to manually create the accounts in advance with the same predefined password (work in progress for an automatic creation solution).
  • The following guide is based on an installation of Elasticsearch + Kibana 5.4 (SSL configuration enabled on port 8443) + X-Pack plugin from DEB files on a Debian 8.x machine.
  • This guide does not cover the security aspects. These should be taken care of by you, using your own solutions to properly secure Elasticsearch, Kibana, Oauth2_proxy and Nginx

  1. After X-Pack plugin installation, uncomment and modify or add the following lines in /etc/kibana/kibana.yml and restart the Kibana service:

         elasticsearch.requestHeadersWhitelist: [ authorization ]
         xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ authorization ]
    
  2. Install and configure OAuth2 Proxy

  • Download prebuilt binary for OAuth2 Proxy: https://github.com/bitly/oauth2_proxy/releases

  • Put the binary from the archive in the /usr/local/bin folder

  • Create configuration folders:

            # mkdir /etc/oauth2_proxy
            # mkdir /etc/oauth2_proxy/templates    (optional)
    
  • Create the configuration file for the oauth2_proxy service (/etc/oauth2_proxy/oauth2_proxy.cfg):

         https_address = "kibana.example.com:443"
         
         ## TLS Settings
         tls_cert_file = "/etc/kibana/certs/example.com.crt"
         tls_key_file = "/etc/kibana/certs/example.com.key"
    
         # the OAuth Redirect URL.
         redirect_url = "https://kibana.example.com/oauth2/callback"
         # the http url of the upstream endpoint (nginx in our case)
         upstreams = [
         "http://127.0.0.1:8080/"
         ]
         email_domains = [
         "example.com"     
         ]
         ## The OAuth Client ID, Secret
         client_id = "<google oauth2 client ID>"
         client_secret = "<google oauth2 client secret>"
         cookie_name = "_oauth2_proxy"
         cookie_secret = "secretsecret"
         cookie_secure = true
    
  • Check the tutorial at https://github.com/bitly/oauth2_proxy#google-auth-provider in order to create the Google project for authentication in order to obtain the google client_id and client_secret

  • Create the systemd script in order to start the OAuth2_Proxy service (/usr/lib/systemd/system/oauth2_proxy.service):

         [Unit]
         Description=oauth2_proxy daemon service
         After=syslog.target network.target
    
         [Service]
         ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg
         #If you want to use custom templates
         #ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg --custom-templates-dir=/etc/oauth2_proxy/templates
         ExecReload=/bin/kill -HUP $MAINPID
    
         KillMode=process
         Restart=always
    
         [Install]
         WantedBy=multi-user.target
    
  • Optional: create the template files sign_in.html and error.html in the /etc/oauth2_proxy/templates folder based on the ones defined here https://github.com/bitly/oauth2_proxy/blob/master/templates.go

  • Enable the Oauth2 Proxy service:

         # systemctl enable oauth2_proxy
    
  • Start the service:

         # systemctl start oauth2_proxy
    
  3. Build, install, configure and start NGINX

  • Install packages required to make builds from source:

            # apt-get install build-essential libc6 libpcre3 libpcre3-dev libpcrecpp0 libssl1.0.0 libssl-dev zlib1g zlib1g-dev lsb-base
    
  • Create the folder where the nginx will be built:

            # mkdir /usr/src/nginx
            # cd /usr/src/nginx
    
  • Download the source packages:

            # wget http://nginx.org/download/nginx-1.13.0.tar.gz
            # wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz 
            # wget https://github.com/openresty/set-misc-nginx-module/archive/v0.31.tar.gz 
    
  • Extract the packages:

             # tar -xzf nginx-1.13.0.tar.gz
             # tar -xzf v0.3.0.tar.gz
             # tar -xzf v0.31.tar.gz
    
  • Build and install nginx:

            # cd /usr/src/nginx/nginx-1.13.0
            # ./configure --prefix=/opt/nginx \
                  --with-http_ssl_module \
                  --add-module=/usr/src/nginx/ngx_devel_kit-0.3.0 \
                  --add-module=/usr/src/nginx/set-misc-nginx-module-0.31
            # make -j2
            # make install
    
  • Create the systemd service script (/lib/systemd/system/nginx.service):

         [Unit]
         Description=The NGINX HTTP and reverse proxy server
         After=syslog.target network.target remote-fs.target nss-lookup.target
    
         [Service]
         Type=forking
         PIDFile=/opt/nginx/logs/nginx.pid
         ExecStartPre=/opt/nginx/sbin/nginx -t
         ExecStart=/opt/nginx/sbin/nginx
         ExecReload=/bin/kill -s HUP $MAINPID
         ExecStop=/bin/kill -s QUIT $MAINPID
         PrivateTmp=true
    
         [Install]
         WantedBy=multi-user.target
    

(Mihai Siminica) #2

  • Create NGINX configuration folders:

          # mkdir /opt/nginx/conf/conf.d
          # mkdir /opt/nginx/conf/sites-available/
          # mkdir /opt/nginx/conf/sites-enabled/
    
  • Update the NGINX configuration file (/opt/nginx/conf/nginx.conf)

          user  nobody;
          worker_processes  1;
          error_log  logs/error.log;
          error_log  logs/error.log  notice;
          error_log  logs/error.log  info;
          pid        logs/nginx.pid;

          events {
              worker_connections  1024;
          }

          http {
              include       mime.types;
              default_type  application/octet-stream;

              # "main" has to be defined before access_log refers to it,
              # otherwise "nginx -t" fails with: unknown log format "main"
              log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for"';
              access_log  logs/access.log  main;

              sendfile        on;
              #tcp_nopush     on;
              #keepalive_timeout  0;
              keepalive_timeout  65;
              gzip  on;

              include /opt/nginx/conf/conf.d/*.conf;
              include /opt/nginx/conf/sites-enabled/*;
          }
    
  • Create the NGINX proxy configuration file (/opt/nginx/conf/sites-available/oauth2_proxy):

          server {
              listen 80;
              server_name kibana.example.com;

              # redirect http->https while we're at it
              rewrite ^ https://$server_name$request_uri? permanent;
          }

          server {
              listen 127.0.0.1:8080;
              server_name localhost;

              location / {
                  # The location of the Kibana server
                  proxy_pass https://kibana.example.com:8443/;

                  # Create the base64 encoded authentication string from the user
                  # passed in by oauth2_proxy ($remote_user) and the shared password
                  set $auth_string  "${remote_user}:<SuperSecuredSecretPassword>";
                  set_encode_base64 $encoded_string $auth_string;

                  proxy_set_header Authorization "Basic $encoded_string";

                  # Simple rewrite to get us back to oauth2_proxy's login page
                  # if someone uses Kibana's Logout button.
                  rewrite /login https://kibana.example.com/oauth2/sign_in redirect;
              }
          }
    
  • Create a symlink of the file /opt/nginx/conf/sites-available/oauth2_proxy in the folder /opt/nginx/conf/sites-enabled

  • Enable the NGINX service

         # systemctl enable nginx
    
  • Start the NGINX service

          # systemctl start nginx
    
  4. Create the Kibana usernames identical to the ones from the email addresses:

  • Connect to Kibana server using the address https://kibana.example.com:8443 with a superuser account and create the users as in the following example:

      # for the email address (hosted on Google) user.name@example.com, create the kibana user user.name with the password <SuperSecuredSecretPassword> (the same as in the nginx configuration file)
      # use the same password for all the other users you will create
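
The last step is done by hand in the guide. As an added example (not part of the original post), the script below creates the X-Pack users for a list of Google accounts, deriving each username the same way it will arrive in nginx's $remote_user, and also reproduces the Authorization header nginx builds so an account can be checked with curl before oauth2_proxy is put in front. It assumes Elasticsearch 5.4 with the X-Pack 5.x user API at /_xpack/security/user/<name> on https://localhost:9200, and the sample account list is constructed.

```python
import base64
import json
import urllib.request

# Constructed sample mapping of Google accounts to X-Pack roles (assumption).
SAMPLE_ACCOUNTS = {
    "user.name@example.com": ["kibana_user"],
    "another.user@example.com": ["kibana_user", "monitoring_user"],
}

def kibana_username(email, allowed_domain="example.com"):
    """Username nginx will see as $remote_user: oauth2_proxy forwards the
    local part of the Google address, so user.name@example.com becomes
    user.name. Addresses outside email_domains are rejected, as oauth2_proxy does."""
    local, _, domain = email.partition("@")
    if not local or domain.lower() != allowed_domain:
        raise ValueError("%s is not a %s address" % (email, allowed_domain))
    return local

def basic_auth_header(username, password):
    """The value nginx's set_encode_base64 step puts in the Authorization
    header; useful for checking a user with curl before going live."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")

def user_body(email, roles, password):
    """Request body for PUT /_xpack/security/user/<name> (X-Pack 5.x API)."""
    return {"password": password, "roles": list(roles), "email": email}

def create_user(es_url, admin_user, admin_password, email, roles, password):
    """Create or overwrite one X-Pack user and return the parsed API reply."""
    url = "%s/_xpack/security/user/%s" % (es_url.rstrip("/"), kibana_username(email))
    req = urllib.request.Request(
        url, data=json.dumps(user_body(email, roles, password)).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": basic_auth_header(admin_user, admin_password)})
    with urllib.request.urlopen(req) as resp:  # assumes the ES TLS cert is trusted
        return json.load(resp)

if __name__ == "__main__":
    # The shared password must be the one used in the nginx configuration.
    for addr, roles in SAMPLE_ACCOUNTS.items():
        print(addr, create_user("https://localhost:9200", "elastic", "<admin password>",
                                addr, roles, "<SuperSecuredSecretPassword>"))
```

The header returned by basic_auth_header is what Kibana receives from nginx, so `curl -k -H "Authorization: <value>" https://kibana.example.com:8443/api/status` confirms a freshly created account before the proxy chain is tested end to end.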

(Mark Walkom) #3

Thanks for sharing!


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.