[Google Oauth2 Sign-In] User impersonation alternative using OAuth2 Proxy

Elastic Stack Kibana
1

Hello,

I wanted to share to the community a different approach to this great guide https://www.elastic.co/blog/user-impersonation-with-x-pack-integrating-third-party-auth-with-kibana.

After playing a little bit with Nginx and OAuth2 Proxy I have managed to avoid the user impersonation and give the admin the chance to create accounts for each user in the organization with their associated roles.

Notes:

  • Parts of this guide are taken from the user impersonation guide (see link above)
  • This guide requires you to manually create the accounts in advance with the same predefined password (work in progress for an automatic creation solution).
  • The following guide is based on a installation of Elasticsearch + Kibana 5.4 (SSL configuration enabled on port 8443) + X-Pack plugin from DEB files on a Debian 8.x machine.
  • This guide does not cover the security aspects. These should be taken care by you, using your own solutions to properly secure Elasticsearch, Kibana, Oauth2_proxy and Nginx

  1. After X-Pack plugin installation, uncomment and modify or add the following lines in /etc/kibana/kibana.yml and restart the Kibana service:

         elasticsearch.requestHeadersWhitelist: [ authorization ]
     xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ authorization ]

  2. Install and configure OAuth2 Proxy

  • Download prebuilt binary for OAuth2 Proxy: https://github.com/bitly/oauth2_proxy/releases

  • Put the binary from the archive in the /usr/local/bin folder

  • Create configuration folders:

            # mkdir /etc/oauth2_proxy
        # mkdir /etc/oauth2_proxy/templates    (optional)

  • Create the configuration file for the oauth2_proxy service (/etc/oauth2_proxy/oauth2_proxy.cfg):

         https_address = "kibana.example.com:443"
     
     ## TLS Settings
     tls_cert_file = "/etc/kibana/certs/example.com.crt"
     tls_key_file = "/etc/kibana/certs/example.com.key"

     # the OAuth Redirect URL.
     redirect_url = "https://kibana.example.com/oauth2/callback"
     # the http url of the upstream endpoint (nginx in our case)
     upstreams = [
     "http://127.0.0.1:8080/"
     ]
     email_domains = [
     "example.com"     
     ]
     ## The OAuth Client ID, Secret
     client_id = "<google oauth2 client ID>"
     client_secret = "<google oauth2 client secret>"
     cookie_name = "_oauth2_proxy"
     cookie_secret = "secretsecret"
     cookie_secure = true

  • Check the tutorial at https://github.com/bitly/oauth2_proxy#google-auth-provider in order to create the Google project for authentication in order to obtain the google client_id and client_secret

  • Create the systemd script in order to start the OAuth2_Proxy service (/usr/lib/systemd/system/oauth2_proxy.service):

         [Unit]
     Description=oauth2_proxy daemon service
     After=syslog.target network.target

     [Service]
     ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg
     #If you want to use custom templates
     #ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg --custom-templates-dir=/etc/oauth2_proxy/templates
     ExecReload=/bin/kill -HUP $MAINPID

     KillMode=process
     Restart=always

     [Install]
     WantedBy=multi-user.target

  • Optional: create the template files sign_in.html and error.html in the etc/oauth2_proxy/templates folder based on the ones defined here https://github.com/bitly/oauth2_proxy/blob/master/templates.go

  • Enable the Oauth2 Proxy service:

         # systemctl enable oauth2_proxy

  • Start the service:

         # systemctl start oauth2_proxy
  1. Build, install, configure and start NGINX

  • Install packages required to make builds from source:

            # apt-get install build-essential libc6 libpcre3 libpcre3-dev libpcrecpp0 libssl1.0.0 libssl-dev zlib1g zlib1g-dev lsb-base

  • Create the folder where the nginx will be built:

            # mkdir /usr/src/nginx
        # cd /usr/src/nginx

  • Download the source packages:

            # wget http://nginx.org/download/nginx-1.13.0.tar.gz
        # wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz 
        # wget https://github.com/openresty/set-misc-nginx-module/archive/v0.31.tar.gz

  • Extract the packages:

             # tar -xzf nginx-1.13.0.tar.gz
         # tar -xzf v0.3.0.tar.gz
         # tar -xzf v0.31.tar.gz

  • Build and install nginx:

            # cd /usr/src/nginx/nginx-1.13.0
         # ./configure --prefix=/opt/nginx \
 			 --with-http_ssl_module \
 			 --add-module=/usr/src/nginx/ngx_devel_kit-0.3.0 \
 			 --add-module=/usr/src/nginx/set-misc-nginx-module-0.31
         # make -j2
         # make install

  • Create the systemd service script (/lib/systemd/system/nginx.service):

         [Unit]
     Description=The NGINX HTTP and reverse proxy server
     After=syslog.target network.target remote-fs.target nss-lookup.target

     [Service]
     Type=forking
     PIDFile=/opt/nginx/logs/nginx.pid
     ExecStartPre=/opt/nginx/sbin/nginx -t
     ExecStart=/opt/nginx/sbin/nginx
     ExecReload=/bin/kill -s HUP $MAINPID
     ExecStop=/bin/kill -s QUIT $MAINPID
     PrivateTmp=true

     [Install]
     WantedBy=multi-user.target

..................................................

2

  • Create NGINX configuration folders:

          # mkdir /opt/nginx/conf/conf.d
      # mkdir /opt/nginx/conf/sites-available/
      # mkdir /opt/nginx/conf/sites-enabled/

  • Update the NGINX configuration file (/opt/nginx/conf/nginx.conf)

          user  nobody;
      worker_processes  1;
      error_log  logs/error.log;
      error_log  logs/error.log  notice;
      error_log  logs/error.log  info;
      pid        logs/nginx.pid;
      events {
         worker_connections  1024;
      }

         http {
              include       mime.types;
              default_type  application/octet-stream;
              access_log  logs/access.log  main;
              sendfile        on;
              #tcp_nopush     on;
              #keepalive_timeout  0;
              keepalive_timeout  65;
              gzip  on;
              include /opt/nginx/conf/conf.d/*.conf;
              include /opt/nginx/conf/sites-enabled/*;
          }

  • Create the NGINX proxy configuration file (/opt/nginx/conf/sites-available/oauth2_proxy):

          server {
              listen 80;
              server_name kibana.example.com;

              # redirect http->https while we're at it
              rewrite ^ https://$server_name$request_uri? permanent;
          }
          server {
              listen 127.0.0.1:8080;
              server_name localhost;

              location / {
                  # The location of the Kibana server
                  proxy_pass https://kibana.example.com:8443/;

                  # Create the base64 encoded authentication string
      
                  set $auth_string  "${remote_user}:<SuperSecuredSecretPassword>";
                  set_encode_base64 $encoded_string $auth_string;

                  proxy_set_header Authorization "Basic $encoded_string";

                  # Simple rewrite to get us back to oauth2_proxy 's login page if someone uses Kibana's Logout             button.
                  rewrite /login https://kibana.example.com/oauth2/sign_in redirect;
              }

  • Create a symlink of the file /opt/nginx/conf/sites-available/oauth2_proxy in the folder /opt/nginx/conf/sites-enabled

  • Enable the NGINX service

         # systemctl enable nginx

  • Start the NGINX service

          # systemctl start nginx
  1. Create the Kibana usernames identicals to the ones from the email addresses:

  • Connect to Kibana server using the address https://kibana.example.com:8443 with a superuser account and create the users as in the following example:

      # for the email address (hosted on Google) user.name@example.com, create the kibana user user.name with the password <SuperSecuredSecretPassword> (the same as in the nginx configuration file)
  # use the same password for all the other users you will create
3

Thanks for sharing!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.