[Google Oauth2 Sign-In] User impersonation alternative using OAuth2 Proxy

Hello,

I wanted to share with the community a different approach to this great guide https://www.elastic.co/blog/user-impersonation-with-x-pack-integrating-third-party-auth-with-kibana.

After playing a little bit with Nginx and OAuth2 Proxy I have managed to avoid the user impersonation and give the admin the chance to create accounts for each user in the organization with their associated roles.

Notes:

  • Parts of this guide are taken from the user impersonation guide (see link above)
  • This guide requires you to manually create the accounts in advance with the same predefined password (work in progress for an automatic creation solution).
  • The following guide is based on an installation of Elasticsearch + Kibana 5.4 (SSL configuration enabled on port 8443) + X-Pack plugin from DEB files on a Debian 8.x machine.
  • This guide does not cover the security aspects. These should be taken care of by you, using your own solutions to properly secure Elasticsearch, Kibana, Oauth2_proxy and Nginx

  1. After X-Pack plugin installation, uncomment and modify or add the following lines in /etc/kibana/kibana.yml and restart the Kibana service:

         elasticsearch.requestHeadersWhitelist: [ authorization ]
         xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ authorization ]
    
  2. Install and configure OAuth2 Proxy

  • Download prebuilt binary for OAuth2 Proxy: https://github.com/bitly/oauth2_proxy/releases

  • Put the binary from the archive in the /usr/local/bin folder

  • Create configuration folders:

            # mkdir /etc/oauth2_proxy
            # mkdir /etc/oauth2_proxy/templates    (optional)
    
  • Create the configuration file for the oauth2_proxy service (/etc/oauth2_proxy/oauth2_proxy.cfg):

         https_address = "kibana.example.com:443"
         
         ## TLS Settings
         tls_cert_file = "/etc/kibana/certs/example.com.crt"
         tls_key_file = "/etc/kibana/certs/example.com.key"
    
         # the OAuth Redirect URL.
         redirect_url = "https://kibana.example.com/oauth2/callback"
         # the http url of the upstream endpoint (nginx in our case)
         upstreams = [
         "http://127.0.0.1:8080/"
         ]
         email_domains = [
         "example.com"     
         ]
         ## The OAuth Client ID, Secret
         client_id = "<google oauth2 client ID>"
         client_secret = "<google oauth2 client secret>"
         cookie_name = "_oauth2_proxy"
         cookie_secret = "secretsecret"
         cookie_secure = true
    
  • Check the tutorial at https://github.com/bitly/oauth2_proxy#google-auth-provider in order to create the Google project for authentication in order to obtain the google client_id and client_secret

  • Create the systemd script in order to start the OAuth2_Proxy service (/usr/lib/systemd/system/oauth2_proxy.service):

         [Unit]
         Description=oauth2_proxy daemon service
         After=syslog.target network.target
    
         [Service]
         ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg
         #If you want to use custom templates
         #ExecStart=/usr/local/bin/oauth2_proxy -config=/etc/oauth2_proxy/oauth2_proxy.cfg --custom-templates-dir=/etc/oauth2_proxy/templates
         ExecReload=/bin/kill -HUP $MAINPID
    
         KillMode=process
         Restart=always
    
         [Install]
         WantedBy=multi-user.target
    
  • Optional: create the template files sign_in.html and error.html in the /etc/oauth2_proxy/templates folder based on the ones defined here https://github.com/bitly/oauth2_proxy/blob/master/templates.go

  • Enable the Oauth2 Proxy service:

         # systemctl enable oauth2_proxy
    
  • Start the service:

         # systemctl start oauth2_proxy
    
  3. Build, install, configure and start NGINX

  • Install packages required to make builds from source:

            # apt-get install build-essential libc6 libpcre3 libpcre3-dev libpcrecpp0 libssl1.0.0 libssl-dev zlib1g zlib1g-dev lsb-base
    
  • Create the folder where the nginx will be built:

            # mkdir /usr/src/nginx
            # cd /usr/src/nginx
    
  • Download the source packages:

            # wget http://nginx.org/download/nginx-1.13.0.tar.gz
            # wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz 
            # wget https://github.com/openresty/set-misc-nginx-module/archive/v0.31.tar.gz 
    
  • Extract the packages:

             # tar -xzf nginx-1.13.0.tar.gz
             # tar -xzf v0.3.0.tar.gz
             # tar -xzf v0.31.tar.gz
    
  • Build and install nginx:

            # cd /usr/src/nginx/nginx-1.13.0
            # ./configure --prefix=/opt/nginx \
                  --with-http_ssl_module \
                  --add-module=/usr/src/nginx/ngx_devel_kit-0.3.0 \
                  --add-module=/usr/src/nginx/set-misc-nginx-module-0.31
            # make -j2
            # make install
    
  • Create the systemd service script (/lib/systemd/system/nginx.service):

         [Unit]
         Description=The NGINX HTTP and reverse proxy server
         After=syslog.target network.target remote-fs.target nss-lookup.target
    
         [Service]
         Type=forking
         PIDFile=/opt/nginx/logs/nginx.pid
         ExecStartPre=/opt/nginx/sbin/nginx -t
         ExecStart=/opt/nginx/sbin/nginx
         ExecReload=/bin/kill -s HUP $MAINPID
         ExecStop=/bin/kill -s QUIT $MAINPID
         PrivateTmp=true
    
         [Install]
         WantedBy=multi-user.target
    

  • Create NGINX configuration folders:

          # mkdir /opt/nginx/conf/conf.d
          # mkdir /opt/nginx/conf/sites-available/
          # mkdir /opt/nginx/conf/sites-enabled/
    
  • Update the NGINX configuration file (/opt/nginx/conf/nginx.conf)

          user  nobody;
          worker_processes  1;
          # one error_log directive is enough; repeating it with the notice and info
          # levels (as the stock nginx.conf suggests) writes the same events several times
          error_log  logs/error.log  notice;
          pid        logs/nginx.pid;

          events {
              worker_connections  1024;
          }

          http {
              include       mime.types;
              default_type  application/octet-stream;

              # the "main" format must be defined before access_log can reference it,
              # otherwise nginx -t fails with 'unknown log format "main"'
              log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for"';
              access_log  logs/access.log  main;

              sendfile        on;
              #tcp_nopush     on;
              #keepalive_timeout  0;
              keepalive_timeout  65;
              gzip  on;

              include /opt/nginx/conf/conf.d/*.conf;
              include /opt/nginx/conf/sites-enabled/*;
          }
    
  • Create the NGINX proxy configuration file (/opt/nginx/conf/sites-available/oauth2_proxy):

          server {
              listen 80;
              server_name kibana.example.com;

              # redirect http->https while we're at it
              rewrite ^ https://$server_name$request_uri? permanent;
          }

          server {
              listen 127.0.0.1:8080;
              server_name localhost;

              location / {
                  # The location of the Kibana server
                  proxy_pass https://kibana.example.com:8443/;

                  # $remote_user is the user name oauth2_proxy forwards in its own Basic
                  # Authorization header (pass_basic_auth is enabled by default). Rebuild the
                  # header with the shared password every Kibana account was created with,
                  # base64 encoded as "user:password".
                  set $auth_string  "${remote_user}:<SuperSecuredSecretPassword>";
                  set_encode_base64 $encoded_string $auth_string;

                  proxy_set_header Authorization "Basic $encoded_string";

                  # Simple rewrite to get us back to oauth2_proxy's login page if someone
                  # uses Kibana's Logout button.
                  rewrite /login https://kibana.example.com/oauth2/sign_in redirect;
              }
          }
    
  • Create a symlink of the file /opt/nginx/conf/sites-available/oauth2_proxy in the folder /opt/nginx/conf/sites-enabled

  • Enable the NGINX service

         # systemctl enable nginx
    
  • Start the NGINX service

          # systemctl start nginx
    
  4. Create the Kibana usernames identical to the ones from the email addresses:

  • Connect to the Kibana server using the address https://kibana.example.com:8443 with a superuser account and create the users as in the following example:

      # for the email address (hosted on Google) user.name@example.com, create the kibana user user.name with the password <SuperSecuredSecretPassword> (the same as in the nginx configuration file)
      # use the same password for all the other users you will create
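An added example, not part of the original post, for the account creation the notes describe as work in progress: it derives each Kibana username from the email address the way oauth2_proxy presents it to nginx, creates the account with the shared password through the X-Pack 5.x user API, and then confirms each account authenticates with exactly the Basic header the nginx site file builds. ES_URL, the superuser credentials and the built-in kibana_user role are assumptions; the domain list and shared password must be kept equal to the values in oauth2_proxy.cfg and the nginx site file.

```python
import base64
import json
import urllib.request

ES_URL = "https://localhost:9200"                  # assumption, not from the post
ALLOWED_DOMAINS = ("example.com",)                 # keep equal to email_domains in oauth2_proxy.cfg
SHARED_PASSWORD = "<SuperSecuredSecretPassword>"   # keep equal to $auth_string in the nginx site file

def username_from_email(email):
    """Kibana username as oauth2_proxy presents it: the local part of the email.
    Addresses outside ALLOWED_DOMAINS raise, so no account is created for them."""
    local, sep, domain = email.strip().partition("@")
    if not (sep and local and domain.lower() in ALLOWED_DOMAINS):
        raise ValueError("email not in an allowed domain: " + email)
    return local

def basic_header(username, password=SHARED_PASSWORD):
    """The header nginx builds: 'Basic ' + base64('<user>:<shared password>')."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def parse_basic_header(header):
    """What Elasticsearch decodes on the other side; lets us round-trip the encoding."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def user_body(email, roles):
    """Body for PUT /_xpack/security/user/<name> (X-Pack 5.x user API)."""
    return {"password": SHARED_PASSWORD, "roles": list(roles), "email": email}

def _call(method, path, auth, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Authorization": auth, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:      # raises HTTPError on 4xx/5xx
        return json.load(resp)

def create_users(admin_user, admin_password, emails, roles=("kibana_user",)):
    """Create every user with the shared password, then confirm each one authenticates
    with exactly the header nginx will send. Returns {username: roles reported by ES}."""
    admin = basic_header(admin_user, admin_password)
    seen = {}
    for email in emails:
        name = username_from_email(email)
        _call("PUT", "/_xpack/security/user/" + name, admin, user_body(email, roles))
        me = _call("GET", "/_xpack/security/_authenticate", basic_header(name))
        seen[name] = me.get("roles", [])
    return seen
```

Run it as `create_users("elastic", "<superuser password>", ["user.name@example.com"])`; an address outside the allowed domain raises before any account is created.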

Thanks for sharing!
