Hi,
We have a large Kubernetes setup that uses ELK for logging. Filebeat->Logstash->Elasticsearch->Kibana (searchguard turned on).
After upgrading Elasticsearch to 6.4 from 5.6 (Kibana still at 5.6), Kibana started prompting us for basic authentication information in an execution path that used to use the header information from a successful login on our corporate login page.
Then we turned on Kibana 6.4 and got the same behavior. This makes us think that Elasticsearch is causing this. I posted our Searchguard plugin configuration below, the Elasticsearch searchguard configuration, and our Kibana configuration (unchanged across the version upgrades).
If anyone can shed light it would be greatly appreciated, we have been looking at this for a few days and are stumped.
We do not see any difference in logs in the 5.6 and 6.4 flows.
Searchguard plugin config:
searchguard:
  dynamic:
    http:
      xff:
        enabled: false
        internalProxies: 192.168.0.10|192.168.0.11
        remoteIpHeader: "x-forwarded-for"
        proxiesHeader: "x-forwarded-by"
        trustedProxies: "proxy1|proxy2"
    authc:
      authenticaton_internal:
        enabled: true
        order: 0
        authentication_backend:
          type: internal
        http_authenticator:
          type: basic
      authentication_gl:
        enabled: true
        order: 1
        authentication_backend:
          type: com.proprietary.searchguard.auth.oursauthstuff.GlobalLoginAuthenticationBackend
        http_authenticator:
          type: com.proprietary.searchguard.auth.oursauthstuff.HTTPGlobalLoginAuthenticator
      authentication_ourauthstuff:
        enabled: true
        order: 2
        authentication_backend:
          type: com.proprietary.searchguard.auth.oursauthstuff.OurAuthenticationBackend
        http_authenticator:
          type: basic
    authz:
      authorization_ourauthstuff:
        enabled: true
        order: 0
        authorization_backend:
          type: com.proprietary.searchguard.auth.oursauthstuff.K8sOurStuffAuthorizationBackend
---------------------------------
Searchguard configuration on Elasticsearch nodes:
elasticsearch.yml: |
  cluster.name: mycluster
  node:
    name: ${HOSTNAME}
    master: false
    data: true
    ingest: ${INGEST_NODE:true}
    max_local_storage_nodes: 1
  network:
    host: 0.0.0.0
  path:
    data: /usr/share/elasticsearch/data
    logs: /usr/share/elasticsearch/logs
  bootstrap:
    memory_lock: true
    system_call_filter: false
  http:
    enabled: true
    compression: true
    cors:
      enabled: false
    port: 9200
  transport:
    tcp:
      port: 9300
  discovery.zen:
    minimum_master_nodes: 3
    ping_timeout: 3s
    ping.unicast.hosts: "elasticsearch-discovery-internal-svc.ourstuff"
  # Disable X-Pack components
  xpack.security.enabled: false
  xpack.watcher.enabled: false
  xpack.ml.enabled: false
  xpack.graph.enabled: false
  thread_pool:
    bulk:
      queue_size: 600
  # SGAAF Config
  searchguard:
    enterprise_modules_enabled: false
    ssl:
      transport:
        enable_openssl_if_available: true
        enabled: true
        keystore_type: JKS
        keystore_filepath: <keystore path -- removed for posting>
        keystore_password: ${KEYSTORE_PASSWORD}
        truststore_type: JKS
        truststore_filepath: <truststore path -- removed for posting>
        truststore_password: ${TRUSTSTORE_PASSWORD}
        enforce_hostname_verification: false
      http:
        enable_openssl_if_available: true
        enabled: true
        keystore_type: JKS
        keystore_filepath: <keystore path -- removed for posting>
        keystore_password: ${KEYSTORE_PASSWORD}
        truststore_type: JKS
        truststore_filepath: <truststore path -- removed for posting>
        truststore_password: ${TRUSTSTORE_PASSWORD}
    # Admin users
    authcz.admin_dn:
      - <removed for posting>
Below is our kibana.yml configuration (cleansed for this post):
server:
  host: "0.0.0.0"
  name: kibana
  basePath: "/kibana"
xpack.reporting.encryptionKey: <removed for posting>
xpack.apm.ui.enabled: false
xpack.grokdebugger.enabled: false
xpack.searchprofiler.enabled: false
xpack.security.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
searchguard.basicauth.login.title: "Kibana Login"
searchguard.basicauth.login.subtitle: "Please enter your Global Login credentials."
elasticsearch:
  url: "https://elasticsearch-http-internal-svc.com-ourstuff-elkpaas:9200"
  preserveHost: true
  ssl:
    verificationMode: none
  requestTimeout: 3000000
  pingTimeout: 3000000
  requestHeadersWhitelist: ['authorization', 'cookie']
kibana:
  index: ".kibana"
  defaultAppId: "discover"
ops.interval: 5000
console.enabled: false
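Editor's added example (not code from the original post or from Search Guard): a small script that rebuilds the authentication chain from the posted Search Guard `authc` section and the header whitelist from the posted `kibana.yml`, so the two facts that decide whether a browser sees a Basic-auth prompt are visible side by side. It relies on two documented behaviours: a Search Guard `basic` http_authenticator sends a 401 with `WWW-Authenticate` when it finds no credentials unless `challenge: false` is set (the default is `true`), and Kibana forwards to Elasticsearch only the client headers listed in `elasticsearch.requestHeadersWhitelist` (default: `authorization` only). The config strings are constructed copies of the relevant lines from the post, with key names exactly as posted; a tiny mapping-only YAML reader is included so the script runs without PyYAML.

```python
# Added example, not from the original post: rebuilds the Search Guard authc
# chain and the Kibana header whitelist from constructed copies of the posted
# configs and reports which domains can issue a Basic-auth challenge.
# Constructed copy of the authc section from the post (key names as posted).
SG_AUTHC = """\
searchguard:
  dynamic:
    authc:
      authenticaton_internal:
        enabled: true
        order: 0
        authentication_backend:
          type: internal
        http_authenticator:
          type: basic
      authentication_gl:
        enabled: true
        order: 1
        authentication_backend:
          type: com.proprietary.searchguard.auth.oursauthstuff.GlobalLoginAuthenticationBackend
        http_authenticator:
          type: com.proprietary.searchguard.auth.oursauthstuff.HTTPGlobalLoginAuthenticator
      authentication_ourauthstuff:
        enabled: true
        order: 2
        authentication_backend:
          type: com.proprietary.searchguard.auth.oursauthstuff.OurAuthenticationBackend
        http_authenticator:
          type: basic
"""

# Constructed copy of the relevant kibana.yml lines from the post.
KIBANA_YML = """\
elasticsearch:
  url: "https://elasticsearch-http-internal-svc.com-ourstuff-elkpaas:9200"
  preserveHost: true
  requestHeadersWhitelist: ['authorization', 'cookie']
"""


def _scalar(value):
    """YAML scalar -> flow list, bool, int or (unquoted) string."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [_scalar(v) for v in value[1:-1].split(",") if v.strip()]
    value = value.strip("\"'")
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.isdigit() else value


def parse_mapping_yaml(text):
    """Parse the nested-mapping subset used above: `key:` opens a mapping,
    `key: value` is a scalar. Keys contain no ':'; block lists unsupported."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for every open mapping
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value)
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def authc_chain(sg_config_text):
    """Enabled authc domains in the order Search Guard tries them."""
    authc = parse_mapping_yaml(sg_config_text)["searchguard"]["dynamic"]["authc"]
    chain = []
    for name, dom in authc.items():
        if not dom.get("enabled", True):
            continue
        http_auth = dom.get("http_authenticator", {})
        chain.append({"name": name, "order": dom.get("order", 0),
                      "http_type": http_auth.get("type"),
                      # None = `challenge` not set; Search Guard's default for basic is true
                      "challenge": http_auth.get("challenge")})
    return sorted(chain, key=lambda d: d["order"])


def challenging_basic_domains(chain):
    """`basic` authenticators that answer a credential-less request with
    401 + WWW-Authenticate, i.e. what makes a browser show a Basic-auth prompt."""
    return [d["name"] for d in chain
            if d["http_type"] == "basic" and d["challenge"] is not False]


def kibana_forwarded_headers(kibana_text):
    """Client headers Kibana passes through to Elasticsearch (default: authorization only)."""
    es = parse_mapping_yaml(kibana_text)["elasticsearch"]
    return [h.lower() for h in es.get("requestHeadersWhitelist", ["authorization"])]


if __name__ == "__main__":
    chain = authc_chain(SG_AUTHC)
    print("authc chain:", [(d["order"], d["name"], d["http_type"]) for d in chain])
    print("challenging basic domains:", challenging_basic_domains(chain))
    print("headers Kibana forwards:", kibana_forwarded_headers(KIBANA_YML))
```

Run as-is it reports that both `basic` domains (orders 0 and 2) will challenge, and that Kibana forwards only `authorization` and `cookie`; any header the custom `HTTPGlobalLoginAuthenticator` expects must appear in that whitelist or Kibana will never pass it on. Re-run after adding `challenge: false` under a `basic` http_authenticator and that domain drops out of the challenging list, which is the quickest way to see which domain is producing the prompt.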