Kibana + ES with Custom Realm

Jathin · July 31, 2017, 3:53pm

We have ES with custom realm that is accepting saml token and setting up user/roles based on the token.
Kibana with out x-pack works well as it passes on the saml toke in Authorization header to ES and it works really fine.

I tried to setup xpack as i want to setup monitoring ui, and look at how various ES/LS nodes are performing. I tried to keep this blog post as refernece and setup kibana. in my case there is no act as user as my custom realm is able to translate my token to Es user\role. But when i setup Kibana with Xpack in front, i always get to kibana login screen and authorization header (which has my token) is never sent to ES. I looked at logs and there are no errors. but the token is never sent to ES. I also tried to add the below configuration to kibana, but it does not seem to work.

Can you please help me with this configurations.

joshbressers · July 31, 2017, 4:35pm

It sounds like you aren't using a service account to authenticate Kibana. The service account should take care of the login page you see, then the headers in question will be passed to Elasticsearch. Check the "service account" section in the blog post you reference.

Jathin · July 31, 2017, 6:02pm

So i have 15 roles and each user can have a combination of roles. we have custom realm that parses those roles and translate to es roles. i just need Authorization header thats coming in to be fowarded on to ES and my realm would be smart enough to handle it. if i pass in run as user then roles translation from saml token might get skipped. there is no way to setup custom realm in kibana.. so i just need to forward Auth header to ES.

i tried to use

xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization, Authorization ]

but thats not working.

joshbressers · July 31, 2017, 6:50pm

That all sounds fine, but the Kibana login screen suggests you're not using a service account when connecting the proxy to Kibana.

The proxy must connect to Kibana using a service account that has the run as permission.

Jathin · July 31, 2017, 6:58pm

i do not need any authentication to kibana.. as my proxy will handle login and get saml token in Authorization header, which would just pass thru kibana and on ES my realm would translate to ES roles. Do i need a run as user just so that kibana can pass the authorization header to ES. And if yes, can i use anonymous login user to do that?
my ES setup does not require any auth to write log entries, but require roles to read them.

joshbressers · July 31, 2017, 7:21pm

Right, you need a service account for the initial connection. Search for “service account” in the blog post you mentioned.

Jathin · July 31, 2017, 7:32pm

thanks for help.
But i need to understand this correctly. would i need to set different roles\user from proxy itself?
proxy_set_header es-security-runas-user $http_x_forwarded_user;

This is duplicate effort as all of that is done in Custom realm in ES.
Thanks

joshbressers · July 31, 2017, 11:21pm

The service user is meant to authenticate the proxy to Kibana (like typing in your username and password in the login screen), then the proxy passes the es-security-runas-user header, which the service user transitions to to execute queries in Elasticsearch.

Right now we don't have a nice way to auth a user against kibana without providing a password which is why we need to use the proxy.

In the future we will have a nicer solution to this issue.

Jathin · August 1, 2017, 1:28pm

i got it working now.
i had to add below configurations.

xpack.security.enabled: false
xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization, Authorization ]

auth is skipped in kibana and validated on ES using custom realm.
Not sure of side effects of disabling xpack security plugin in kibana.

system · August 29, 2017, 1:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.