We have ES with a custom realm that accepts a SAML token and sets up the user/roles based on the token.
Kibana without X-Pack works well, as it passes the SAML token in the Authorization header on to ES and it works really fine.
I tried to set up X-Pack as I want to set up the monitoring UI and look at how the various ES/LS nodes are performing. I tried to keep this blog post as a reference and set up Kibana. In my case there is no act-as user, as my custom realm is able to translate my token to an ES user\role. But when I set up Kibana with X-Pack in front, I always get to the Kibana login screen and the Authorization header (which has my token) is never sent to ES. I looked at the logs and there are no errors, but the token is never sent to ES. I also tried to add the below configuration to Kibana, but it does not seem to work.
It sounds like you aren't using a service account to authenticate Kibana. The service account should take care of the login page you see, then the headers in question will be passed to Elasticsearch. Check the "service account" section in the blog post you reference.
So I have 15 roles and each user can have a combination of roles. We have a custom realm that parses those roles and translates them to ES roles. I just need the Authorization header that's coming in to be forwarded on to ES, and my realm would be smart enough to handle it. If I pass in a run-as user, then the roles translation from the SAML token might get skipped. There is no way to set up a custom realm in Kibana, so I just need to forward the Auth header to ES.
I do not need any authentication to Kibana, as my proxy will handle login and get the SAML token in the Authorization header, which would just pass through Kibana, and on ES my realm would translate it to ES roles. Do I need a run-as user just so that Kibana can pass the Authorization header to ES? And if yes, can I use the anonymous login user to do that?
My ES setup does not require any auth to write log entries, but requires roles to read them.
Thanks for the help.
But I need to understand this correctly. Would I need to set different roles\user from the proxy itself? `proxy_set_header es-security-runas-user $http_x_forwarded_user;`
This is duplicate effort, as all of that is done in the custom realm in ES.
Thanks
The service user is meant to authenticate the proxy to Kibana (like typing in your username and password on the login screen); then the proxy passes the es-security-runas-user header, which the service user transitions to in order to execute queries in Elasticsearch.
Right now we don't have a nice way to auth a user against Kibana without providing a password, which is why we need to use the proxy.
In the future we will have a nicer solution to this issue.
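The proxy arrangement described in the answer above, written out as an nginx server block. This is an added example, not configuration from the thread or from Elastic; the hostname, certificate paths, service-user name, password and the 10.0.0.0/8 range are placeholders, and it assumes an upstream SSO layer has already authenticated the person and set X-Forwarded-User.

```nginx
# Added example: nginx in front of Kibana. The proxy logs in to Kibana as a
# dedicated service user and names the real user in es-security-runas-user,
# which Kibana forwards to Elasticsearch.
server {
    listen 443 ssl;
    server_name kibana.example.internal;           # placeholder hostname
    ssl_certificate     /etc/nginx/tls/kibana.crt; # placeholder path
    ssl_certificate_key /etc/nginx/tls/kibana.key; # placeholder path

    location / {
        # Only the trusted SSO/proxy tier may reach this listener. If arbitrary
        # clients could connect, they could set X-Forwarded-User themselves and
        # choose their own run-as user.
        allow 10.0.0.0/8;   # placeholder: address range of the SSO tier
        deny  all;

        proxy_pass http://127.0.0.1:5601;   # Kibana, assumed on the same host

        # 1. Authenticate the proxy itself to Kibana as the service user.
        #    The value is base64("service-user:placeholder"); replace it with
        #    the real service-user credentials and keep them out of the repo.
        proxy_set_header Authorization "Basic c2VydmljZS11c2VyOnBsYWNlaG9sZGVy";

        # 2. Name the real user. X-Forwarded-User is set by the SSO tier
        #    (assumption); Kibana forwards this header to Elasticsearch, where
        #    the service user must hold run_as privileges for that name.
        proxy_set_header es-security-runas-user $http_x_forwarded_user;

        # Usual reverse-proxy headers so Kibana sees the original request.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Kibana only passes the run-as header on if kibana.yml lists it in `elasticsearch.requestHeadersWhitelist` together with `authorization`, and the service user's Elasticsearch role needs a `run_as` entry covering the user names it will impersonate.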