We are configuring ELK Shield plugin. The ELK server is integrated with LDAP server which is working fine. For Kibana, we have used Apache reverse proxy.
The problem we are facing is with the configuration of Shield plugin.
We have followed the official documentation but our Kibana dashboard is not coming up and giving error 502.
One more thing: is SSL/TLS encryption mandatory in this case?
Before configuring Shield, I have gone through its complete documentation.
As a part of the configuration, I have followed the steps given in - https://www.elastic.co/guide/en/shield/current/kibana.html
We have not configured SSL/TLS encryption and as per my understanding that is not mandatory.
We will enable it later on.
But after restarting Kibana, I get the following error -
[root@irldxvm002 kibana]# curl http://9.126.112.35:5601
curl: (52) Empty reply from server
[root@irldxvm002 kibana]# curl http://9.126.112.35:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}
I have gone through the logs of ELK , httpd but did not get any clue.
Let me know if you need any specific details.
I have made some progress and now the proxy error has gone. I am getting the login page with https and am able to log in with my LDAP credentials, but after login I am getting a security exception as shown in the attached screenshot -
Do you have any errors in your log from startup about invalid roles? Also, if you execute the following to increase logging and authenticate as your user, some messages about role mapping should be logged:
You'll need to look in the log file of the elasticsearch node that you are connecting to. The access log does not contain the role mapping debug output.
Thanks for the reply Jay, but I have already configured "shield.authc: TRACE" in /etc/elasticsearch/logging.yml, but it looks like somehow it is not working.
Thanks for pointing out my stupid mistake- I can see debug logs in elasticsearch.log
Though I have done the mapping, I am getting this -
[2016-06-20 17:15:36,590][DEBUG][shield.authc.support ] [Oneg the Prober] the roles [], are mapped from these [ldap] groups [] for realm [ldap/ldap1]
[2016-06-20 17:15:36,591][DEBUG][shield.authc.support ] [Oneg the Prober] the roles [], are mapped from the user [ldap] for realm [uid=xxxx,c=in,ou=bluepages,o=ibm.com/ldap]
[2016-06-20 17:15:36,595][DEBUG][shield.authc.ldap ] [Oneg the Prober] authenticated user [vinodar3@in.ibm.com], with roles []
Thanks, now I am able to log in to Kibana. But I see the following in the elasticsearch logs -
[2016-06-20 18:28:44,428][DEBUG][shield.authc.ldap ] [Man-Brute] authentication failed for user [AVJBYJ744]
ElasticsearchSecurityException[failed to find user [AVJBYJ744] with search base [c=in, ou=bluepages, o=ibm.com] scope [sub_tree]]
at org.elasticsearch.shield.support.Exceptions.authenticationError(Exceptions.java:39)
And now role mapping is working fine -
[2016-06-20 18:28:46,319][DEBUG][shield.authc.ldap ] [Man-Brute] authenticated user [vinodar3@in.ibm.com], with roles [[admin, kibana4_server, power_user, kibana4, my_kibana_user]]
But if I use email in the role mapping file, it does not work. Then I get a security exception as soon as I log in to Kibana.
It is strange that with this configuration everything is working fine but only getting security exception in elasticsearch logs. The log says both successfully authenticated and did not find the user.
I asked another user to log in who got a security exception, but after assigning a role in the role mapping file he was able to log in successfully.
This is the only realm you have enabled? Do you see access_granted for this user in the audit logs?
Currently, we only support the distinguished name of an LDAP group or user for role mapping. mail is not part of the DN so it cannot be used for role mapping, but it can be used to find the user in LDAP.
What happens is a search is executed to find a user that has the mail attribute value that matches user@in.ibm.com. Once this is found, the DN is retrieved and the user is authenticated via a bind. After the bind, groups are searched for and then roles are mapped based on the DNs of the groups and the DN of the user.