Logging in to Kibana 8 without security for LDAP auth ES cluster

Hi, we have an 8.5.2 cluster running with LDAP authentication (xpack security) with a basic license. In earlier versions of Kibana in 7.x we use the same username and password of elastic to log in to Kibana, but in 8.x versions it looks like it needs the same elastic uname/pwd to be created again using the _security/user API with the same password of elastic so it passes both Kibana and ES authentication.

Can we disable security in Kibana alone to use the same userid/password of elastic to log in like in the 7.x version of Kibana?

Something is wrong, the LDAP integration does not work with the basic license, you need a paid license to use it.

What is the result of GET _license ?

It is not clear what the issue is. To log in to Kibana you need to use a username and password; these credentials are stored in Elasticsearch, and every client needs a username and password or an API key.

What changed in Kibana version 8 is that you now can use a service account to configure the user that Kibana will use to connect to Elasticsearch.

Can you provide more context about what your issue is?

@leandrojmp We are using the Elastic basic license (not paid) with an httpd proxy LDAP system.
With the 7.17 version, if we connect via Kibana it lets us in with the Elastic username and password (any service account associated with the AD group).

But the new 8.x version of Kibana is not allowing us to log in with the same uname/password of Elastic.

Earlier, teams used their own id to log in if they were part of the AD group, but with 8.x we need to get the uname and password of individuals and add them to users to enable login for them.

Is there any workaround for configuring a service account for Kibana so that they can log in with their own id, and will a single Kibana allow multiple logins? Or is there a way to disable security in Kibana alone?

We don't want the existing system to be disturbed and want to upgrade to 8.x seamlessly.

{
  "license" : {
    "status" : "active",
    "uid" : "f937d78e-7a86-46d4-80c7-8a63a1c515fb",
    "type" : "basic",
    "issue_date" : "2022-05-27T09:49:14.974Z",
    "issue_date_in_millis" : 1653644954974,
    "max_nodes" : 1000,
    "max_resource_units" : null,
    "issued_to" : "es-test",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}

So your issue is not in Kibana, but with your proxy, you need to check on the proxy software you are using as Kibana has no knowledge of it.

What is the error you are getting? Please share the Kibana log.

Not possible, there is no security in Kibana, the security is configured in Elasticsearch, not in Kibana, Kibana acts as a client to Elasticsearch and the authentication and authorization is done by Elasticsearch.

The service account I mentioned is used by Kibana to authenticate to Elasticsearch, not the users, the users still need.

I'm trying to understand your infrastructure, it looks like in version 7 you didn't have security enabled and the access was controlled by your httpd proxy, but in version 8 security is enabled by default.

Can you share your current kibana.yml and elasticsearch.yml ?

Hello Leandrojmp. I am working on this issue with Chel and can provide some infra context.

Below is the Kibana.yml

server.port: 5601
server.host: 0.0.0.0
elasticsearch.hosts: ["https://full_qualified_name.com:443"]
elasticsearch.username: "ad_service_account1"
elasticsearch.password: "super_secure_password"
elasticsearch.ssl.verificationMode: "none"
xpack.reporting.roles.enabled: false

And here is the Elasticsearch.yaml file

network.host: 0.0.0.0
cluster.name: UNIQUE_CLUSTER_NAME
node.roles: [ master, data, ingest, remote_cluster_client]
node.store.allow_mmap: false
discovery.seed_providers: file
bootstrap.memory_lock: true

action.destructive_requires_name: true

path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch

#Security and TLS configuration
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/instance/instance.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/ca/ca.crt" ]
xpack.security.http.ssl.enabled: false

#disable geoip download
ingest.geoip.downloader.enabled: false

You are correct in your assessment that our version 7x did not have the xpack.security plugin enabled and it seems with version 8x (8.5.2) it defaults to true.

We also do have an http service running on each of the Elasticsearch nodes and they are configured to authenticate users that exist in a specific AD group. The "ad_service_account1" above in the kibana.yml file is in the needed AD group. However, before we were able to log into the Kibana UI with the "ad_service_account1" id, we first had to create that user in Elastic with the security user api (Create or update users API | Elasticsearch Guide [8.5] | Elastic) and assign the user to the admin role.

Is there any way to use the standard "kibana_system" user in the Kibana.yml file and still allow users that exist in an AD group access to the Kibana UI??

These are two different things, Kibana is an Elasticsearch client, the settings elasticsearch.username and elasticsearch.password are the settings where you configure the username and password that Kibana as a client will use to write on its own indices in Elasticsearch.

This is used when you have security enabled and Kibana users still need to authenticate in Elasticsearch.

On the documentation you have this about those settings:

elasticsearch.username and elasticsearch.password
If your Elasticsearch is protected with basic authentication, these settings provide the username and password that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.

You said you didn't have security enabled in version 7, so you were not authenticating in Elasticsearch, only in your httpd proxy.

Were you using the elasticsearch.username and elasticsearch.password in your settings to talk with the http service running on the Elasticsearch nodes?

No, if you enable security in Elasticsearch the users need to authenticate in Elasticsearch. With the basic license the only authentication realm available is the native one; you can't integrate with an Active Directory without a paid license, so all your users will need to be created in the native realm.

The kibana_system user is used by kibana to write and read in elasticsearch, not to authenticate users. To authenticate users Kibana acts as a proxy as described in the documentation.

Ok, I think I understand. We are currently using Elasticsearch basic authentication and have 2 user IDs set up in Elasticsearch (admin/normal). We have the https service running on all Elasticsearch nodes as well and that is accepting all API calls. The LDAP authentication (AD group membership) is configured in the https service and that will proxy the API call to use the appropriate Elasticsearch user credentials to the Elasticsearch service.

One clarification on the users, as we are adding users by

bin/elasticsearch-users useradd jacknich -p theshining -r network,monitoring

but the same user is not getting reflected if we get user like below

https://host/_security/user

So we use the POST request of /_security/user with the username and password which we created earlier, and then Kibana allows us to log in.

Is this the way we can use it, or will bin/elasticsearch-users useradd help?

The elasticsearch-users command only works if you are using the file-based user authentication, which uses the file realm.

If you use this command and you have more than one node, you will need to make sure that all the users are defined in every node.

This is explained in this documentation.

The documentation also mentions this:

You should also be aware that you cannot add or manage users in the file realm via the user APIs

So, the _security/user API will not reflect the users added using elasticsearch-users.

Any reason to use the file realm? You could use the native realm, which is enabled by default, and add your users using the API or Kibana.
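The file/native split described in the answer above can be checked directly. The following is an added example, not code from the thread or from Elastic: it parses the file realm's `users` and `users_roles` files and compares them with the body of `GET /_security/user`, showing which accounts the user API cannot see. All sample contents are constructed, the `admin` role is taken from the earlier post, and the function names are hypothetical.

```python
import json

# Constructed sample of the file realm's `users` file: username:password_hash
USERS_FILE = "jacknich:$2a$10$CONSTRUCTED\nad_service_account1:$2a$10$CONSTRUCTED\n"
# Constructed sample of `users_roles`: role:user1,user2
USERS_ROLES_FILE = "network:jacknich\nmonitoring:jacknich\n"
# Constructed sample body of GET /_security/user (file-realm users never appear here)
API_BODY = json.dumps({
    "ad_service_account1": {"username": "ad_service_account1",
                            "roles": ["admin"], "enabled": True},
})


def parse_file_realm(users_text, users_roles_text):
    """Return {username: sorted role list} for users defined in the file realm."""
    users = {}
    for line in users_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users[line.split(":", 1)[0]] = set()
    for line in users_roles_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, _, members = line.partition(":")
        for name in (m.strip() for m in members.split(",")):
            if name in users:  # ignore role entries for unknown users
                users[name].add(role.strip())
    return {name: sorted(roles) for name, roles in users.items()}


def compare_realms(file_users, api_body):
    """Split usernames into file-only, API-only, and defined in both places."""
    api_users = set(json.loads(api_body))
    file_names = set(file_users)
    return {
        "file_only": sorted(file_names - api_users),  # invisible to _security/user
        "both": sorted(file_names & api_users),       # two separate password stores
        "api_only": sorted(api_users - file_names),
    }


if __name__ == "__main__":
    found = parse_file_realm(USERS_FILE, USERS_ROLES_FILE)
    print(found)
    print(compare_realms(found, API_BODY))
```

Because the file realm is local to each node, the `users` and `users_roles` contents have to be read from every node for the comparison to be complete.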

Thanks for responding. It is clear now. I was confusing the file and native realms. Closing this thread. Resolved.
