[SHIELD] Kibana to Elasticsearch

security

#1

Hi Everyone,

I'm stuck on an issue connecting Kibana and Elasticsearch with Shield.

Shield version is 2.4
Kibana version is 4.6.1
Elasticsearch version is 2.4

I have configured an ldap for authentication in elasticsearch.

For now, I can see an error when I try to log into Kibana with a user:
[security_exception] action [cluster:monitor/nodes/info] is unauthorized for user [kibana-server]

In ElasticSearch logs I have:

[2016-11-28 15:48:34,746][DEBUG][indices.cluster ] [node_serverlog] [logstash-2016.11.22] adding mapping [logs] (source suppressed due to length, use TRACE level if needed)
[2016-11-28 15:48:34,761][DEBUG][shield.authc.support ] [node_serverlog] the roles [[]], are mapped from these [ldap] groups [[]] for realm [ldap/ldap1]
[2016-11-28 15:48:34,762][DEBUG][shield.authc.support ] [node_serverlog] the roles [[]], are mapped from the user [ldap] for realm [uid=kibana-server,ou=xxxx,ou=yyyyyy,ou=zzzzzz,dc=exemple,dc=com/ldap]
[2016-11-28 15:48:34,779][DEBUG][shield.authc.ldap ] [node_serverlog] authenticated user [kibana-server], with roles [[]]
[2016-11-28 15:48:34,796][DEBUG][netty.handler.ssl.SslHandler] Failed to clean up SSLEngine.

In Kibana logs I have:

{"type":"log","@timestamp":"2016-11-28T14:48:21Z","tags":["error","elasticsearch"],"pid":573,"message":"Request error, retrying -- connect ECONNREFUSED 192.116.9.16:9200"}
{"type":"log","@timestamp":"2016-11-28T14:48:21Z","tags":["status","plugin:elasticsearch@1.0.0","error"],"pid":573,"state":"red","message":"Status changed from red to red - Unable to connect to Elasticsearch at https://node:9200.","prevState":"red","prevMsg":"[security_exception] action [cluster:monitor/nodes/info] is unauthorized for user [kibana-server]"}
{"type":"log","@timestamp":"2016-11-28T14:48:34Z","tags":["status","plugin:elasticsearch@1.0.0","error"],"pid":573,"state":"red","message":"Status changed from red to red - [security_exception] action [cluster:monitor/nodes/info] is unauthorized for user [kibana-server]","prevState":"red","prevMsg":"Unable to connect to Elasticsearch at https://oslxlog22.sogecap.socgen:9200."}

Is this a SSL issue or a role mapping issue? I'm a bit lost... :disappointed_relieved:

I thank you for any help anyone can give me on this issue...

Best Regards,
Del


(Thomas Neirynck) #2

Hi @Del

could you share your configuration .yml files?

Perhaps first thing to check into; for LDAP integration, check that your distinguished names match your config.

https://www.elastic.co/guide/en/x-pack/current/ldap-realm.html#mapping-roles-ldap


#3

Hello @thomasneirynck,

Thanks for your reply!

Here are my .yml config files


role_mapping.yml

kibana4_server:
  - "cn=kibana-server, ou=xxx,ou=yyy,ou=zzz,dc=exemple,dc=com "

kibana_user:
  - " cn=un_groupe_anonymisé , ou=xxx,ou=yyy,ou=zzz,dc=exemple,dc=com "

roles.yml

kibana4_server:
  cluster:
    - monitor
  indices:
    - names: '.kibana'
      privileges:
        - all

kibana_user:
  cluster:
    - monitor
  indices:
    - names: 'logstash-'
      privileges:
        - view_index_metadata
        - read
    - names: 'kibana-int'
      privileges:
        - view_index_metadata
        - read
    - names: '.kibana'
      privileges:
        - manage
        - read
        - index


Shield configuration in elasticsearch.yml

shield.http.ssl: true

# LDAP
shield:
  authc:
    realms:
      ldap1:
        type: ldap
        order: 0
        url: "ldap://serverldap:1389"
        bind_dn: "uid=kibana-server,ou=xxx,ou=yyy,ou=zzz,dc=exemple,dc=com"
        bind_password: "un_secret_anonymisé"
        user_search:
          base_dn: "ou=xxx,ou=yyy,ou=zzz,dc=exemple,dc=com "
          attribute: uid
        group_search:
          base_dn: "cn=grp-ES, ou=xxx,ou=yyy,ou=zzz,dc=exemple,dc=com "
          attribute: uid
        files:
          role_mapping: "/appservers/conf/shield/role_mapping.yml"
        unmapped_groups_as_roles: true

Writing out my config files raises a question: is it OK to have the same LDAP group in elasticsearch.yml and role_mapping.yml?

Thanks a lot for your help!

Best Regards,
Del


#4

Ok

I had a chance to move forward, and got the user mapped to a role.

In fact, I did have user 'kibana-server' declared in kibana.yml. I just deleted these 2 lines and I was able to get the user mapped to the [my_kibana_user] role.

But I still have 'Failed to clean up SSLEngine'.
I was thinking of a cert issue, so I made a new cert and keystore. But now it appears that I can't establish the connection from Kibana to Elasticsearch.
-> Do I need to create a new topic?

Thanks a lot in advance.

Del


(Harsh Jain) #5

I see two things..
your kibana4-server should have access to '.kibana*' index. You have '.kibana'
Also the port for the ldap server is usually 386 for non-ssl, and 636 for ssl enabled.

Please check these two. I think this is an issue with the role/role_mapping/Ldap. SSL seems fine.


#6

damn you rock @imHarshj !

you have good eyes

I moved one step forward again :smile:

now I have:
[2016-11-29 17:05:51,629][DEBUG][shield.authc.ldap ] [node_oslxlog22] authenticated user [kibana-server], with roles [[kibana4_server]]
[2016-11-29 17:05:51,630][DEBUG][rest.suppressed ] path: /kibana4-int/config/_search, params: {index=kibana4-int, type=config}
ElasticsearchSecurityException[action [indices:data/read/search] is unauthorized for user [kibana-server]]

I see there are other topics with this same problem.

Again thanks a lot for your help !

Best Regards,
Del
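
The "SSL or role mapping?" question from post #1 can be answered from the Shield DEBUG lines themselves. The following is an added example, not part of any post in this thread: it replays the log lines quoted in posts #1 and #6 against the index patterns from the roles.yml in post #3. The `triage` function and its verdict labels are hypothetical names, and `fnmatch` is assumed to approximate Shield's `*` wildcard matching.

```python
import re
from fnmatch import fnmatchcase

# Constructed input: log lines copied from posts #1 and #6 of this thread.
SAMPLE_LOG = """\
[2016-11-28 15:48:34,779][DEBUG][shield.authc.ldap ] [node_serverlog] authenticated user [kibana-server], with roles [[]]
[security_exception] action [cluster:monitor/nodes/info] is unauthorized for user [kibana-server]
[2016-11-29 17:05:51,629][DEBUG][shield.authc.ldap ] [node_oslxlog22] authenticated user [kibana-server], with roles [[kibana4_server]]
[2016-11-29 17:05:51,630][DEBUG][rest.suppressed ] path: /kibana4-int/config/_search, params: {index=kibana4-int, type=config}
ElasticsearchSecurityException[action [indices:data/read/search] is unauthorized for user [kibana-server]]
"""
# Index patterns per role, copied from the roles.yml in post #3.
ROLE_INDICES = {"kibana4_server": [".kibana"]}

AUTH_RE = re.compile(r"authenticated user \[([^\]]+)\], with roles \[\[([^\]]*)\]\]")
DENY_RE = re.compile(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]")
INDEX_RE = re.compile(r"params: \{index=([^,}]+)")

def triage(log_text, role_indices):
    """Return (user, verdict, detail) for each denied action in the log."""
    roles_by_user, last_index, findings = {}, None, []
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            user, raw = m.groups()
            roles_by_user[user] = [r.strip() for r in raw.split(",") if r.strip()]
        elif m := INDEX_RE.search(line):
            last_index = m.group(1)  # index named by the most recent suppressed REST request
        elif m := DENY_RE.search(line):
            action, user = m.groups()
            roles = roles_by_user.get(user, [])
            if not roles:
                # Authentication worked but no role was mapped: look at role_mapping.yml and the DNs.
                findings.append((user, "no-roles-mapped", action))
            elif action.startswith("indices:") and last_index:
                # Assumption: fnmatch only approximates Shield's '*' wildcard matching.
                patterns = [p for r in roles for p in role_indices.get(r, [])]
                hit = any(fnmatchcase(last_index, p) for p in patterns)
                verdict = "index-covered-check-privileges" if hit else "index-not-covered"
                findings.append((user, verdict, f"{action} on {last_index} vs {patterns}"))
            else:
                findings.append((user, "missing-privilege", action))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ROLE_INDICES):
        print(finding)
```

Neither finding points at TLS: the first denial follows an authentication that mapped no roles, and the second names an index (`kibana4-int`) that the mapped role's patterns do not cover.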


(Harsh Jain) #7

In the elasticsearch.yml, do you have:
elasticsearch.username: "kibana-server"
elasticsearch.password: "yourpassword"

Restart kibana/elasticsearch service if you haven't. Seems like the role/role_mapping are set up right.


#8

Hello,

I now have it. I will let you know if it works better.

Thanks @imHarshj


#9

Hello,

Just a little confirmation: it works much better now.
Thanks a lot guys for your help!

I just have a little issue with LDAP group authentication (to restrict the index view and who can log in).
I posted another topic with that issue.

