Automatic login with JWT

I am unable to log in to Kibana using JWT as explained in this article and this thread.
My configurations are as follows:

docker-compose.yml

version: '3'
services:
  odfe-node1:
    image: amazon/opendistro-for-elasticsearch:1.2.0
    container_name: odfe-node1
    environment:
      - cluster.name=odfe-cluster
      - node.name=odfe-node1
      - discovery.seed_hosts=odfe-node1,odfe-node2
      - cluster.initial_master_nodes=odfe-node1,odfe-node2
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
        hard: 65536
    volumes:
      - ./config/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./config/esnode.pem:/usr/share/elasticsearch/config/esnode.pem
      - ./config/esnode-key.pem:/usr/share/elasticsearch/config/esnode-key.pem
      - ./config/kirk.pem:/usr/share/elasticsearch/config/kirk.pem
      - ./config/kirk-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
      - odfe-data1:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./security.config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - odfe-net
  odfe-node2:
    image: amazon/opendistro-for-elasticsearch:1.2.0
    container_name: odfe-node2
    environment:
      - cluster.name=odfe-cluster
      - node.name=odfe-node2
      - discovery.seed_hosts=odfe-node1,odfe-node2
      - cluster.initial_master_nodes=odfe-node1,odfe-node2
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - ./config/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
      - ./config/esnode.pem:/usr/share/elasticsearch/config/esnode.pem
      - ./config/esnode-key.pem:/usr/share/elasticsearch/config/esnode-key.pem
      - ./config/kirk.pem:/usr/share/elasticsearch/config/kirk.pem
      - ./config/kirk-key.pem:/usr/share/elasticsearch/config/kirk-key.pem
      - odfe-data1:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./security.config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
    networks:
      - odfe-net
  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.2.0
    container_name: odfe-kibana
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      ELASTICSEARCH_URL: https://odfe-node1:9200
      ELASTICSEARCH_HOSTS: https://odfe-node1:9200
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - odfe-net

volumes:
  odfe-data1:
  odfe-data2:

networks:
  odfe-net:

security.config.yml

jwt_auth_domain:
  enabled: true
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "MTIzNDU2"
      jwt_header: "Authorization"
      roles_key: "rolesKey"
      subject_key: "subjectKey"
  authentication_backend:
    type: noop

elasticsearch.yml

######## Start OpenDistro for Elasticsearch Security Demo Configuration ########

# WARNING: revise all the lines below before you go into production

opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

network.host: 0.0.0.0

kibana.yml

# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization", "jwtToken"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.jwt.enabled: true
opendistro_security.auth.type: "jwt"
opendistro_security.jwt.url_param: jwtToken

I generated a simple token with jwt.io:

{
  "rolesKey": "all_access",
  "subjectKey": "admin",
  "exp": 2553444112,
  "iss": "http://localhost"
}

with the "secret base64 encoded" option ticked, which resulted in this token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA

Kibana shows "Authentication failed, Please provide a new token." in the browser.
Checking with

curl 'localhost:5601?jwtToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA' -i

gives

HTTP/1.1 302 Found

location: /customerror?type=authError
kbn-name: kibana
content-type: text/html; charset=utf-8
cache-control: no-cache
set-cookie: security_storage=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/
set-cookie: security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/
content-length: 0
connection: close
Date: Fri, 11 Oct 2019 08:34:17 GMT

And

curl -XGET http://localhost:5601 -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA" -i

produces the same 302 result.

Is there any way I can get this working, or are there maybe alternatives to automatically log in to an embedded Kibana dashboard?

Hello @nickgregz

Did you manage to do it, or to automatically log in to an embedded Kibana dashboard with different users?

Thanks.

@nick and @Agu91 did you get this working?

If not, can you share your complete config.yml file? Redact any sensitive information (if any).

From the above, the role that should be available in the JWT is ‘admin’, assuming the default config is used. This will map the user to the correct role ‘all_access’.
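As an added example, not code from this thread or from the Open Distro project, the script below shows the two things the thread turns on: how the `signing_key` in `jwt_auth_domain` relates to the HMAC secret (the plugin base64-decodes it, so "MTIzNDU2" means the raw secret "123456", matching the "secret base64 encoded" option on jwt.io), and how the value carried in the `rolesKey` claim is resolved through a role mapping, which is the point of the last reply. The `ROLES_MAPPING` dict is a constructed stand-in modelled on the default roles_mapping.yml (backend role "admin" maps to "all_access"); the comma-splitting of a string roles claim, the exact `exp` handling and all function names are assumptions of this example, not the plugin's code. Running it shows that the thread's token, which puts the role name "all_access" in the roles claim, maps to no role, while a token carrying the backend role "admin" maps to all_access.

```python
# Added example: mint/verify an HS256 JWT for a jwt_auth_domain with a
# base64-encoded signing_key, and resolve the roles claim through a mapping
# modelled on the default roles_mapping.yml. Not the Open Distro source.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Values taken from the thread's security config. The plugin base64-decodes
# signing_key for HMAC algorithms, so "MTIzNDU2" is the raw secret "123456".
SIGNING_KEY_B64 = "MTIzNDU2"
ROLES_KEY = "rolesKey"
SUBJECT_KEY = "subjectKey"

# The token posted in the thread (header.payload.signature).
THREAD_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJyb2xlc0tleSI6ImFsbF9hY2Nlc3MiLCJzdWJqZWN0S2V5IjoiYWRtaW4iLCJleHAiOjI1NTM0NDQxMTIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QifQ."
    "83Y2G1THwPgwZEmNrwxTvewuk3nxJKJg8x_IlkdYNeA"
)

# Constructed stand-in for the default roles_mapping.yml (assumption): only the
# backend role "admin" maps to "all_access". A backend role literally named
# "all_access" matches nothing, which is what the last reply points out.
ROLES_MAPPING: Dict[str, Dict[str, List[str]]] = {
    "all_access": {"backend_roles": ["admin"]},
    "kibana_user": {"backend_roles": ["kibanauser"]},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_secret(signing_key_b64: str) -> bytes:
    """The configured signing_key is base64; the HMAC key is its decoded bytes."""
    return base64.b64decode(signing_key_b64)


def mint_token(claims: dict, signing_key_b64: str) -> str:
    """Compact JSON (no spaces), like jwt.io, so header.payload is reproducible."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(hmac_secret(signing_key_b64), signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, signing_key_b64: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if alg, signature and exp check out, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:          # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; rejects "none"
        return None
    expected = hmac.new(hmac_secret(signing_key_b64),
                        f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and int(claims["exp"]) <= now:
        return None
    return claims


def decode_claims_unverified(token: str) -> dict:
    """Payload only, for inspection; never trust this without verify_token."""
    return json.loads(b64url_decode(token.split(".")[1]))


def resolve_roles(claims: dict, mapping=ROLES_MAPPING) -> List[str]:
    """Backend role(s) from the roles claim -> security roles via the mapping.
    A string claim is split on commas (assumption about the plugin)."""
    backend = claims.get(ROLES_KEY, [])
    if isinstance(backend, str):
        backend = [r.strip() for r in backend.split(",") if r.strip()]
    return sorted(role for role, spec in mapping.items()
                  if set(spec["backend_roles"]) & set(backend))


if __name__ == "__main__":
    thread_claims = decode_claims_unverified(THREAD_TOKEN)
    print("thread token claims:", thread_claims)
    print("thread token roles: ", resolve_roles(thread_claims))
    fixed = mint_token({ROLES_KEY: "admin", SUBJECT_KEY: "admin",
                        "exp": 2553444112, "iss": "http://localhost"},
                       SIGNING_KEY_B64)
    print("fixed token roles:  ", resolve_roles(verify_token(fixed, SIGNING_KEY_B64)))
```

The header.payload part of `mint_token` for the thread's claims is byte-identical to the posted token, so a mismatch between this script's signature and the posted one would point at the secret (what was typed into jwt.io and whether the base64 option matched), while `resolve_roles` on the posted claims returning an empty list is the role-mapping problem the last reply describes.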