Hello guys,
I am having an issue with integrating Kibana with Okta OpenID.
- Kibana config:
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://my_domain/.well-known/openid-configuration"
opendistro_security.openid.client_id: "0oa9dl1e4VRStlugu5d6"
opendistro_security.openid.client_secret: "my_key"
server.name: kibana
server.host: "0"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: [ "securitytenant","Authorization" ]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: [ "Private", "Global" ]
opendistro_security.readonly_mode.roles: [ "kibana_read_only" ]
# Use this setting if you are running kibana without https
opendistro_security.cookie.secure: false
newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false
- Elasticsearch config.yaml:
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
      # Kibana multitenancy
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        #remoteIpHeader: 'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            # standard OIDC claim name (was misspelled "preffered_username")
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://my_domain/.well-known/openid-configuration
        authentication_backend:
          type: noop
- internal_users.yml: basic demo users
_meta:
  type: "internalusers"
  config_version: 2
new-user:
  hash: "$2y$12$88IFVl6IfIwCFh5aQYfOmuXVL9j2hz/GusQb35o.4sdTDAEMTOD.K"
  reserved: false
  hidden: false
  opendistro_security_roles:
    - "some-security-role"
  backend_roles:
    - "some-backend-role"
  attributes:
    attribute1: "value1"
  static: false
admin:
  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
  reserved: true
  backend_roles:
    - "admin"
  description: "Demo admin user"
kibanaserver:
  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
  reserved: true
  description: "Demo kibanaserver user"
- Issue:
As soon as I install the Helm chart after adding the OpenID settings, I get this error in Kibana non-stop:
{"type":"log","@timestamp":"2021-02-25T16:25:30Z","tags":["error","elasticsearch","data"],"pid":1,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
The above prevents the server from coming up.
- If I revert back to regular authentication without OpenID, everything works fine.
- Tried switching the hosts to "http"
- Tried switching the openid auth in config.yaml to "0"
- Tried to inject an Elasticsearch URL as per the Kubernetes FQDN
- Tried different users besides "kibanaserver"
- Played around with multiple different configurations in kibana.yml
I have tried virtually everything for the past 7 hours and I do hope I am missing something here.
Thank you for your time.
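An added example, not part of the original post: a small dependency-free check over the flat kibana.yml keys quoted above, flagging the settings a reviewer would look at first for an OpenID setup. It assumes Kibana and Elasticsearch run in separate pods (the `separate_es_pod` flag), and the sample text is a constructed copy of the keys from the post.

```python
import re

# Constructed sample mirroring the flat kibana.yml keys quoted in the post
KIBANA_YML = """\
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://my_domain/.well-known/openid-configuration"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "securitytenant","Authorization" ]
opendistro_security.cookie.secure: false
"""

LOCAL_HOST = re.compile(r"^https?://(localhost|127\.0\.0\.1)(:\d+)?/?$")

def parse_flat_yaml(text):
    """Minimal parser for flat `key: value` lines (no nesting, no PyYAML needed)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")       # first colon only: URLs keep theirs
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def check_kibana(settings, separate_es_pod=True):
    """Return a list of findings for the OpenID-relevant Kibana settings."""
    findings = []
    hosts = settings.get("elasticsearch.hosts", "")
    # In Kubernetes, localhost is the Kibana pod's own network namespace; with
    # Elasticsearch in another pod this yields exactly ECONNREFUSED 127.0.0.1:9200.
    if separate_es_pod and LOCAL_HOST.match(hosts):
        findings.append("elasticsearch.hosts: localhost resolves inside the Kibana pod; use the Elasticsearch service name")
    if settings.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("elasticsearch.ssl.verificationMode: none disables TLS certificate checks towards Elasticsearch")
    if settings.get("opendistro_security.auth.type") == "openid":
        if "Authorization" not in settings.get("elasticsearch.requestHeadersWhitelist", ""):
            findings.append("OpenID needs 'Authorization' in elasticsearch.requestHeadersWhitelist")
        if settings.get("opendistro_security.cookie.secure") == "false":
            findings.append("cookie.secure: false lets the OpenID session cookie travel over plain HTTP")
        url = settings.get("opendistro_security.openid.connect_url", "")
        if not url.endswith("/.well-known/openid-configuration"):
            findings.append("connect_url should be the OIDC discovery document URL")
    return findings

if __name__ == "__main__":
    for finding in check_kibana(parse_flat_yaml(KIBANA_YML)):
        print("-", finding)
```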