Hi,
I’m setting up OpenDistro for the first time. For now my goal is to configure ElasticSearch, the Security Plugin and Kibana and have these 3 components working together so I can use the Kibana UI.
What I want to have for authentication is the following:
- Client certificate authentication between ES cluster and Kibana SERVER
- Internal user database authentication between Kibana USER and ES cluster
The issue is that whatever username/password I input in Kibana (even completely random/wrong credentials), it will log me in as the Kibana SERVER user (the certificate common name is shown as the logged-in user name in the Kibana UI) instead of the user with the username/password I typed.
So basically anyone can type any username/password and they get logged in to Kibana as the Kibana server… weird, and of course very insecure (there is basically no username/password as any username/password combination works).
How can I achieve the authentication settings I described above?
Here’s my config.yml for the Security Plugin:
```yaml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      multitenancy_enabled: false
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates (for Kibana Server)"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
```
And here’s my kibana.yml:
```yaml
server.name: test-logs-kibana
server.host: 0.0.0.0
server.port: 5601
elasticsearch.hosts:
  - https://es1.test-logs.example.com:9200
# Use client certificate authentication to authenticate to the ElasticSearch cluster
elasticsearch.ssl.alwaysPresentCertificate: true
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.cert.pem"]
elasticsearch.ssl.certificate: /etc/kibana/certs/kb1.cert.pem
elasticsearch.ssl.key: /etc/kibana/certs/kb1.key.pem
# Use SSL for serving Kibana to clients
server.ssl.enabled: true
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.cert.pem"]
server.ssl.certificate: /etc/kibana/certs/front.cert.pem
server.ssl.key: /etc/kibana/certs/front.key.pem
opendistro_security.multitenancy.enabled: false
```
Regards,
Guillaume.
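The following is an added example, not part of the original post and not the Security Plugin's code: a simplified model of trying the two `authc` domains from the config.yml above in ascending `order`, to show how a request can fall through from the basic domain to the client-certificate domain. Assumptions: the function names, the sample user database and the CN `kb1` are constructed, and the model assumes Kibana presents its client certificate on every request because of `elasticsearch.ssl.alwaysPresentCertificate: true`.

```python
# Simplified model (an assumption, not the Security Plugin's code) of trying
# authc domains in ascending `order` until one of them authenticates a request.

INTERNAL_USERS = {"alice": "correct-horse"}  # constructed sample user database

# The two domains from the posted config.yml, reduced to the fields that matter.
DOMAINS = [
    {"name": "basic_internal_auth_domain", "order": 1,
     "authenticator": "basic", "backend": "internal"},
    {"name": "clientcert_auth_domain", "order": 2,
     "authenticator": "clientcert", "backend": "noop"},
]

def extract_credentials(authenticator, request):
    """Return (username, password) found by this authenticator, or None."""
    if authenticator == "basic":
        return request.get("basic")               # from the Authorization header
    if authenticator == "clientcert":
        cn = request.get("client_cert_cn")        # username_attribute: cn
        return (cn, None) if cn else None
    return None

def backend_accepts(backend, creds):
    """internal checks the password; noop accepts whatever was extracted."""
    if backend == "internal":
        user, password = creds
        return user in INTERNAL_USERS and INTERNAL_USERS[user] == password
    return backend == "noop"

def authenticate(request, domains=DOMAINS):
    """Return (username, domain name) of the first domain that succeeds."""
    for d in sorted(domains, key=lambda d: d["order"]):
        creds = extract_credentials(d["authenticator"], request)
        if creds and backend_accepts(d["backend"], creds):
            return creds[0], d["name"]
    return None, None

def kibana_request(user, password, presents_cert=True):
    """Request as Elasticsearch sees it: the browser user's Basic credentials
    forwarded over the Kibana server's own TLS connection."""
    req = {"basic": (user, password)}
    if presents_cert:
        req["client_cert_cn"] = "kb1"             # constructed CN for kb1.cert.pem
    return req

if __name__ == "__main__":
    for user, pw in [("alice", "correct-horse"), ("random", "wrong")]:
        print(user, "->", authenticate(kibana_request(user, pw)))
```

In this model a valid login resolves through the basic domain, a wrong login resolves to the certificate CN through the second domain, and the same wrong login is rejected when no client certificate accompanies the request.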