Kibana Server authentication overrides Kibana USER authentication

Hi,

I’m setting up OpenDistro for the first time. For now my goal is to configure Elasticsearch, the Security Plugin and Kibana and have these 3 components working together so I can use the Kibana UI.

What I want to have for authentication is the following:

  • Client certificate authentication between ES cluster and Kibana SERVER
  • Internal user database authentication between Kibana USER and ES cluster

The issue is that whatever username/password I input in Kibana (even completely random/wrong credentials), it will log me in as the Kibana SERVER user (the certificate common name is shown as the logged in user name in the Kibana UI) instead of the user with the username/password I typed.

So basically anyone can type any username/password and they get logged in Kibana as the Kibana server… weird, and of course very insecure (there is basically no username/password as any username/password combination works).

How can I achieve the authentication settings I described above?

Here’s my config.yml for the Security Plugin:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    kibana:
      multitenancy_enabled: false
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates (for Kibana Server)"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop

And here’s my kibana.yml:

server.name: test-logs-kibana
server.host: 0.0.0.0
server.port: 5601

elasticsearch.hosts:
  - https://es1.test-logs.example.com:9200

# Use client certificate authentication to authenticate to the ElasticSearch cluster
elasticsearch.ssl.alwaysPresentCertificate: true
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.cert.pem"]
elasticsearch.ssl.certificate: /etc/kibana/certs/kb1.cert.pem
elasticsearch.ssl.key: /etc/kibana/certs/kb1.key.pem

# Use SSL for serving Kibana to clients
server.ssl.enabled: true
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.cert.pem"]
server.ssl.certificate: /etc/kibana/certs/front.cert.pem
server.ssl.key: /etc/kibana/certs/front.key.pem

opendistro_security.multitenancy.enabled: false

Regards,

Guillaume.

Hi @GuiTeK, I just ran a test with 1.13.2 and it works as expected: the users get authenticated and are granted the relevant privileges. The only difference that I could see is that in the config.yml file the challenge flag needs to be set to false, otherwise it doesn’t proceed to the cert authentication.

What version of odfe are you using?

Hi @Anthony, thank you for your answer.

I tried to set challenge to false, but it still behaves the same. I completely destroyed & re-created the test environment (I use Chef with Kitchen) to make sure everything was in a clean state.

I can still enter random credentials and I get logged in as the Kibana Server. Did you also try with random credentials to see if you get logged in?

I’m using:

Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
ODFE package (dpkg -s): 1.13.2-1
Kibana package (dpkg -s): 1.13.2

I use the installation method described here:

If you don’t find the difference, could you upload (or copy/paste) all the relevant configuration files so I can look for the difference myself?

Sorry @GuiTeK, I tried now with random creds and I’m seeing the exact behaviour you described. There doesn’t seem to be a way around it. You might want to submit a bug for this.

Exact same behaviour here too; you must switch the elasticsearch.ssl.alwaysPresentCertificate parameter to false.

As @acamilleri mentioned, elasticsearch.ssl.alwaysPresentCertificate: true is a strange configuration to have with the security plugin installed. For anyone that comes across this state, I have put more detail on issue #785, as it was also filed on the security GitHub.
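To make the failure mode in this thread concrete, here is an added illustration (my own simplified model, not Open Distro Security's code) of how an ordered authc domain chain like the one in the config.yml above resolves a request. It assumes that domains are tried in ascending `order`, that a domain whose authenticator finds no credentials is skipped unless it has `challenge: true` (then the client gets a 401 and the chain stops), and that a `noop` backend accepts whatever the authenticator extracted; the internal user entry is constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample internal user database (username -> password).
INTERNAL_USERS = {"guillaume": "correct-horse"}


@dataclass
class Request:
    basic: Optional[Tuple[str, str]] = None   # (user, password) from an Authorization header
    client_cert_cn: Optional[str] = None      # CN of a TLS client certificate, if one was presented


@dataclass
class Domain:
    name: str
    order: int
    authenticator: str    # "basic" or "clientcert"
    backend: str          # "internal" or "noop"
    challenge: bool = False


def extract(domain: Domain, req: Request):
    """Mimic the http_authenticator: pull credentials out of the request, or None."""
    if domain.authenticator == "basic":
        return req.basic
    if domain.authenticator == "clientcert":
        return (req.client_cert_cn, None) if req.client_cert_cn else None
    return None


def backend_accepts(domain: Domain, creds) -> bool:
    """Mimic the authentication_backend: noop trusts the (TLS-verified) cert, internal checks the DB."""
    if domain.backend == "noop":
        return True
    user, password = creds
    return INTERNAL_USERS.get(user) == password


def authenticate(domains, req: Request) -> Optional[str]:
    """Return the authenticated user name, '401' if a challenge was sent, or None if rejected."""
    for d in sorted(domains, key=lambda d: d.order):
        creds = extract(d, req)
        if creds is None:
            if d.challenge:
                return "401"          # basic with challenge: true stops the chain here
            continue
        if backend_accepts(d, creds):
            return creds[0]           # first accepting domain wins; later ones are never consulted
    return None                       # no domain accepted the request


# The chain from the thread's config.yml, with challenge set to false as suggested in the replies.
CHAIN = [Domain("basic_internal_auth_domain", 1, "basic", "internal"),
         Domain("clientcert_auth_domain", 2, "clientcert", "noop")]
```

With alwaysPresentCertificate: true, the Kibana server's certificate rides along with the user's (wrong) Basic credentials, so the basic domain fails and the clientcert domain accepts the request as the certificate CN; without the certificate, the wrong password is simply rejected.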