Multiple authenticator domains in opendistro v1.2.0 fails for Kibana


I am seeing a weird behavior while using multiple authenticators: clientcert_auth_domain and basic_internal_auth_domain. No matter what user credentials are used in Kibana, post-authentication the user is always assumed to be kibanaserver (whichever user appears in the CN of the certificate). In fact there is no authentication here: even if the credentials are wrong, the request is authenticated and the user is assumed to be kibanaserver.

Below is the way I configured the authenticators:

  1. clientcert_auth_domain at order 2 with "challenge: false", "http_enabled: true", "transport_enabled: true", "authentication_backend.type: noop"
  2. basic_internal_auth_domain at order 4 with "challenge: true", "http_enabled: true", "transport_enabled: true", "authentication_backend.type: intern"
  3. A role is created with all available CN values in the environment in users: [], which does not include the kibanaserver role. The role has permission to create and index documents.

All other authenticators are disabled. I have several services indexing into Elasticsearch, including metricbeat-oss; all of these services are configured to use a certificate (no username/password credentials).

RPM versions:

  1. opendistroforelasticsearch-1.2.0-1.noarch
  2. opendistroforelasticsearch-kibana-1.2.0-1.x86_64
  3. opendistro-security-
  4. Metricbeat OSS: metricbeat-7.2.1-1.x86_64
  5. Kibana: opendistroforelasticsearch-kibana-1.2.0-1.x86_64

The requirement is to have both basic authentication and TLS certificate authentication enabled.

Any help is much appreciated. I can post the entire configuration file; maybe I am missing some properties to set.

Ratheesh Nair
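Added here as an illustration, not taken from the post or from the Open Distro project: the authc section the post describes, followed by a kibana.yml in which Kibana presents its own client certificate (the situation the "always kibanaserver" symptom points to) and one in which Kibana authenticates to Elasticsearch with basic credentials instead. Because domains are tried in ascending order and the first one whose backend accepts the extracted credentials decides the user, a peer certificate with CN=kibanaserver on Kibana's connection satisfies the clientcert domain at order 2 before the basic domain at order 4 ever sees the forwarded Authorization header. Host names, file paths and the password are placeholders.

```yaml
# --- plugins/opendistro_security/securityconfig/config.yml (authc section) ---
# Reconstructed from the post: clientcert at order 2, basic at order 4.
# Domains are tried in ascending order; the first one that can extract
# credentials and whose backend accepts them decides the user.
config:
  dynamic:
    authc:
      clientcert_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 2                     # tried BEFORE basic
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn   # user name = CN of the peer certificate
          challenge: false
        authentication_backend:
          type: noop                 # any trusted client cert is accepted as-is
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 4                     # never reached when a peer cert is present
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

# --- kibana.yml, weak: Kibana presents its own client certificate ---
# Every request Kibana proxies to Elasticsearch rides on a TLS connection
# whose peer certificate is CN=kibanaserver, so the clientcert domain wins
# and the forwarded Authorization header (the Kibana user's password) is
# never checked. Paths are placeholders.
elasticsearch.hosts: https://es.example.internal:9200
elasticsearch.ssl.certificate: /etc/kibana/kibanaserver.pem     # CN=kibanaserver
elasticsearch.ssl.key: /etc/kibana/kibanaserver-key.pem
elasticsearch.ssl.certificateAuthorities: [/etc/kibana/root-ca.pem]

# --- kibana.yml, corrected: Kibana authenticates with basic credentials ---
# With no peer certificate the clientcert domain extracts nothing and falls
# through, so the basic domain (order 4) validates each user's credentials
# against the internal users database. Beats keep using their certificates.
elasticsearch.hosts: https://es.example.internal:9200
elasticsearch.username: kibanaserver
elasticsearch.password: <kibanaserver-password-placeholder>
elasticsearch.ssl.certificateAuthorities: [/etc/kibana/root-ca.pem]
```

To confirm which domain authenticated a request, call GET _opendistro/_security/authinfo directly against Elasticsearch once with a client certificate and once with only basic credentials; the user_name in the reply shows which domain won.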

Hello @ratheesh.nair

Have you found a solution to your issue?