Nginx proxy_auth setup


#1

Hi, I’m quite confused about adding nginx authentication in readonlyrest. I’m trying to allow users to sign into Kibana with gmail accounts and assign READ/WRITE access rules to different user groups, which should be achieved by ReadonlyRest at Elasticsearch level. I used oauth2_proxy with nginx to sign in with Google, and installed ReadonlyRest on Elasticsearch. But all calls to ES are forbidden. I’m not sure what is wrong. Could you take a look at my configurations? Any help will be appreciated!

Kibana.yml

# load kibana server
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

# forward authentication from proxy server to elasticsearch
elasticsearch.requestHeadersWhitelist: [ exlog-security, authorization ]

I tried two configurations for ReadonlyRest, but both failed with similar errors:

Error Log in Elasticsearch:

FORBIDDEN by default req={ ID:2076378645-891330992#166, TYP:SearchRequest, CGR:N/A, USR:nginx(?), BRS:false, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:POST, PTH:/.kibana/_search?size=1000&from=0, CNT:<OMITTED, LENGTH=245>, HDR:{authorization=<OMITTED>, exlog-security=aliu, Connection=keep-alive, content-type=application/json, Host=localhost:9200, Content-Length=245}, HIS:[::KIBANA-SERVER::->[auth_key->false]], [::VIEWER::->[proxy_auth->false]], [::ADMIN::->[groups->false]] }

It captures exlog-security=aliu, which is passed by nginx, in HDR, but fails to find a match in the ACL.

First Config I tried:

readonlyrest:
    enabled: true
    response_if_req_forbidden: Sorry, request is forbidden.
    prompt_for_basic_auth: false
    access_control_rules:

    - name: "::KIBANA-SERVER::"
      auth_key: kibana:kibana
      verbosity: error

    - name: "::VIEWER::"
      type: allow
      # No user group here: proxy_auth matches the username directly
      proxy_auth: ["aliu"]
      actions: ["indices:data/read/*"]
      indices: [".kiban*", "logstash-*"]

    - name: "::ADMIN::"
      kibana_access: rw
      actions: ["indices:data/*"]
      # trying to assign all accesses to admin group
      indices: ["*"]
      # NOTE: a groups rule can only match users declared in a users: section
      # with their group membership; this config has no users: section
      groups: ["admin"]

Second Config:

readonlyrest:
    enabled: true
    response_if_req_forbidden: Sorry, request is forbidden.
    prompt_for_basic_auth: false
    access_control_rules:

    - name: "::KIBANA-SERVER::"
      auth_key: kibana:kibana
      verbosity: error

    - name: "::VIEWER::"
      type: allow
      # the rule is "groups" (plural); "group" is not a valid rule name
      groups: ["viewer"]
      actions: ["indices:data/read/*"]
      indices: [".kibana", "logstash-*"]

    - name: "::ADMIN::"
      kibana_access: rw
      actions: ["indices:data/*"]
      indices: ["*"]
      groups: ["admin"]

    # group membership used by the groups rules above; each user is
    # authenticated by its own proxy_auth rule
    users:
    - username: aliu
      proxy_auth: ["*"]
      groups: ["viewer"]

    - username: test
      proxy_auth: ["*"]
      groups: ["admin"]

My understanding is that when a user logs in with Gmail, the username is passed through Kibana to ES, and ReadonlyRest then matches the username to the corresponding user group; in this case "aliu" is matched with the "viewer" group and the user should be granted the rule for "::VIEWER::".
Is my understanding correct? I’m confused why ReadonlyRest can’t find a matching block in ACL.


#2

Just found out that proxy_auth extracts the user from "X-Forwarded-User", which means I shouldn't rename this header (in my case, to "exlog-security").
After changing configuration in nginx, I am able to log in now.
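The following is an added example, not ReadonlyREST's own code and not part of either post above. It is a small model of how an ACL like the second config in post #1 is evaluated, blocks in order and first full match wins, with the proxy_auth rule reading the user name from the X-Forwarded-User header as post #2 found. It only models the three rules the posts use (auth_key, proxy_auth, groups) and corrects the "group:" typo to "groups:". The request headers are constructed; the Bearer token value is a placeholder standing in for whatever non-matching Authorization header the forbidden request carried.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Header name the proxy_auth rule reads the user from (the fix in post #2).
PROXY_USER_HEADER = "x-forwarded-user"

# Model of the second config from the post ("group:" corrected to "groups:").
ACL = {
    "access_control_rules": [
        {"name": "::KIBANA-SERVER::", "auth_key": "kibana:kibana"},
        {"name": "::VIEWER::", "groups": ["viewer"]},
        {"name": "::ADMIN::", "groups": ["admin"]},
    ],
    "users": [
        {"username": "aliu", "proxy_auth": ["*"], "groups": ["viewer"]},
        {"username": "test", "proxy_auth": ["*"], "groups": ["admin"]},
    ],
}

Headers = Dict[str, str]


def _lower(headers: Headers) -> Headers:
    # HTTP header names are case-insensitive; normalise once.
    return {k.lower(): v for k, v in headers.items()}


def proxy_user(headers: Headers) -> Optional[str]:
    # A header with any other name (e.g. exlog-security) is simply not seen.
    return _lower(headers).get(PROXY_USER_HEADER)


def rule_auth_key(block: dict, headers: Headers) -> bool:
    # auth_key: the Authorization header must carry exactly user:password.
    scheme, _, token = _lower(headers).get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        creds = base64.b64decode(token).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return creds == block["auth_key"]


def rule_proxy_auth(entry: dict, headers: Headers) -> bool:
    # proxy_auth: trust the upstream proxy's user header, filtered by a list.
    user = proxy_user(headers)
    if user is None:
        return False
    allowed = entry["proxy_auth"]
    return "*" in allowed or user in allowed


def rule_groups(block: dict, headers: Headers, users: List[dict]) -> bool:
    # groups: resolve the proxy user through the users: section, authenticate
    # with that entry's own proxy_auth rule, then intersect group lists.
    user = proxy_user(headers)
    if user is None:
        return False
    for entry in users:
        if entry["username"] != user or not rule_proxy_auth(entry, headers):
            continue
        if set(entry["groups"]) & set(block["groups"]):
            return True
    return False


def evaluate(acl: dict, headers: Headers) -> Tuple[Optional[str], list]:
    # Returns the name of the first block whose rules all pass (or None),
    # plus a per-block history in the style of the HIS field in the ES log.
    history = []
    for block in acl["access_control_rules"]:
        results = []
        if "auth_key" in block:
            results.append(("auth_key", rule_auth_key(block, headers)))
        if "proxy_auth" in block:
            results.append(("proxy_auth", rule_proxy_auth(block, headers)))
        if "groups" in block:
            results.append(("groups", rule_groups(block, headers, acl["users"])))
        history.append((block["name"], results))
        if results and all(ok for _, ok in results):
            return block["name"], history
    return None, history


def format_history(history) -> str:
    return ", ".join(
        "[%s->[%s]]" % (name, ", ".join("%s->%s" % (r, str(ok).lower()) for r, ok in rules))
        for name, rules in history
    )


# Constructed headers. RENAMED mirrors the forbidden request in post #1.
RENAMED = {"Authorization": "Bearer constructed-token", "exlog-security": "aliu", "Host": "localhost:9200"}
FIXED_VIEWER = {"Authorization": "Bearer constructed-token", "X-Forwarded-User": "aliu"}
FIXED_ADMIN = {"X-Forwarded-User": "test"}
KIBANA_SERVER = {"Authorization": "Basic " + base64.b64encode(b"kibana:kibana").decode()}

if __name__ == "__main__":
    for label, h in [("renamed", RENAMED), ("viewer", FIXED_VIEWER),
                     ("admin", FIXED_ADMIN), ("kibana", KIBANA_SERVER)]:
        block, hist = evaluate(ACL, h)
        print("%-8s -> %-16s HIS:[%s]" % (label, block or "FORBIDDEN", format_history(hist)))
```

With the renamed header every block fails and the history reads like the FORBIDDEN line in post #1; with the same value in X-Forwarded-User the VIEWER block matches. In nginx the header name is set by the `proxy_set_header` directive, so the fix is to keep the name X-Forwarded-User there, and since Kibana only forwards the headers listed in `elasticsearch.requestHeadersWhitelist`, that list needs x-forwarded-user in place of exlog-security.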