Proxy auth in 6.7.1

Hello,

I’m trying to upgrade from ELK 6.4.2 (ROR 1.16.28) to 6.7.1 (ROR 1.18.0). Everything works fine in the 6.4.2 multi-tenant configuration with a proxy_auth configuration and nginx for authentication. Now in 6.7.1, I get ‘too many redirections’ in my browser when I try to access Kibana, even though I see ALLOWED in the Elasticsearch logs for my requests.

readonlyrest.yml:

  - indices:
    - .kibana_foo
    kibana_access: admin
    kibana_index: .kibana_foo
    name: '::foo_admin::'
    proxy_auth:
      users:
      - john.foo
    verbosity: info
  - actions:
    - indices:data/read/*
    - indices:data/write/*
    - indices:admin/template/*
    - indices:admin/create
    - cluster:*
    indices:
    - indice1
    - indice2
    - .kibana_foo
    name: '::foo_admin_john_actions::'
    proxy_auth:
      users:
      - john.foo
    verbosity: info

Logfile:

[2019-05-29T14:07:41,645][INFO ][t.b.r.a.l.AclLoggingDecorator] [host] ALLOWED by { name: ‘::foo_admin_john::’, policy: ALLOW, rules: [proxy_auth,kibana_access,indices,kibana_index] req={ ID:1424692030–1674813434#10770, TYP:SearchRequest, CGR:N/A, USR:john.foo, BRS:false, KDX:.kibana_foo, ACT:indices:data/read/search, OA:172.17.0.3/32, XFF:null, DA:192.168.98.100/32, IDX:<N/A>, MET:POST, PTH:/.kibana_foo/_search?size=1000&from=0&rest_total_hits_as_int=true, CNT:<OMITTED, LENGTH=257.0 B> , HDR:Connection=keep-alive, Content-Length=257, Host:9200=elk.com, content-type=application/json, x-forwarded-user=john.foo, HIS:[john_internal->[hosts->false]], [localhost->[hosts->false]], [::KIBANA-SRV::->[auth_key->false]], [::other_policy::->[auth_key->false]], [legacy->[proxy_auth->false]], [::foo_admin_john::->[proxy_auth->true, kibana_access->true, indices->true, kibana_index->true]] }

Also, I had to change

proxy_auth: john

to:

proxy_auth:
  users:
  - john.foo

Otherwise I got a parsing error at Elasticsearch startup.

Does proxy auth authentication still work in 6.7.1?

Thank you

Yes, it is supposed to work in 6.7.1 too. We’ll see why it’s not.
There might be differences in behaviour between the plugin builds before and after 6.6.0. That’s because they are handled in different git branches.

The internal fork happened because Kibana team made a radical change of libraries in the backend and we had to rewrite most of the plugin to adapt to it.

I guess events like these bring a ton of value to our product when it comes to the classic decision maker dilemma about “is it best to buy or make your own authentication Kibana plugin?”.

Anyway, we are going to check this.

Do you have “readonlyrest_kbn.proxy_auth_passthrough: true” in kibana.yml?

Yes. Here is an extract of my kibana.yml

elasticsearch.username: kibana_usr
elasticsearch.password: kibana_pwd
readonlyrest_kbn.proxy_auth_passthrough: true
elasticsearch.requestHeadersWhitelist: [authorization, x-forwarded-user]
elasticsearch.requestTimeout: 90000
xpack.security.enabled: false
xpack.monitoring.enabled: false
xpack.xpack_main.telemetry.enabled: false

Hello Simone,

Have you been able to reproduce this issue?

Thank you.

At the moment looking at a very similar issue, will tidy this up and revert back to you.

Hello Simone,

Do you have an idea when you will publish a release with a patch for this issue?

Thank you.

We are going to have some progress on this during this week. Sorry for the wait.

Hi @FredericBallot, I tested this with the latest 1.18.1 and ES/KBN versions 7.1.1 and 6.7.1 and it works.
I attach an archive with all configuration files and the docker/makefile to reproduce it.

$ tar xzvf es-all-in-one.tar.gz
$ make run

es-all-in-one.tar.gz (9.4 KB)

FYI, the settings used:

$ cat es-all-in-one/config/kibana/kibana.yml | egrep -v "^#|^$"
server.host: 0.0.0.0
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
xpack.security.enabled: false
readonlyrest_kbn.proxy_auth_passthrough: true


$ cat es-all-in-one/config/elasticsearch/elasticsearch.yml | egrep -v "^#|^$"
node.name: n1_it
cluster.name: es-all-in-one
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: _local_,_site_
xpack.security.enabled: false

readonlyrest.yml

$ cat es-all-in-one/config/elasticsearch/readonlyrest.yml | egrep -v "^#|^$"
readonlyrest:
  # IMPORTANT FOR LOGIN/LOGOUT TO WORK
  prompt_for_basic_auth: false
  access_control_rules:
  # kibana:kibana
  - name: "::KIBANA::"
    auth_key_sha256: "ab8aa94dd63debfa31ef8a9eae9582dcb252c06cdb6313e123546cc8edfeaf3e"
    verbosity: error
  - name: "Admin"
    groups: ["useradmin"]
    kibana_access: admin
    kibana_index: ".kibana_useradmin"
    verbosity: error
  - name: "Proxyauth"
    kibana_access: admin
    kibana_index: ".kibana_useradmin"
    verbosity: error
    proxy_auth:
      users: ["*"]
      proxy_auth_config: px1
  proxy_auth_configs:
  - name: "px1"
    user_id_header: "x-forwarded-user"

  users:
  # admin:admin
  - username: admin
    auth_key_sha256: "8da193366e1554c08b2870c50f737b9587c3372b656151c4a96028af26f51334"
    groups: ["useradmin"]

And to simulate the proxy, I wrote a node.js proxy program that injected a header to each request:
i.e.

  req.headers['x-forwarded-user'] = 'proxyUser'

hey @FredericBallot any news on this? All good?

Hello @sscarduzio, sorry for the late reply. Everything works fine with 1.18.1 and the configuration you provided. Also, I had to export all my Kibana 6.4.2 objects and reimport them in 6.7.1 to avoid the ‘too many redirections’ problem due to the space selector feature.

Thank you.


Oh great! Thanks for reporting on this.

You know, as a ROR Enterprise user, I’d rather disable the spaces feature entirely (in kibana.yml xpack.spaces.enabled: false), as the concept of ROR tenancies greatly supersedes the concept of kibana “space”.

Not sure if anyone else has the same feeling.
What do you think?

I missed this parameter when reading the documentation, but this is definitely the best solution to avoid spaces problems. Thanks for the tip!
