Proxy auth in 6.7.1


I’m trying to upgrade from elk 6.4.2 (ror 1.16.28) to 6.7.1 (ror 1.18.0). Everything works fine in 6.4.2 multi-tenant configuration with a proxy_auth configuration and nginx for authentication. Now in 6.7.1, i have ‘too many redirection’ in my browser when i’m trying to access kibana even if i see ALLOWED in elasticsearch logs for my requests.


 - indices:
     - .kibana_foo
     kibana_access: admin
     kibana_index: .kibana_foo
     name: '::foo_admin::'
     verbosity: info
   - actions:
     - indices:data/read/*
     - indices:data/write/*
     - indices:admin/template/*
     - indices:admin/create
     - cluster:*
     - indice1
     - indice2
     - .kibana_foo
     name: '::foo_admin_john_actions::'
     verbosity: info


[2019-05-29T14:07:41,645][INFO ][t.b.r.a.l.AclLoggingDecorator] [host] ALLOWED by { name: ‘::foo_admin_john::’, policy: ALLOW, rules: [proxy_auth,kibana_access,indices,kibana_index] req={ ID:14
24692030–1674813434#10770, TYP:SearchRequest, CGR:N/A,, BRS:false, KDX:.kibana_foo, ACT:indices:data/read/search, OA:, XFF:null, DA:, IDX:<N/A>, ME
T:POST, PTH:/.kibana_foo/_search?size=1000&from=0&rest_total_hits_as_int=true, CNT:<OMITTED, LENGTH=257.0 B> , HDR:Connection=keep-alive, Content-Length=257,, content-type
=application/json,, HIS:[john_internal->[hosts->false]], [localhost->[hosts->false]], [::KIBANA-SRV::->[auth_key->false]], [::other_policy::->[auth_key->false]], [legacy->[proxy_aut
h->false]], [::foo_admin_john::->[proxy_auth->true, kibana_access->true, indices->true, kibana_index->true]] }

Also i had to change

‘proxy_auth: john’




Otherwise i had a parsing error at elasticsearch startup.

Is proxy auth authentication still work in 6.7.1 ?

Thank you

Yes, it is supposed to work in 6.7.1 too. We’ll see why it’s not.
There might be differences in behaviour between between the plugin builds before and after 6.6.0. That’s because they are handled in different git branches.

The internal fork happened because Kibana team made a radical change of libraries in the backend and we had to rewrite most of the plugin to adapt to it.

I guess events like these bring a ton of value to our product when it comes to the classic decision maker dilemma about “is it best to buy or make your own authentication Kibana plugin?”.

Anyway, we are going to check this.

Do you have “readonlyrest_kbn.proxy_auth_passthrough: true” in kibana.yml?

Yes. Here is an extract of my kibana.yml

elasticsearch.username: kibana_usr
elasticsearch.password: kibana_pwd
readonlyrest_kbn.proxy_auth_passthrough: true
elasticsearch.requestHeadersWhitelist: [authorization, x-forwarded-user]
elasticsearch.requestTimeout: 90000 false
xpack.monitoring.enabled: false
xpack.xpack_main.telemetry.enabled: false

Hello Simone,

Have you been able to reproduce this issue ?

Thank you.

At the moment looking at a very similar issue, will tidy this up and revert back to you.

Hello Simone,

Do you have an idea when you will publish a release with a patch for this issue ?

Thank you.

We are going to have some progress on this during this week. Sorry for the wait.

Hi @FredericBallot, I tested this with the latest 1.18.1 and ES/KBN versions 7.1.1 and 6.7.1 and it works.
I attach an archive with all configuration files and the docker/makefile to reproduce it.

$ tar xzvf es-all-in-one.tar.gz
$ make run

es-all-in-one.tar.gz (9.4 KB)

FYI, the settings used:

$ cat es-all-in-one/config/kibana/kibana.yml | egrep -v "^#|^$"
elasticsearch.username: "kibana"
elasticsearch.password: "kibana" false
readonlyrest_kbn.proxy_auth_passthrough: true

$ cat es-all-in-one/config/elasticsearch/elasticsearch.yml | egrep -v "^#|^$" n1_it es-all-in-one /var/lib/elasticsearch
path.logs: /var/log/elasticsearch _local_,_site_ false


 $ cat es-all-in-one/config/elasticsearch/readonlyrest.yml | egrep -v "^#|^$"
  prompt_for_basic_auth: false
  # kibana:kibana
  - name: "::KIBANA::"
    auth_key_sha256: "ab8aa94dd63debfa31ef8a9eae9582dcb252c06cdb6313e123546cc8edfeaf3e"
    verbosity: error
  - name: "Admin"
    groups: ["useradmin"]
    kibana_access: admin
    kibana_index: ".kibana_useradmin"
    verbosity: error
  - name: "Proxyauth"
    kibana_access: admin
    kibana_index: ".kibana_useradmin"
    verbosity: error
      users: ["*"]
      proxy_auth_config: px1
  - name: "px1"
    user_id_header: "x-forwarded-user"

  # admin:admin
  - username: admin
    auth_key_sha256: "8da193366e1554c08b2870c50f737b9587c3372b656151c4a96028af26f51334"
    groups: ["useradmin"]

And to simulate the proxy, I wrote a node.js proxy program that injected a header to each request:

  req.headers['x-forwarded-user'] = 'proxyUser'

hey @FredericBallot any news on this? All good?

Hello @sscarduzio, sorry for the late reply. Everything works fine with 1.18.1 and the configuration you provided. Also, i had to export all my kibana 6.4.2 objects and reimport them in 6.7.1 to avoid the ‘too many redirections’ problem due to the space selector feature.

Thank you.

1 Like

Oh great! Thanks for reporting on this.

You know, as a ROR Enterprise user, I’d rather disable the spaces feature entirely (in kibana.yml xpack.spaces.enabled: false), as the concept of ROR tenancies greatly supersedes the concept of kibana “space”.

Not sure if anyone else has the same feeling.
What do you think?

I missed this parameter when reading the documentation but this is definitively the best solution to avoid spaces problems. Thanks for the tip !

1 Like