Proxy auth in KB Enterprise 1.19.4

Diana · May 7, 2020, 4:27pm

Hello,

We are trying to update our kibana and elasticsearch ROR from v.1.18.9 Enterprise to the latest version and we are having an issue with proxy auth. The configuration is the following:

readonlyrest:
  prompt_for_basic_auth: false
  audit_collector: true
  access_control_rules:
    - name: "Kibana Server"
      groups: ["kibana-srv"]
    - name: "Full Admin Users"
      groups: ["full-admin"]
    - name: "Forbidden for .readonlyrest index"
      groups: ["client_admin"]
      type: "forbid"
      indices: [".readonlyrest"]
      methods: ["PUT", "POST"]
    - name: "Client Admin Group Kibana"
      groups: ["client_admin"]
      indices: ["*"]
      kibana_access: "admin"
      kibana_hide_apps: ["readonlyrest_kbn"]
    - name: "Client Group"
      groups: ["client_admin"]
    - name: "Data Group Kibana"
      groups: ["data_injection"]
      indices: ["*"]
      kibana_access: "admin"
      kibana_hide_apps: ["readonlyrest_kbn"]
    - name: "Data Group"
      groups: ["data_injection"]
      indices: ["metricbeat*", "<metricbeat*"]
      actions:
        [
          "indices:data/write/*",
          "cluster:admin/ilm/*",
          "indices:admin/create",
          "indices:admin/template/put",
        ]
  proxy_auth_configs:
    - name: "px1"
      user_id_header: "x-forwarded-user"
  users:
    - username: "fulladmin"
      groups: ["full-admin"]
      auth_key: "fulladmin:password"
    - username: "sspo"
      groups: ["full-admin"]
      auth_key_sha256: "c71f47001de759c2c773d89ea49f409393b61e2e895decd47615709dde3a8d14"
    - username: "clientadmin"
      groups: ["full-admin"]
      auth_key_sha256: "b17f9e5dfb1f21db76d5e40e314d4ee73da28a834947bfeee51d0703576ddb2a"
    - username: "data"
      groups: ["full-admin"]
      auth_key_sha256: "53d33013d97df7cd7c5671fff10e47ebc239e7ba6ae52f19216530fa05a57aaf"
    - username: "kibana"
      groups: ["full-admin"]
      auth_key_sha256: "daa9e71c597808bc332614169783695874b2d850d28868ea6b265d08ef60a944"
    - username: "monitoring"
      groups: ["data_injection"]
      auth_key: "monitoring:password"
    - username: "proxy_user_test"
      groups: ["client_admin"]
      proxy_auth:
        proxy_auth_config: "px1"
        users: ["proxy_user_test"]

If using ROR v.1.18.9 for both KB and ES this works just fine and the proxy auth user is able to login. If using ROR v 1.19.4 for ES and ROR v 1.18.9 for KB, this also work just fine. But, when using v 1.19.4 also for KB , the proxy auth user is not able to login anymore, and we’re receiving a 403 forbidden error. Can you support in investigating why the new KB plugin has this behaviour?
Thanks!

sscarduzio · May 8, 2020, 9:19am

expected <block end>, but found BlockEntry
 in 'reader', line 5, column 1:
    - name: "Kibana Server"
    ^

Your settings don’t even boot up, there’s a major indentation problem in all the file.

Diana · May 8, 2020, 9:35am

It was a copy-paste issue, i edited my original post with the correct indentation.

sscarduzio · May 8, 2020, 11:18am

just discovered it’s a bug in the new version of the Kibana plugin. Fixing now.

cristianr · May 12, 2020, 11:06am

Hello,
Any news regarding this bug ?

Many thanks in advance

sscarduzio · May 12, 2020, 11:09am

Yes it was tricky but now it’s fixed! We’re going to release today, max tomorrow. But I will give you a pre release so you can validate. Good call.