I’m setting up OpenDistro for the first time. For now my goal is to configure ElasticSearch, the Security Plugin and Kibana and have these 3 components working together so I can use the Kibana UI.
What I want to have for authentication is the following:
- Client certificate authentication between ES cluster and Kibana SERVER
- Internal user database authentication between Kibana USER and ES cluster
The issue is that whatever username/password I input in Kibana (even completely random/wrong credentials), it will log me in as the Kibana SERVER user (the certificate common name is shown as the logged-in user name in the Kibana UI) instead of the user with the username/password I typed.
So basically anyone can type any username/password and they get logged in to Kibana as the Kibana server… weird, and of course very insecure (there is basically no username/password as any username/password combination works).
How can I achieve the authentication settings I described above?
Here’s my config.yml for the Security Plugin:
```yaml
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    kibana:
      multitenancy_enabled: false
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates (for Kibana Server)"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
```
And here’s my kibana.yml:
```yaml
server.name: test-logs-kibana
server.host: 0.0.0.0
server.port: 5601
elasticsearch.hosts:
  - https://es1.test-logs.example.com:9200

# Use client certificate authentication to authenticate to the ElasticSearch cluster
elasticsearch.ssl.alwaysPresentCertificate: true
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.cert.pem"]
elasticsearch.ssl.certificate: /etc/kibana/certs/kb1.cert.pem
elasticsearch.ssl.key: /etc/kibana/certs/kb1.key.pem

# Use SSL for serving Kibana to clients
server.ssl.enabled: true
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.cert.pem"]
server.ssl.certificate: /etc/kibana/certs/front.cert.pem
server.ssl.key: /etc/kibana/certs/front.key.pem

opendistro_security.multitenancy.enabled: false
```
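
A simplified model of the symptom described above, as an added example that is not part of the original post and is not the Security Plugin's code. It assumes the plugin tries the HTTP-enabled `authc` domains in ascending `order` until one succeeds, and that Kibana presents its client certificate on every request to the cluster (`elasticsearch.ssl.alwaysPresentCertificate: true`). The user database, the certificate CN and all function names are constructed for illustration.

```python
# Simplified model of ordered authc-domain evaluation (assumption, not plugin code).
# The two entries mirror the domains in the config.yml above.
AUTHC = {
    "basic_internal_auth_domain": {"order": 1, "http_enabled": True,
                                   "authenticator": "basic", "backend": "internal"},
    "clientcert_auth_domain": {"order": 2, "http_enabled": True,
                               "authenticator": "clientcert", "backend": "noop"},
}

# Constructed internal user database (sample values, not from the post).
INTERNAL_USERS = {"alice": "correct-horse"}


def extract_credentials(authenticator, request):
    """Return (username, password) found by this authenticator, or None."""
    if authenticator == "basic" and request.get("basic"):
        return request["basic"]
    if authenticator == "clientcert" and request.get("client_cert_cn"):
        # username_attribute: cn -> the certificate CN becomes the user name
        return (request["client_cert_cn"], None)
    return None


def backend_accepts(backend, creds):
    """'internal' checks the password; 'noop' trusts what the authenticator found."""
    if backend == "noop":
        return True
    user, password = creds
    return user in INTERNAL_USERS and INTERNAL_USERS[user] == password


def resolve_user(request, authc=AUTHC):
    """Try HTTP-enabled domains in ascending order; the first success wins."""
    for name, dom in sorted(authc.items(), key=lambda kv: kv[1]["order"]):
        if not dom["http_enabled"]:
            continue
        creds = extract_credentials(dom["authenticator"], request)
        if creds and backend_accepts(dom["backend"], creds):
            return creds[0], name
    return None, None


if __name__ == "__main__":
    # Kibana forwards the typed credentials AND presents its own certificate.
    for basic in [("alice", "correct-horse"), ("random", "wrong")]:
        req = {"basic": basic, "client_cert_cn": "kb1.test-logs.example.com"}
        print(basic, "->", resolve_user(req))
```

In this model the wrong password is rejected by the basic domain, but the same request still carries the Kibana server certificate, so the `clientcert` domain with its `noop` backend accepts it under the certificate's CN. A request without a client certificate is rejected.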