Hi,
I am seeing a weird behavior while using multiple authenticators - clientcert_auth_domain and basic_internal_auth_domain. No matter what user credentials are used in Kibana, post authentication the user is always assumed as kibanaserver (whichever appears in CN of certificate), in fact there is no authentication here, even if the credentials are wrong the request is authenticated and user is assumed as kibanaserver.
Below is the way I configured authenticators
-
clientcert_auth_domainat order 2 with “challenge: false”, “http_enabled: true”, “transport_enabled: true”, “authentication_backend.type: noop” -
basic_internal_auth_domainat order 4 with “challenge: true”, “http_enabled: true”, “transport_enabled: true”, “authentication_backend.type: intern” - A role is created with all available
CNvalues in the environment intousers:[], this does not includekibanaserverrole. The role instance has permission to create and index documents.
All other authenticators are disabled. I have several services indexing onto elasticsearch including metricbeat-oss, all these services are configured to use certificate (no username/password credentials).
RPM Versions
- opendistroforelasticsearch-1.2.0-1.noarch
- opendistroforelasticsearch-kibana-1.2.0-1.x86_64
- opendistro-security-1.2.0.0-0.noarch
- Metricbeat OSS: metricbeat-7.2.1-1.x86_64
- Kibana: opendistroforelasticsearch-kibana-1.2.0-1.x86_64
The requirement is to have Basic Authentication and TLS Certificate authentication enabled
Any help is much appreciated, I can post the entire configuration file, may be I am missing some properties to set.
regards
Ratheesh Nair