I am seeing a weird behavior while using multiple authenticators - basic_internal_auth_domain. No matter what user credentials are used in Kibana, post authentication the user is always assumed as kibanaserver (whichever appears in CN of certificate), in fact there is no authentication here, even if the credentials are wrong the request is authenticated and user is assumed as
Below is the way I configured authenticators:
- clientcert_auth_domain at order 2 with “challenge: false”, “http_enabled: true”, “transport_enabled: true”, “authentication_backend.type: noop”
- basic_internal_auth_domain at order 4 with “challenge: true”, “http_enabled: true”, “transport_enabled: true”, “authentication_backend.type: intern”
- A role is created with all available CN values in the environment into users:, this does not include kibanaserver role. The role instance has permission to create and index documents.
All other authenticators are disabled. I have several services indexing onto elasticsearch including metricbeat-oss, all these services are configured to use certificate (no username/password credentials).
- Metricbeat OSS: metricbeat-7.2.1-1.x86_64
- Kibana: opendistroforelasticsearch-kibana-1.2.0-1.x86_64
The requirement is to have Basic Authentication and TLS Certificate authentication enabled
Any help is much appreciated. I can post the entire configuration file; maybe I am missing some properties to set.