OpenDistro Kibana Login Allowing any login

My Elasticsearch Security plugin seems to be working properly. It only allows users from my external LDAP, or my defined Admin, and it does proper password authorization.

The issue is with my Kibana Opendistro setup. I can type any username and password and it will always log me in as the credentials saved in my elasticsearch.yml file under
opendistro_security.authcz.admin_dn

Has anyone run into this issue before? Is this caused by some mismatch in my configuration files?

For anyone else that faces this:

I resolved this by swapping my
opendistro_security.authcz.admin_dn:
and
opendistro_security.nodes_dn:

fields in elasticsearch.yml and the corresponding certs. I think the issue was that the DN under admin_dn used to match my Elasticsearch URL.
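The mix-up resolved above can be checked for mechanically, since the security plugin treats a request made with a certificate whose DN is listed under admin_dn as a super-admin. This is an added example, not code from the original posts: it flags any admin_dn entry that equals, or is matched by a wildcard in, a nodes_dn entry. The sample DNs are constructed placeholders, and the minimal parser assumes block-style lists as in the elasticsearch.yml files posted in this thread.

```python
import fnmatch
import re

# Constructed samples with placeholder DNs (not taken from the thread).
SAMPLE_BAD = """\
opendistro_security.nodes_dn:
- "CN=es-node1.example.com,OU=Ops,O=Example,C=US"
opendistro_security.authcz.admin_dn:
- "cn=es-node1.example.com, ou=Ops, o=Example, c=US"
"""
SAMPLE_GOOD = """\
opendistro_security.nodes_dn:
- "CN=*.example.com,OU=Ops,O=Example,C=US"
opendistro_security.authcz.admin_dn:
- "CN=admin,OU=Ops,O=Example,C=US"
"""


def dn_list(yml_text, key):
    """Items of the block-style list under `key:` (minimal parser, no inline lists)."""
    items, inside = [], False
    for line in yml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- "):
            if inside:
                items.append(stripped[2:].strip().strip("'\""))
        elif stripped and not stripped.startswith("#"):
            inside = stripped == key + ":"   # any other key ends the list
    return items


def normalize(dn):
    """Lower-case and drop spaces around ',' and '=' so equal DNs compare equal."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())


def overlapping_dns(yml_text):
    """admin_dn entries that equal, or match a wildcard in, a nodes_dn entry."""
    nodes = [normalize(d) for d in dn_list(yml_text, "opendistro_security.nodes_dn")]
    admins = dn_list(yml_text, "opendistro_security.authcz.admin_dn")
    # nodes_dn wildcards are matched shell-style here, which is an approximation.
    return [a for a in admins
            if any(fnmatch.fnmatchcase(normalize(a), pat) for pat in nodes)]


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        hits = overlapping_dns(text)
        print(name, "->", "OVERLAP: " + "; ".join(hits) if hits else "ok")
```

An empty result means no admin DN doubles as a node DN; any entry returned should get its own dedicated admin certificate.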

Hi @misiakj,

I need some help configuring LDAP authentication for the Kibana UI, as I am not able to get it working.
Currently, I am logging in using the internal user database on the Kibana UI.

NOTE:
I have setup LDAP authentication for Opendistro ElasticSearch.
I have setup the same for Logstash.

What problem are you currently facing?
What does your current configuration look like?

  1. The problem is that I am unable to log in with LDAP user credentials.
  2. The configuration is as follows.
    KIBANA CONF:

cat kibana.yml

# Copyright <2019> Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

# Release Note:
# Default Kibana configuration for Open Distro.

# elasticsearch.url: https://exped03.ser01-dc.com:9200
elasticsearch.hosts: ["https://exped02.ser01-dc.com:9200"]
elasticsearch.ssl.certificateAuthorities: /etc/kibana/rootCA.crt
elasticsearch.ssl.verificationMode: full
elasticsearch.username: kibanaserver
elasticsearch.password: xxxxxxxxxxxxxxx
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

########### CUSTOM CONFIGS ##############

logging.dest: /var/log/kibana/kibana.stdout
# logging.verbose: true

# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: exped02.ser01-dc.com

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.crt
server.ssl.key: /etc/kibana/kibana.key
# server.ssl.redirectHttpFromPort: 5602

I see a couple of small differences between your kibana.yml and mine, but I doubt it’s the cause of the issue.
You have
elasticsearch.ssl.verificationMode: full
Vs. I have
elasticsearch.ssl.verificationMode: none
and you’re missing
opendistro_security.auth.type: "basicauth"

It seems likely/possible that your issue exists either in your elasticsearch.yml or your config.yml files.

In elasticsearch.yml do you have configs for both
opendistro_security.authcz.admin_dn:
and
opendistro_security.nodes_dn:
?

In config.yml have you set up your kibana: settings?

Finally, when you try to log in through Kibana do you see a specific error/unexpected functionality?
You said that LDAP login is working when you directly access the Elasticsearch cluster so I’ll assume that your LDAP configs are correct.

Issue resolved: I found there were no backend roles mapped to the user.

Hi @misiakj, I faced a similar problem and tried your solution (login with different credentials from an external IdP leads to login as the kibana user) and it didn’t work for me. Can you look at my configs and find what’s wrong?
config.yml:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    kibana:
      multitenancy_enabled: true
      server_username: kibana
      index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: fusionauth.xml
              entity_id: https://entityid-url
            sp:
              entity_id: https://kibana-url:5601/
            kibana_url: https://kibana-url:5601/
            roles_key: Role
            exchange_key: '123qwe'
        authentication_backend:
          type: noop

elasticsearch.yml:

opendistro_security.allow_unsafe_democertificates: true
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.pemkey_filepath: openssl-certs/node-key.pem
opendistro_security.ssl.transport.pemcert_filepath: openssl-certs/node.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: openssl-certs/root-ca.pem
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemkey_filepath: openssl-certs/kibana-key.pem
opendistro_security.ssl.http.pemcert_filepath: openssl-certs/kibana.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: openssl-certs/root-ca.pem
opendistro_security.nodes_dn:
- "CN=Node1,..."
opendistro_security.authcz.admin_dn:
- "CN=ADMIN,..."
opendistro_security.advanced_modules_enabled: true
opendistro_security.roles_mapping_resolution: BOTH
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false

kibana.yml:

server.name: "kibana"

elasticsearch.hosts: ["https://127.0.0.1:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana-cert.crt
server.ssl.key: /etc/kibana/kibana-key.pem
elasticsearch.ssl.certificateAuthorities: [ "/etc/elasticsearch/root-ca.pem" ]
elasticsearch.ssl.verificationMode: none
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

Hi @Kilbirdih,
One thing I noted is that exchange_key is too short; it should be an even number and at least 32 characters long. However, I would also like to see the configuration, since my SAML config is still not working.

I have a good key. This value is for display purposes.