Reputation: 1561
Search Guard Kibana clientcert authentication
I have installed Search Guard for Elasticsearch 5 and configured authentication only through client certificate with CN as username.
clientcert_auth_domain:
enabled: false
order: 2
http_authenticator:
type: clientcert
config:
username_attribute: cn #optional, if omitted DN becomes username
challenge: false
authentication_backend:
type: noop
Also I installed Search Guard plugin for Kibana.
How can I canfigure Search Guard for Kibana to use client certificates for users to log in? I see only option to use username password or LDAP in documentationas: https://github.com/floragunncom/search-guard-docs/blob/master/kibana.md
But I would like to use client certificates as configured in Search Guard for Elasticsearch. I do not see any configuration options to enable clientcert authentication also for kibana users.
Still I have to log in through form where I should insert username and password.
Upvotes: 3
Views: 692
Answers (1)
Reputation: 386
Kibana acts like a proxy for Elasticsearch, and by default discards most of the information contained in the original HTTP call, including the HTTP header fields containing your client certificate.
However, you can whitelist HTTP headers explicitly in kibana.yml, so you could try to whitelist the "X-Client-Cert" header like:
elasticsearch.requestHeadersWhitelist: [ "authorization", "X-Client-Cert" ]
Disclaimer: I work for floragunn / Search Guard
Upvotes: 3
Related Questions
- secure Kibana and elasticsearch using SSL / TLS
- Authentication in Elasticsearch
- How to add authentication to Elastic Transport Client
- EFK with Searchguard
- searchguard for SSL communication in ELK
- Connect to Secured Elastic Search using java
- Kerberos for Elasticsearch
- Basic authentication for elasticsearch pod running in kubernetes cluster
- Kibana Elasticsearch 6.4 basic security
- Secure kibana access