openid docs

[agadelshin]

I'm trying to connect opendistro kibana to azure ad, but I've found that plugin config doesn't work:

/usr/share/kibana/plugins/opendistro_security/securityconfig/config.yml

      opendistro_security:
        dynamic:
          http:
            anonymous_auth_enabled: false
            xff:
              enabled: true
              internalProxies: '.*' # trust all internal proxies, regex pattern
              remoteIpHeader:  'x-forwarded-for'
              proxiesHeader:   'x-forwarded-by'
              trustedProxies: '.*' # trust all external proxies, regex pattern
          authc:
            openid_auth_domain:
              http_enabled: true
              transport_enabled: true
              order: 0
              http_authenticator:
                type: openid
                challenge: false
                config:
                  openid_connect_url: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
              authentication_backend:
                type: noop

kibana.yml:

    opendistro_security.auth.type: "openid"
    opendistro_security.openid.connect_url: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
    opendistro_security.openid.client_id: "{application_id}"
    opendistro_security.openid.client_secret: "{secret}"
    opendistro_security.openid.base_redirect_url: "https://kibana_url"
    opendistro_security.cookie.secure: true
    elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]

I'm getting authError every time. What I've missed? Don't see any chance to debug this auth error, there is no any helpful message in log or smth.

[gtudor]

If you get problems with odfe not starting using the sample docker-compose.yml file, you may need to increase the mmaps value in your host operating system. After hours of debugging with different config variables, I found this on the elastic.co website. After I executed the command sysctl -w vm.max_map_count=262144 and then did a docker-compose up using the sample docker-compose file everything started normally.

From the elastic.co website:
Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts is likely to be too low, which may result in out of memory exceptions.

On Linux, you can increase the limits by running the following command as root:

sysctl -w vm.max_map_count=262144
To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf. To verify after rebooting, run sysctl vm.max_map_count.

[agadelshin]

azure log says auth operations are successful.

[aetter]

Hi @pondohva, a couple thoughts:

• I'm only seeing one authentication domain, but you need two. Also, you want the Open ID domain to have an order of 1: https://opendistro.github.io/for-elasticsearch-docs/docs/security/openid-connect/#elasticsearch-configuration
• Are you running securityadmin.sh to reload settings after making tweaks to the YML files? We've had a few people in the past who had things configured properly, but weren't reloading settings, thought they needed to change variables, etc.: https://opendistro.github.io/for-elasticsearch-docs/docs/security/security-admin/

Given the presence of an external provider (and in this case, a proxy), these sorts of issues are always really hard to troubleshoot, but let me know if you're able to get it working.

[agadelshin]

@aetter oh.

1. Thank you, I forgot it.
2. No. I'm using docker image amazon/opendistro-for-elasticsearch-kibana:0.7.1.
   there is no tools directory in /usr/share/kibana/plugins/opendistro_security, whoami shows me "kibana" and there is no JAVA in image.

it seems securityadmin.sh will fix everything.

[agadelshin]

Also I'm using elasticsearch-oss instead of opendistro image (because opendistro image doesn't work with helm chart).
So I'll fix it and try again (I thought security is a kibana plugin, not elasticsearch)

[aetter]

Hi @pondohva, gotcha. Yeah, Security is really two plugins: one for Elasticsearch, one for Kibana. You can use the Elasticsearch plugin by itself, but the Kibana plugin relies on a secured Elasticsearch cluster.

[agadelshin]

updated config to plugin on elasticsearch node

opendistro_security:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            openid_connect_url: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

kibana.yaml

server.name: kibana
server.host: "0"
elasticsearch.ssl.verificationMode: none
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
opendistro_security.openid.client_id: "{app_id}"
opendistro_security.openid.client_secret: "{secret}"
opendistro_security.openid.base_redirect_url: "{url}"
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant", "x-forwarded-for", "x-forwarded-by"]
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

and I'm getting error in es logs on each request.

[2019-04-04T16:51:38,782][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [elasticsearch-master-0] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2019-04-04T16:51:38,784][WARN ][o.a.c.r.s.j.j.JwsUtils   ] [elasticsearch-master-0] No signature algorithm was defined
[2019-04-04T16:51:38,784][WARN ][c.a.o.s.a.BackendRegistry] [elasticsearch-master-0] Authentication finally failed for null from 10.2.66.9:54226

[agadelshin]

securityadmin.sh works too

[root@elasticsearch-master-1 elasticsearch]# "/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh" -cd "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig" -icl -key "/usr/share/elasticsearch/config/kirk-key.pem" -cert "/usr/share/elasticsearch/config/kirk.pem" -cacert "/usr/share/elasticsearch/config/root-ca.pem" -nhnv
Open Distro Security Admin v6
Will connect to localhost:9300 ... done
Elasticsearch Version: 6.5.4
Open Distro Security Version: 0.7.0.1
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update 'security/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
   SUCC: Configuration for 'config' created or updated
Will update 'security/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update 'security/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'security/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update 'security/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated

[aetter]

Hi @pondohva, everything looks pretty good to me. Are you setting elasticsearch.url in docker-compose.yml? Is Kibana successfully connecting to the cluster in its startup logs? Something like:

odfe-kibana   | {"type":"log","@timestamp":"2019-04-03T17:18:03Z","tags":["status","plugin:elasticsearch@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from red to green - Ready","prevState":"red","prevMsg":"Service Unavailable"}
odfe-kibana   | {"type":"log","@timestamp":"2019-04-03T17:18:04Z","tags":["listening","info"],"pid":1,"message":"Server running at http://0:5601"}

[agadelshin]

@aetter yep

{"type":"log","@timestamp":"2019-04-04T17:05:42Z","tags":["status","plugin:elasticsearch@6.5.4","info"],"pid":1,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2019-04-04T17:05:42Z","tags":["listening","info"],"pid":1,"message":"Server running at http://0:5601"}

Also, I'm using distro images in GKE cluster. Kibana is behind google cloud load balancer, but kibana and elastic in the same cluster.

There are messages on each failed request (I enabled DEBUG)

[2019-04-04T20:37:15,387][DEBUG][c.a.o.s.a.BackendRegistry] [elasticsearch-master-2] Rest authentication request from 10.2.66.18:56934 [original: /10.2.66.18:56934]
[2019-04-04T20:37:15,387][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [elasticsearch-master-2] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2019-04-04T20:37:15,388][WARN ][o.a.c.r.s.j.j.JwsUtils   ] [elasticsearch-master-2] No signature algorithm was defined
[2019-04-04T20:37:15,388][DEBUG][c.a.o.s.a.BackendRegistry] [elasticsearch-master-2] 'org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET' extracting credentials from jwt-key-by-oidc http authenticator
org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET
	at org.apache.cxf.rs.security.jose.jws.JwsUtils.getPublicKeySignatureVerifier(JwsUtils.java:177) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
	at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureVerifier(JwsUtils.java:146) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
	at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureVerifier(JwsUtils.java:138) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]

[aetter]

@pondohva, everything still looks good to me, so I'm going to move this issue over to the security repo so that engineering can check it out.

[aetter]

Reopened here: https://github.com/opendistro-for-elasticsearch/security/issues/29