I am trying to set up JWT authentication for Kibana in Opendistro 1.13.1, which is running on Docker. My docker-compose.yml file is:
version: '3'
services:
odfe-node1:
image: amazon/opendistro-for-elasticsearch:1.13.1
container_name: odfe-node1
environment:
- cluster.name=odfe-cluster
- node.name=odfe-node1
- discovery.seed_hosts=odfe-node1,odfe-node2
- cluster.initial_master_nodes=odfe-node1,odfe-node2
- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
- "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
hard: 65536
volumes:
- odfe-data1:/usr/share/elasticsearch/data
- ./config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
ports:
- 9200:9200
- 9600:9600 # required for Performance Analyzer
networks:
- odfe-net
odfe-node2:
image: amazon/opendistro-for-elasticsearch:1.13.1
container_name: odfe-node2
environment:
- cluster.name=odfe-cluster
- node.name=odfe-node2
- discovery.seed_hosts=odfe-node1,odfe-node2
- cluster.initial_master_nodes=odfe-node1,odfe-node2
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- odfe-data2:/usr/share/elasticsearch/data
- ./config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
networks:
- odfe-net
kibana:
image: amazon/opendistro-for-elasticsearch-kibana:1.13.1
container_name: odfe-kibana
ports:
- 5601:5601
expose:
- "5601"
volumes:
- ./kibana.yml:/usr/share/kibana/config/kibana.yml
environment:
ELASTICSEARCH_URL: https://odfe-node1:9200
ELASTICSEARCH_HOSTS: https://odfe-node1:9200
networks:
- odfe-net
volumes:
odfe-data1:
odfe-data2:
networks:
odfe-net:
My config.yml file contains the following section:
jwt_auth_domain:
enabled: true
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "oeRaYY7Wo24sDqKSX3IM9ASGmdGPmkTd9jo1QTy4b7P9Ze5_9hKolVX8xNrQDcNRfVEdTZNOuOyqEGhXEbdJI-ZQ19k_o9MI0y3eZN2lp9jow55FfXMiINEdt1XR85VipRLSOkT6kSpzs2x-jbLDiz9iFVzkd81YKxMgPA7VfZeQUm4n-mOmnWMaVX30zGFU4L3oPBctYKkl4dYfqY>
jwt_header: "Authorization"
jwt_url_parameter: null
roles_key: "roles"
subject_key: "sub"
authentication_backend:
type: noop
The kibana.yml is:
server.name: kibana
server.host: "0"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.auth.type: "jwt"
opendistro_security.cookie.secure: false
newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false
Finally, I executed a GET request to my client on Postman after generating a valid authentication token:
{
"info": {
"_postman_id": "7bb92352-26c3-4e1d-b64a-c312b5cea23a",
"name": "kibana",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "test",
"request": {
"auth": {
"type": "oauth2",
"oauth2": [
{
"key": "clientSecret",
"value": "2da2cec1-a347-4d9d-8060-86176d28c162",
"type": "string"
},
{
"key": "tokenType",
"value": "Bearer",
"type": "string"
},
{
"key": "accessToken",
"value": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJDczhvVkJrVFRnR2NGdHNzQzE3V19DRVFUQzNPSjhwSy1oS1ppMGNHNHFVIn0.eyJleHAiOjE2MTcxOTkzMjQsImlhdCI6MTYxNzE5OTAyNCwianRpIjoiMGRmMjQyNDUtZDRkOC00MDAyLWEwYWItNjRmMGQyNDBkNzhkIiwiaXNzIjoiaHR0cDovLzEwLjEwLjI1Mi44NC9hdXRoL3JlYWxtcy9raWJhbmEiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiN2ZmODQwNzAtM2M5OS00ZTVkLTlmNDEtODBhNzkxMTY0MWQwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2liYW5hLWp3dCIsInNlc3Npb25fc3RhdGUiOiIzNjE1ZTYzMy1lYjRjLTRhOTQtYjI5MC0yNDAyMTI4MWE1ZDMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly8xMC4xMC4yNTIuODQiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.du_i-IXhReYGzUzKJ2jNto5jBl75pA9ShZ968DjpggK9CT8DUMVm6lCwqYo38h231ouPtALGj1Lpk_YWy7HZKX5gmZvfredIwPZw7TEeMHbw2Q_B7uu8zPrD6Be6oLmcogbchMWG9CxNwrUdN1igqnZ6OWl-6l7RQCpb8KPvzCugnzwwyk6fXpNsWSDm9HliHC66FVb-6evYdB1V_xWrCZoUvMVLIG3G0W7ojdTjVEX_t8EgvMNwZeIcyzDY1kjvJhr7ORRX8SYi0mxJQgZuqHrSV63ssWpzUXvK9BSlgEbMfMJSIqZdVDzQil7eg3IKVv6CziEk0L08-6gGSg66cg",
"type": "string"
},
{
"key": "accessTokenUrl",
"value": "http://10.10.252.84/auth/realms/kibana/protocol/openid-connect/token",
"type": "string"
},
{
"key": "password",
"value": "admin",
"type": "string"
},
{
"key": "username",
"value": "admin",
"type": "string"
},
{
"key": "clientId",
"value": "kibana-jwt",
"type": "string"
},
{
"key": "tokenName",
"value": "Kibana Token",
"type": "string"
},
{
"key": "scope",
"value": "openid",
"type": "string"
},
{
"key": "grant_type",
"value": "password_credentials",
"type": "string"
},
{
"key": "addTokenTo",
"value": "header",
"type": "string"
}
]
},
"method": "GET",
"header": [],
"url": {
"raw": "http://10.10.252.102:5601",
"protocol": "http",
"host": [
"10",
"10",
"252",
"102"
],
"port": "5601"
}
},
"response": []
}
]
}
The response to this was the following error message:
{
"statusCode": 401,
"error": "Unauthorized",
"message": "Authorization error"
}
Can anyone figure out what I have been doing wrong?
