---
title: Elasticsearch realm + LDAP integration
tags: Elasticsearch
description: View the slide with "Slide Mode".
---

# Elasticsearch realm + LDAP integration

Source: [User Impersonation with X-Pack: Integrating Third Party Auth with Kibana](https://www.elastic.co/blog/user-impersonation-with-x-pack-integrating-third-party-auth-with-kibana)

## Overview

- X-Pack Security provides authentication and authorization via RBAC
- authentication: verifying who the user is, managed through Elasticsearch's native realms
- authorization: which privileges that user has

## Architecture

To do so, I'll be using Bitly's [oauth2_proxy](https://github.com/bitly/oauth2_proxy) to handle the Google authentication layer and [Nginx](https://www.nginx.com/resources/wiki/) to pass the necessary headers to Kibana. My overall architecture will look something like this:

![](https://i.imgur.com/u3DnX7A.png)

:::success
The above configuration will only work in Kibana 5.x or later. This is because we've implemented an additional way to trigger a login event by passing basic auth headers (<font color=red>rather than entering credentials in the Security UI login screen</font>). Kibana 5.x also allows you to <font color=red>whitelist headers</font>, which allows us to pass our special "run as" header.
:::

## Implementation

### 1. `kibana.yml`

```yaml=
elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization ]
xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization ]
```

- [Submitting requests on behalf of other users](https://www.elastic.co/guide/en/elasticsearch/reference/current/run-as-privilege.html#run-as-privilege)
- Kibana only forwards whitelisted request headers to Elasticsearch, so both the service account's `authorization` header and the `es-security-runas-user` header must be listed here; otherwise the run-as request never reaches Elasticsearch.

>[name=昱齊] In other words, the user does not actually log in with their own account and password; once the user passes the first-layer LDAP authentication, they are simply let in via `es-security-runas-user`.

### 2. Create an `nginx` role and service account
- Under the role, `run_as` must cover every user who logs in via `LDAP`
- Also create an `nginx` user for the Nginx proxy to use
- The proxy impersonates users through `run_as`

```bash=
curl -u elastic:changeme -XPOST "http://localhost:9200/_xpack/security/role/nginx" -H 'Content-Type: application/json' -d'
{
  "run_as": ["user1"]
}'

curl -u elastic:changeme -XPOST "http://localhost:9200/_xpack/security/user/nginx" -H 'Content-Type: application/json' -d'
{
  "password" : "secretpassword",
  "roles" : ["nginx"],
  "full_name" : "Service Account"
}'
```

- If more users need to log in, the `nginx` role's `run_as` list has to be extended through the role API
- `elastic:changeme` is the default superuser credential of X-Pack 5.x; it is used here only to call the security APIs and should be changed on any real cluster

>[name=昱齊] Can we skip nginx and pass the user through directly?
>[name=昱齊] This way, users have to be created, and nginx's permissions have to be adjusted as well.

### 3. Running oauth2_proxy

```bash=
$ ./oauth2_proxy \
  --email-domain="elastic.co" \
  --upstream="http://127.0.0.1:8080/" \
  --approval-prompt="auto" \
  --redirect-url="http://localhost:4180/oauth2/callback" \
  --cookie-secret=secretsecret \
  --cookie-name="_oauth2_proxy" \
  --cookie-secure=false \
  --provider=google \
  --client-id="<your client id from your google project>" \
  --client-secret="<your client secret from your google project>"
```

- `--cookie-secret=secretsecret` and `--cookie-secure=false` are demo values from the source article; outside a local test, use a random secret and serve oauth2_proxy over HTTPS, since the session cookie is what stands in for the user's credentials from here on

>[name=昱齊] Which parameter connects to nginx? -> `--upstream="http://127.0.0.1:8080/"`

### 4. Adjust `nginx.conf`

```nginx=
server {
    listen 8080;
    server_name localhost;

    location / {
        # The location of our Kibana server (this is default)
        proxy_pass http://localhost:5601/;

        # Send a Basic auth header to Kibana on every request to get past the log-in UI.
        # "bmdpbng6c2VjcmV0cGFzc3dvcmQ=" is the base64 encoding of the service account's credentials "nginx:secretpassword"
        proxy_set_header Authorization "Basic bmdpbng6c2VjcmV0cGFzc3dvcmQ=";

        # Also submit the 'es-security-runas-user' header on every request, with the value of the X-Forwarded-User header sent by oauth2_proxy.
        # X-Forwarded-User would be 'user1' if the Google account was user1@elastic.co
        proxy_set_header es-security-runas-user $http_x_forwarded_user;

        # Simple rewrite to get us back to oauth2_proxy's login page if someone uses Kibana's Logout button.
        rewrite /login http://localhost:4180/oauth2/sign_in redirect;
    }
}
```

- The line that does the impersonation is `proxy_set_header es-security-runas-user $http_x_forwarded_user;`

### Drawbacks

- In the Kibana UI the logged-in user is displayed as `nginx`, but the audit log records `userXXX`
- The login method described here uses OAuth; for LDAP we still need to find an LDAP UI login page and connect it to the `nginx` proxy behind it
- nginx copies the impersonated user name straight out of the `X-Forwarded-User` request header. Port 8080 must therefore be reachable only from oauth2_proxy (bind it to `127.0.0.1` or firewall it); any client that can reach nginx directly could set that header itself and act as any user in the role's `run_as` list

>[name=昱齊] Suppose the nginx role's `run_as` already contains user1 and user2; where is it decided that operations run as user1, and would user2's indices be visible?
>[name=昱齊] The `proxy_set_header es-security-runas-user $http_x_forwarded_user;` line in nginx passes the user account.

### Adjustments

- Run user creation as a batch script that periodically syncs with the LDAP user database
- Also provide a manual create-user API
- Find an LDAP UI
- Work out how LDAP hands the user data to the nginx behind it

## [LDAP version](https://mapr.com/blog/how-secure-elasticsearch-and-kibana/)
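For the batch-sync item in the Adjustments section above, here is an added example (not code from the page or from the Elastic article) of a script that replaces the `nginx` role's `run_as` list with the current LDAP user list through the 5.x role API, and then checks which user a request actually runs as. It assumes Elasticsearch on `localhost:9200`, the `nginx` role and service account from step 2, the admin credentials from step 2, and a constructed user list standing in for the result of an LDAP search; the `NEVER_IMPERSONATE` set is my own safeguard, not something the article configures.

```python
"""Keep the nginx role's run_as list in sync with LDAP users (added example)."""
import base64
import json
from urllib import request

# Assumptions, not from the page: Elasticsearch 5.x X-Pack on localhost,
# role/service account named nginx, admin account elastic:changeme.
ES_URL = "http://localhost:9200"
ROLE_NAME = "nginx"
# GET role also returns read-only fields such as transient_metadata,
# which the PUT role API rejects, so only these fields are written back.
WRITABLE_ROLE_FIELDS = ("cluster", "indices", "run_as", "metadata")
# Safeguard (my assumption): never let the proxy impersonate built-in or
# service accounts, even if a name like this ever shows up in LDAP.
NEVER_IMPERSONATE = {"elastic", "kibana", "nginx"}


def basic_auth_header(user, password):
    """Build the same Authorization value that nginx hard-codes in step 4."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def merge_run_as(current_role, ldap_users):
    """Return (new role body, users added, users removed).

    run_as is replaced by the full LDAP list rather than appended to, so a
    user removed from LDAP also loses the right to be impersonated.
    """
    wanted = set(ldap_users) - NEVER_IMPERSONATE
    current = set(current_role.get("run_as", []))
    body = {k: v for k, v in current_role.items() if k in WRITABLE_ROLE_FIELDS}
    body["run_as"] = sorted(wanted)
    return body, sorted(wanted - current), sorted(current - wanted)


def _call(method, path, auth_header, body=None, extra_headers=None):
    """Minimal JSON client for the X-Pack security APIs."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(ES_URL + path, data=data, method=method)
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/json")
    for name, value in (extra_headers or {}).items():
        req.add_header(name, value)
    with request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def sync_role_with_ldap(admin_auth, ldap_users):
    """Fetch the nginx role, replace run_as with the LDAP users, write it back."""
    current = _call("GET", f"/_xpack/security/role/{ROLE_NAME}", admin_auth)[ROLE_NAME]
    body, added, removed = merge_run_as(current, ldap_users)
    if added or removed:
        _call("PUT", f"/_xpack/security/role/{ROLE_NAME}", admin_auth, body)
    return added, removed


def effective_user(service_auth, run_as_user):
    """Authenticate as the service account but run as the LDAP user.

    _authenticate reports the user the request is treated as, which should be
    the impersonated user, not nginx; the Kibana UI does not show this.
    """
    info = _call("GET", "/_xpack/security/_authenticate", service_auth,
                 extra_headers={"es-security-runas-user": run_as_user})
    return info["username"]


if __name__ == "__main__":
    # Constructed sample standing in for an LDAP search result (not real data).
    ldap_users = ["user1", "user2", "user3"]
    admin = basic_auth_header("elastic", "changeme")
    added, removed = sync_role_with_ldap(admin, ldap_users)
    print("added:", added, "removed:", removed)
    service = basic_auth_header("nginx", "secretpassword")
    print("requests from the proxy run as:", effective_user(service, "user2"))
```

Running this on a schedule answers the "how do we add more users" concern from step 2 without hand-editing the role, and `effective_user` is the quickest way to confirm that a given name in `X-Forwarded-User` really maps to that Elasticsearch user before trusting the proxy with it.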