Commit 448b5040 authored by Jochen Kressin's avatar Jochen Kressin

Merge branch '7.x' into 7.x-36

parents d0c9bbc0 58a0f9c7
......@@ -5,6 +5,9 @@ docs:
script:
- cat /etc/debian_version || true
- uname -a
- export LC_ALL="C.UTF-8"
- export LANG="en_US.UTF-8"
- export LANGUAGE="en_US.UTF-8"
- apt-get update -yqq && apt-get install -yqq ncftp wget
- echo "Merge marker sanity check"
- (grep -ri "<<<<<<" * || grep -ri ">>>>>>" *) && (echo "found some merge conflicts, will abort"; exit -1)
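Review bot: `exit -1` on the last added line is outside the 0..255 range (bash silently maps it to 255, stricter shells reject it), and because it runs inside a `( ... )` subshell it does not terminate the script itself; the job only fails through the return status of the `&&` list. An `if` form is clearer and exits the script directly: `if grep -rq "<<<<<<" * || grep -rq ">>>>>>" *; then echo "found merge conflict markers, aborting"; exit 1; fi`. One further observation on the same hunk: `ncftp` is a plain-FTP client, so if it is what publishes the generated docs, the deploy credentials cross the network in cleartext; an SFTP or FTPS client would be the safer choice.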
......
......@@ -10,9 +10,12 @@ kramdown:
sass:
style: compressed
sass_dir: ./sass
exclude:
- .idea
- sass
plugins:
- jekyll-relative-links
......
......@@ -39,6 +39,7 @@ Search Guard tracks the following types of events, on REST and Transport layer:
| SSL_EXCEPTION | yes | yes | An attempt was made to access Elasticsearch without a valid SSL/TLS certificate.|
| SG\_INDEX\_ATTEMPT | no | yes | an attempt was made to modify the Search Guard internal user and privileges index without the required permissions or TLS admin certificate.|
| BAD_HEADERS | yes | yes | An attempt was made to spoof a request to Elasticsearch with Search Guard internal headers.|
{: .config-table}
For security reasons, audit logging has to be configured in `elasticsearch.yml`, not in `sg_config.yml`. Changes to the audit log settings require a restart of all participating nodes in the cluster.
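Review bot: the `SG_INDEX_ATTEMPT` description starts in lowercase ("an attempt was made") while the neighbouring rows are capitalised. More importantly, "For security reasons, audit logging has to be configured in `elasticsearch.yml`" does not say what the reason is; spell it out, for example that `elasticsearch.yml` requires file-system access on every node whereas `sg_config.yml` can be changed at runtime, so whoever can alter the security configuration cannot also silently switch auditing off.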
......
......@@ -62,6 +62,7 @@ searchguard:
| endpoint name | A telling name for the endpoint used to reference it in the routing configuration. Must be unique.|
| endpoint type | Any [supported endpoint type](auditlogging_storage.md) |
| endpoint configuration | The configuration for the configured endpoint, individual for each type. |
{: .config-table}
The configuration settings are specific for each endpoint. For a reference, please refer to the [audit storage documentation](auditlogging_storage.md).
......@@ -139,6 +140,7 @@ searchguard:
|---|---|
| category name | The category for which this routing applies. Must match one of the audit and/or compliance event categories. Must be unique.|
| endpoint name | Name of the endpoint to use. Must be one of the endpoints under the `searchguard.audit.endpoints configuration` settings, or `default`.|
{: .config-table}
If there is no specific routing for a category defined the events will be send to the `default` endpoint.
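Review bot: "the events will be send" should be "sent", and the backticks in `searchguard.audit.endpoints configuration` should enclose only the key (`searchguard.audit.endpoints`), not the word "configuration".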
......
......@@ -37,6 +37,7 @@ The elasticsearch configuration monitoring can be switched on an off by the foll
| Name | Description |
|---|---|
| searchguard.compliance.history.external\_config\_enabled | boolean, whether to enable or disable elasticsearch configuration logging. Default: true |
{: .config-table}
## Audit log category
......@@ -51,6 +52,7 @@ The Elasticsearch configuration events are logged in the `COMPLIANCE_EXTERNAL_CO
| audit\_format\_version | Audit log message format version, current: 3|
| audit\_utc\_timestamp | UTC timestamp when the event was generated|
| audit\_category | Audit log category, `COMPLIANCE_EXTERNAL_CONFIG` for all events|
{: .config-table}
### Cluster and node attributes
......@@ -61,6 +63,7 @@ The Elasticsearch configuration events are logged in the `COMPLIANCE_EXTERNAL_CO
| audit\_node\_name | The name of the node where the event was generated. |
| audit\_node\_host\_address |The host address of the node where the event was generated.|
| audit\_node\_host\_name |The host address of the node where the event was generated. |
{: .config-table}
### Configuration attributes
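Review bot: `audit_node_host_name` is described as "The host address of the node", duplicating the `audit_node_host_address` row above it; it should read "The host name of the node where the event was generated." The same copy-paste appears in every "Cluster and node attributes" table touched by this merge (internal config, doc read and doc write pages), so fix them together.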
......@@ -68,6 +71,7 @@ The Elasticsearch configuration events are logged in the `COMPLIANCE_EXTERNAL_CO
|---|---|
| audit\_compliance\_file\_infos | All external files referenced in the configuration, with modification date and sha256 checksum. |
| audit\_request\_body | Detailed configuration information as JSON string. |
{: .config-table}
## File information
......@@ -103,6 +107,7 @@ The `audit_compliance_file_infos` key contains an array that lists all files use
| sha256 | SHA256 checksum of the file |
| last_modified | Last modification date of the file |
| key | The configuration key in elasticsearch.yml this file is referenced by. |
{: .config-table}
## Configuration information
......@@ -114,6 +119,7 @@ The detailed configuration settings can be found in the `audit_request_body` fie
| os_environment | Environment variables on node startup |
| java_properties | Java properties on node startup |
| sha256_checksum | SHA256 checksum of the combined external_configuration, os_environment and java_properties. Can be used to detect any changes to your Elasticsearch installation. |
{: .config-table}
### External configuration
......
......@@ -33,7 +33,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_request\_layer | The layer on which the event has been generated. One if `TRANSPORT` or `REST`. |
| audit\_request\_origin | The layer from which the event originated. One if `TRANSPORT` or `REST`. |
| audit\_request\_effective\_user\_is\_admin | true if the request was made wit an TLS admin certificate, false otherwise. |
{: .config-table}
## REST FAILED_LOGIN attributes
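Review bot: "One if `TRANSPORT` or `REST`" should be "One of" in both the `audit_request_layer` and `audit_request_origin` rows (the origin row recurs in the compliance field references of this merge); "made wit an TLS admin certificate" should be "made with a TLS admin certificate"; and the hunk header's "event categores" should be "categories".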
......@@ -46,7 +46,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_rest\_request\_headers | The HTTP headers, if any. Optional. |
| audit\_request\_initiating\_user | The user that initiated the request. Only logged if it differs from the effective user, for example when using impersonation. Optional. |
| audit\_request\_body | The HTTP body, if any and if request body logging is enabled. Optional.|
{: .config-table}
## REST AUTHENTICATED attributes
......@@ -59,13 +59,14 @@ The following attributes are logged for all event categores, independent of the
| audit\_rest\_request\_params | The HTTP request parameters, if any. Optional. |
| audit\_rest\_request\_headers | The HTTP headers, if any. Optional. |
| audit\_request\_body | The HTTP body, if any and if request body logging is enabled. Optional.|
{: .config-table}
## REST SSL_EXCEPTION attributes
| Name | Description |
|---|---|
| audit\_request\_exception\_stacktrace | The stacktrace of the SSL Exception|
{: .config-table}
## REST BAD_HEADERS attributes
......@@ -75,6 +76,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_rest\_request\_params | The HTTP request parameters, if any. Optional. |
| audit\_rest\_request\_headers | The HTTP headers, if any. Optional. |
| audit\_request\_body | The HTTP body, if any and if request body logging is enabled. Optional.|
{: .config-table}
## Transport FAILED_LOGIN attributes
......@@ -89,6 +91,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_trace\_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_resolved\_indices | The resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_doc\_types | The document types affecated by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
## Transport AUTHENTICATED attributes
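Review bot: "document types affecated" should be "affected"; the same `audit_trace_doc_types` row is repeated verbatim in every Transport table of this file, so correct all occurrences in one pass.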
......@@ -103,6 +106,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_trace\_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_resolved\_indices | The resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_doc\_types | The document types affecated by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
## Transport MISSING_PRIVILEGES attributes
......@@ -119,6 +123,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_trace\_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_resolved\_indices | The resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_doc\_types | The document types affecated by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
## Transport GRANTED_PRIVILEGES attributes
......@@ -135,13 +140,14 @@ The following attributes are logged for all event categores, independent of the
| audit\_trace\_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_resolved\_indices | The resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_doc\_types | The document types affecated by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
## Transport SSL_EXCEPTION attributes
| Name | Description |
|---|---|
| audit\_request\_exception\_stacktrace | The stacktrace of the SSL Exception|
{: .config-table}
## Transport BAD_HEADERS attributes
......@@ -157,6 +163,7 @@ The following attributes are logged for all event categores, independent of the
| audit\_trace\_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_resolved\_indices | The resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_doc\_types | The document types affecated by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
## Transport SG\_INDEX\_ATTEMPT attributes
......@@ -171,3 +178,4 @@ The following attributes are logged for all event categores, independent of the
| audit\_trace\_indices | The index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_resolved\_indices | The resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
| audit\_trace\_doc\_types | The document types affecated by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
\ No newline at end of file
......@@ -26,6 +26,7 @@ The elasticsearch configuration monitoring can be switched on an off by the foll
| Name | Description |
|---|---|
| searchguard.compliance.history.internal_config_enabled | boolean, whether to enable or disable Search Guard configuration monitoring. Default: true |
{: .config-table}
## Audit log category
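Review bot: the row documents `searchguard.compliance.history.internal_config_enabled` (Search Guard configuration monitoring), but the paragraph it sits under, as shown in the hunk header, still reads "The elasticsearch configuration monitoring can be switched on an off", copied from the external-config page; it should refer to Search Guard configuration monitoring and read "on and off".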
......@@ -40,6 +41,7 @@ The Elasticsearch configuration events are logged in the `COMPLIANCE_INTERNAL_CO
| audit\_format\_version | Audit log message format version, current: 3|
| audit\_utc\_timestamp | UTC timestamp when the event was generated|
| audit\_category | Audit log category, `COMPLIANCE_EXTERNAL_CONFIG` for all events|
{: .config-table}
### Cluster and node attributes
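Review bot: the `audit_category` row says `COMPLIANCE_EXTERNAL_CONFIG` for all events, but this file documents the internal-configuration category named in the hunk header (`COMPLIANCE_INTERNAL_CO...`), so the value looks copied from the external-config page; the same row recurs further down in this file. Correct both against the category name the code actually emits, since readers will filter their audit logs on it.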
......@@ -50,6 +52,7 @@ The Elasticsearch configuration events are logged in the `COMPLIANCE_INTERNAL_CO
| audit\_node\_name | The name of the node where the event was generated. |
| audit\_node\_host\_address |The host address of the node where the event was generated.|
| audit\_node\_host\_name |The host address of the node where the event was generated. |
{: .config-table}
### Configuration attributes
......@@ -59,6 +62,7 @@ The Elasticsearch configuration events are logged in the `COMPLIANCE_INTERNAL_CO
| audit\_trace\_resolve\_indices | The index name used to read the config. May contain aliases or wildcards. |
| audit\_trace\_doc\_id | The configuration that has been read, one of `internalusers`, `roles`, `rolesmapping`, `actiongroups`, `config` |
| audit\_request\_body | The configuration that has been read, as JSON string |
{: .config-table}
### Logged configuration
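Review bot: the field is spelled `audit_trace_resolve_indices` here but `audit_trace_resolved_indices` in every other table of this merge; confirm which name the log message actually carries and make the table match, otherwise a query or detection rule written against the documented name silently returns nothing.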
......@@ -94,6 +98,7 @@ Since the JSON object is stored as String, the quotation marks are escaped in th
| audit\_format\_version | Audit log message format version, current: 3|
| audit\_utc\_timestamp | UTC timestamp when the event was generated|
| audit\_category | Audit log category, `COMPLIANCE_EXTERNAL_CONFIG` for all events|
{: .config-table}
### Cluster and node attributes
......@@ -104,6 +109,7 @@ Since the JSON object is stored as String, the quotation marks are escaped in th
| audit\_node\_name | The name of the node where the event was generated. |
| audit\_node\_host\_address |The host address of the node where the event was generated.|
| audit\_node\_host\_name |The host address of the node where the event was generated. |
{: .config-table}
### Request attributes
......@@ -111,12 +117,14 @@ Since the JSON object is stored as String, the quotation marks are escaped in th
|---|---|
| audit\_request\_origin | The layer from which the event originated. One if `TRANSPORT` or `REST`. |
| audit\_request\_remote\_address | The adress where the request came from. |
{: .config-table}
### User attributes
| Name | Description |
|---|---|
| audit\_request\_effective\_user | The username of the user that has changed the configuration |
{: .config-table}
### Index attributes
......@@ -124,6 +132,7 @@ Since the JSON object is stored as String, the quotation marks are escaped in th
|---|---|
| audit\_trace\_indices | Array, the index name(s) as contained in the request. Can contain wildcards, date patterns and aliases.|
| audit\_trace\_resolved\_indices | Array, the resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
### Document and fields attributes
......@@ -131,3 +140,4 @@ Since the JSON object is stored as String, the quotation marks are escaped in th
|---|---|
| audit\_compliance\_operation | The operation on the configuration, can be one of `CREATE`, `UPDATE` or `DELETE`. |
| audit\_trace\_doc\_id | Name of the configuration that has changed, one of `internalusers`, `roles`, `rolesmapping`, `actiongroups`, `config` |
{: .config-table}
\ No newline at end of file
......@@ -79,6 +79,7 @@ Events in the `COMPLIANCE_DOC_READ` category have the following attributes:
| audit\_format\_version | Audit log message format version, current: 3|
| audit\_utc\_timestamp | UTC timestamp when the event was generated|
| audit\_category | Audit log category, `COMPLIANCE_DOC_READ` for all events|
{: .config-table}
### Cluster and node attributes
......@@ -89,6 +90,7 @@ Events in the `COMPLIANCE_DOC_READ` category have the following attributes:
| audit\_node\_name | The name of the node where the event was generated. |
| audit\_node\_host\_address |The host address of the node where the event was generated.|
| audit\_node\_host\_name |The host address of the node where the event was generated. |
{: .config-table}
### Request attributes
......@@ -96,12 +98,14 @@ Events in the `COMPLIANCE_DOC_READ` category have the following attributes:
|---|---|
| audit\_request\_origin | The layer from which the event originated. One if `TRANSPORT` or `REST`. |
| audit\_request\_remote\_address | The adress where the request came from. |
{: .config-table}
### User attributes
| Name | Description |
|---|---|
| audit\_request\_effective\_user | The username of the user that has accessed watched fields |
{: .config-table}
### Index attributes
......@@ -109,6 +113,7 @@ Events in the `COMPLIANCE_DOC_READ` category have the following attributes:
|---|---|
| audit\_trace\_indices | Array, the index name(s) as contained in the request. Can contain wildcards, date patterns and aliases.|
| audit\_trace\_resolved\_indices | Array, the resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
### Accessed document and fields attributes
......@@ -116,7 +121,7 @@ Events in the `COMPLIANCE_DOC_READ` category have the following attributes:
|---|---|
| audit\_trace\_doc\_id | Id of the document containing the watched fields. |
| audit\_request\_body | The fields and their value as seen by the user, in JSON format. |
{: .config-table}
## Example
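Review bot: the `audit_request_body` row states that the watched fields and their values "as seen by the user" are written to the audit log, which means the sensitive data this category exists to monitor is copied into the log itself. Add a sentence after the table pointing out that the audit log destination therefore needs the same access control and encryption as the source index.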
......
......@@ -92,7 +92,7 @@ The parameters depend on what authentication type you configured on the REST lay
| searchguard.audit.config.pemkey_filepath | The path to the private key of the TLS certificate to send to the external Elasticsearch cluster, **relative to the `config/` directory**.|
| searchguard.audit.config.pemkey_content | Same as `searchguard.audit.config.pemkey_filepath`, but you can configure the base 64 encoded certificate content directly.|
| searchguard.audit.config.pemkey_password | The password of the private key|
{: .config-table}
### Basic auth settings
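Review bot: the `searchguard.audit.config.pemkey_content` row describes the value as "base 64 encoded certificate content", but this key carries the private key, not a certificate; reword to "the PEM content of the private key". Worth adding in the same row that a key inlined into `elasticsearch.yml` ends up wherever that file is backed up or checked into configuration management, so the `pemkey_filepath` variant with restrictive file permissions is the safer default.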
......@@ -120,6 +120,7 @@ Ypu can use the following keys to configure the storage type `webhook`:
| searchguard.audit.config.webhook.ssl.pemtrustedcas_filepath | The path to the trusted certificate against which the webhook's TLS certificate is validated. |
| searchguard.audit.config.webhook.ssl.pemtrustedcas_content | Same as `searchguard.audit.config.webhook.ssl.pemtrustedcas_content`, but you can configure the base 64 encoded certificate content directly. |
| searchguard.audit.config.webhook.format | The format in which the audit log message is logged, can be one of URL\_PARAMETER\_GET, URL\_PARAMETER\_POST, TEXT, JSON, SLACK |
{: .config-table}
Formats:
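Review bot: the `searchguard.audit.config.webhook.ssl.pemtrustedcas_content` row describes itself as "Same as `searchguard.audit.config.webhook.ssl.pemtrustedcas_content`"; it should reference `searchguard.audit.config.webhook.ssl.pemtrustedcas_filepath`. In the hunk header, "Ypu can use" should be "You can use".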
......
......@@ -104,6 +104,7 @@ You can control the level of detail by the following configuration settings in e
|---|---|
| searchguard.compliance.history.write.metadata_only | boolean, if set to true Search Guard will not log any document content, only meta data. Enable this if you need to know when a document was created, changed or delete, but you are not interested in the actual content. Default is false. |
| searchguard.compliance.history.write.log_diffs | boolean, if set to true Search Guard will log diffs for document updates. Default is false. |
{: .config-table}
## Field reference
......@@ -116,6 +117,7 @@ Events in the `COMPLIANCE_DOC_WRITE` category have the following attributes:
| audit\_format\_version | Audit log message format version, current: 3|
| audit\_utc\_timestamp | UTC timestamp when the event was generated|
| audit\_category | Audit log category, `COMPLIANCE_DOC_WRITE` for all events|
{: .config-table}
### Cluster and node attributes
......@@ -127,6 +129,7 @@ Events in the `COMPLIANCE_DOC_WRITE` category have the following attributes:
| audit\_node\_host\_address |The host address of the node where the event was generated.|
| audit\_node\_host\_name |The host address of the node where the event was generated. |
| audit\_trace\_shard\_id | id of the shard |
{: .config-table}
### Request attributes
......@@ -134,12 +137,14 @@ Events in the `COMPLIANCE_DOC_WRITE` category have the following attributes:
|---|---|
| audit\_request\_origin | The layer from which the event originated. One if `TRANSPORT` or `REST`. |
| audit\_request\_remote\_address | The adress where the request came from. |
{: .config-table}
### User attributes
| Name | Description |
|---|---|
| audit\_request\_effective\_user | The username of the user that has accessed watched fields |
{: .config-table}
### Index attributes
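Review bot: the `audit_request_effective_user` row in this `COMPLIANCE_DOC_WRITE` file says "the user that has accessed watched fields", copied from the DOC_READ page; for write events it should describe the user who created, updated or deleted the document. In the same hunk, "The adress where the request came from" should be "address" (the typo recurs in the DOC_READ and internal-config pages).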
......@@ -147,6 +152,7 @@ Events in the `COMPLIANCE_DOC_WRITE` category have the following attributes:
|---|---|
| audit\_trace\_indices | Array, the index name(s) as contained in the request. Can contain wildcards, date patterns and aliases.|
| audit\_trace\_resolved\_indices | Array, the resolved, concrete index name(s) affected by this request. Only logged if `resolve_indices` is true. Optional. |
{: .config-table}
### Document and fields attributes
......@@ -157,6 +163,7 @@ Events in the `COMPLIANCE_DOC_WRITE` category have the following attributes:
| audit\_trace\_doc\_version | The version of the document that has been inserted, changed or deleted. |
| audit\_request\_body | The diff of the old and new version of the document in JSON patch format. Only logged for `UPDATE`. |
| audit\_request\_body | The content of newly created documents. Only logged for `CREATE`, and only if `searchguard.compliance.history.write.diffs_only` is `false`.|
{: .config-table}
## Example
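Review bot: two rows share the key `audit_request_body`, and the second says content is logged only if `searchguard.compliance.history.write.diffs_only` is `false`, but the settings table earlier in this file documents `searchguard.compliance.history.write.metadata_only` and `searchguard.compliance.history.write.log_diffs`, not `diffs_only`. Either add `diffs_only` to that table or correct the reference to the setting the code really reads, and merge the two rows into one that spells out the `CREATE` and `UPDATE` behaviour.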
......
......@@ -25,7 +25,6 @@ For example, you can grant unauthenticated users read-only access to certain ind
To use anonymous authentication, enable it in sg_config.yml like:
```yaml
---
_sg_meta:
type: "config"
config_version: 2
......@@ -40,6 +39,7 @@ sg_config:
| Name | Description |
|---|---|
| anonymous\_auth\_enabled | Whether to enable anonymous authentication. Boolean. Default: false|
{: .config-table}
## User and role mapping
......
......@@ -45,6 +45,7 @@ clientcert_auth_domain:
| Name | Description |
|---|---|
| username_attribute | String, the part of the certificate's DN that is used as username. If not specified, the complete DN is used.|
{: .config-table}
## Mapping DNs to roles
......
......@@ -155,4 +155,4 @@ Possible vales for `type` are:
## Examples
The [sg_config.yml](https://github.com/floragunncom/search-guard/blob/master/sgconfig/sg_config.yml){:target="_blank"} that ships with Search Guard contains configuration examples for all support modules. Use these examples as a starting point and customize them to your needs.
\ No newline at end of file
The [sg_config.yml](https://git.floragunn.com/search-guard/search-guard/blob/master/sgconfig/sg_config.yml){:target="_blank"} that ships with Search Guard contains configuration examples for all support modules. Use these examples as a starting point and customize them to your needs.
\ No newline at end of file
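Review bot: the replacement line keeps the phrase "examples for all support modules"; since the line is rewritten anyway, fix it to "all supported modules". The hunk header's "Possible vales for `type`" should read "values", and the file still lacks a trailing newline on both sides of the change.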
......@@ -47,19 +47,19 @@ Where the `${searchguard.version}` and `${elasticsearch.version}` are the Search
A custom HTTPAuthenticator must extend the interface `com.floragunn.searchguard.auth.HTTPAuthenticator`.
The methods to implement are [fully documented in JavaDoc](https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java).
The methods to implement are [fully documented in JavaDoc](https://git.floragunn.com/search-guard/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/HTTPAuthenticator.java).
## Implementing a custom AuthenticationBackend
A custom AuthenticationBackend must extend the interface `com.floragunn.searchguard.auth.AuthenticationBackend`.
The methods to implement are [fully documented in JavaDoc](https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/AuthenticationBackend.java).
The methods to implement are [fully documented in JavaDoc](https://git.floragunn.com/search-guard/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/AuthenticationBackend.java).
## Implementing a custom AuthorisationBackend
A custom AuthorisationBackend must extend the interface `com.floragunn.searchguard.auth.AuthorizationBackend`.
The methods to implement are [fully documented in JavaDoc](https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/AuthorizationBackend.java).
The methods to implement are [fully documented in JavaDoc](https://git.floragunn.com/search-guard/search-guard/blob/master/src/main/java/com/floragunn/searchguard/auth/AuthorizationBackend.java).
## Configuring custom implementations
......
......@@ -126,6 +126,7 @@ Configuration parameter:
| jwt\_url\_parameter | If the token is not transmitted in the HTTP header, but as an URL parameter, define the name of this parameter here. |
| subject_key | The key in the JSON payload that stores the username. If not set, the [subject](https://tools.ietf.org/html/rfc7519#section-4.1.2){:target="_blank"} registered claim is used.|
| roles_key | The key in the JSON payload that stores the user's roles. The value of this key must be a comma-separated list of roles. |
{: .config-table}
Since JSON web tokens are self-contained and the user is authenticated on HTTP level, no additional `authentication_backend` is needed, hence it can be set to `noop`.
......
......@@ -83,6 +83,7 @@ If this key is not set, or null, then the DN of the LDAP entry is used.
| userbase | Specifies the subtree in the directory where user information is stored |
| usersearch | The actual LDAP query that Search Guard executes when trying to authenticate a user. The variable {0} is substituted with the username.|
| username_attribute | Search Guard uses this attribute of the directory entry to look for the user name. If set to null, the DN is used (default). If this references a multi-value field it is undefined which value will be used. It's therefore not recommended to set it to a multi-value field.|
{: .config-table}
### Complete authentication example
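Review bot: the `usersearch` row says `{0}` is substituted with the username but not whether the value is escaped first; state that the username is escaped as an LDAP filter value (RFC 4515) before substitution, or, if it is not, warn that login names containing filter metacharacters change the meaning of the query. Nit in the same hunk: the `userbase` and `usersearch` descriptions lack the trailing period the third row has.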
......
......@@ -129,6 +129,7 @@ If your LDAP entries have a lot of attributes, you may want to control which att
|---|---|
| custom\_attr\_whitelist | String array, specifies the LDAP attributes that should be made available for variable substitution. |
| custom\_attr\_maxval\_len | Integer, specifies the maximum allowed length of each attribute. All attributes longer than this value will be discarded. A value of `0` will disable custom attributes altogether. Default: 36 |
{: .config-table}
Example:
......@@ -216,6 +217,7 @@ For more details refer to https://technet.microsoft.com/en-us/library/cc978012.a
| rolesearch_enabled | Boolean, enable or disable the role search, default: true. |
| custom\_attr\_whitelist | String array, specifies the LDAP attributes that should be made available for variable substitution. |
| custom\_attr\_maxval\_len | Integer, specifies the maximum allowed length of each attribute. All attributes longer than this value will be discarded. A value of `0` will disable custom attributes altogether. Default: 36 |
{: .config-table}
### Complete authorization example
......
......@@ -78,6 +78,7 @@ You can configure more than one servers here. If Search Guard cannot connect to
| Name | Description |
|---|---|
| hosts | Host and port of your LDAP server(s). Hostnames and IPs are allowed, and you can define multiple LDAP servers. |
{: .config-table}
### Bind DN and password
......@@ -96,6 +97,7 @@ These are basically the credential you are using to authenticate against your se
|---|---|
| bind_dn | The DN to use when connecting to LDAP. If anonymous auth is allowed, can be set to null |
| password | The password to use when connecting to LDAP. If anonymous auth is allowed, can be set to null |
{: .config-table}
### TLS settings
......@@ -116,6 +118,7 @@ config:
| enable\_ssl\_client\_auth | Whether to send the client certificate to the LDAP server or not. |
| verify\_hostnames | Whether to verify the hostnames of the server's TLS certificate or not (default: true). If you have a running cluster with hostname verification enabled (the default) and you like to switch it off you need to restart all nodes after you applied the config.|
| trust\_all | Whether to verify the hostnames and the LDAP server certificate (default false). If you have a running cluster and you like to enable trust all you need to restart all nodes after you applied the config.|
{: .config-table}
### Certificate validation
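Review bot: the `trust_all` description "Whether to verify the hostnames and the LDAP server certificate (default false)" reads as though `true` enables verification, while the key name says the opposite: `true` skips both the certificate and the hostname check. Reword to "Whether to skip verification of the LDAP server certificate and its hostname (default: false)" and add that enabling it leaves the connection open to interception, so it is for testing only.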
......@@ -151,6 +154,7 @@ config:
|---|---|
| pemtrustedcas\_filepath | Absolute path to the PEM file containing the root CA(s) of your Active Directory / LDAP server |
| pemtrustedcas\_content | The root CA content of your Active Directory / LDAP server. Cannot be used when `pemtrustedcas\_filepath` is set. |
{: .config-table}
### Client authentication
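Review bot: inside a code span the backslash in `pemtrustedcas\_filepath` is rendered literally, so the `pemtrustedcas_content` row points at a key name that does not exist; write `pemtrustedcas_filepath` unescaped inside the backticks (escaping underscores in the first column is fine because it sits outside a code span).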
......@@ -189,6 +193,7 @@ config:
| pemkey\_password | The password of your private key, if any. |
| pemcert_filepath | Absolute path to the the client certificate. |
| pemcert_content | The content of the client certificate. Cannot be used when `pemcert_filepath` is set. |
{: .config-table}
### Enabled ciphers and protocols
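Review bot: "Absolute path to the the client certificate" has a doubled "the".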
......@@ -213,7 +218,7 @@ ldap:
|---|---|
| enabled\_ssl\_ciphers | Array, enabled TLS ciphers. Only Java format is supported. |
| enabled\_ssl\_protocols | Array, enabled TLS protocols. Only Java format is supported. |
{: .config-table}
By default Search Guard disables `TLSv1` because it is unsecure.
{: .note .js-note .note-warning}
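Review bot: "because it is unsecure" should be "insecure". The note would also be more useful if it listed which protocols remain enabled by default, so operators know whether they need to set `enabled_ssl_protocols` explicitly.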
......
......@@ -61,6 +61,7 @@ Configuration parameters:
| jwt\_url\_parameter | If the token is not transmitted in the HTTP header, but as an URL parameter, define the name of this parameter here. Optional.|
| subject_key | The key in the JSON payload that stores the user's name. If not defined, the [subject](https://tools.ietf.org/html/rfc7519#section-4.1.2) registered claim is used. Most IdP providers use the `preferred_username` claim. Optional.|
| roles_key | The key in the JSON payload that stores the user's roles. The value of this key must be a comma-separated list of roles. Mandatory only if you want to use roles in the JWT.|
{: .config-table}
## OpenID connect URL
......@@ -151,6 +152,7 @@ config:
|---|---|
| enable_ssl | Whether to use TLS or not. Default: false |
| verify\_hostnames | Whether to verify the hostnames of the IdP's TLS certificate or not. Default: true |
{: .config-table}
### Certificate validation
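Review bot: `enable_ssl` defaulting to `false` means the connection to the IdP, over which the OpenID metadata and the signing keys used to validate tokens are fetched, is plain HTTP unless the operator changes it. The table should state plainly that production deployments must set this to `true`, and that the `verify_hostnames` row below it only takes effect once `enable_ssl` is on.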
......@@ -172,11 +174,11 @@ config:
...
```
| Name | Description |
|---|---|
| pemtrustedcas\_filepath | Absolute path to the PEM file containing the root CA(s) of your IdP |
| pemtrustedcas\_content | The root CA content of your IdP. Cannot be used when `pemtrustedcas_filepath` is set. |
{: .config-table}
### TLS client authentication
......@@ -214,6 +216,7 @@ config:
| pemkey\_filepath | Absolute path to the file containing the private key of the client certificate. |
| pemkey\_content | The content of the private key of your client certificate. Cannot be used when `pemkey_filepath` is set. |
| pemkey\_password | The password of your private key, if any. |
{: .config-table}
### Enabled ciphers and protocols
......@@ -223,7 +226,7 @@ You can limit the allowed ciphers and TLS protocols by using the following keys:
|---|---|
| enabled\_ssl\_ciphers | Array, enabled TLS cipher suites. Only Java format is supported. |
| enabled\_ssl\_protocols | Array, enabled TLS protocols. Only Java format is supported. |
{: .config-table}
## Expert: DOS protection
......@@ -233,6 +236,7 @@ In theory it is possible to DOS attack an OpenID based infrastructure by sending
|---|---|
| refresh\_rate\_limit\_count | The maximum number of unknown key ids in the time window. Default: 10 |
| refresh\_rate\_limit\_time\_window\_ms | The time window to use when checking the maximum number of unknown key ids, in milliseconds. Default: 10000 |
{: .config-table}
## Kibana Single Sign On
......
......@@ -50,6 +50,7 @@ You can configure the following settings:
| searchguard.dynamic.http.xff.enabled | Boolean, Enable or disable proxy support. Default: false |
| searchguard.dynamic.http.xff.internalProxies | A regular expression containing the IP addresses of all trusted proxies. |
| searchguard.dynamic.http.xff.remoteIpHeader | String, name of the HTTP header field where the chain of hostnames are stored. Default: `x-forwarded-for` |
{: .config-table}
In order to determine if a request comes from a trusted internal proxy, Search Guard compares the remote address of the HTTP request with the list of configured internal proxies. If the remote address is not in the list of trusted proxies, it is treated like a client request. Proxy authentication will not work in this case.
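Review bot: the `internalProxies` row says "A regular expression containing the IP addresses" but gives no guidance on writing it safely; since every remote address matching this pattern is trusted to supply the client address via the `remoteIpHeader`, an unanchored pattern or an unescaped `.` (which matches any character) extends that trust to more hosts than intended. Suggest showing an anchored, escaped form such as `^10\.0\.0\.1$` (constructed example) and noting that the value is matched as a regex, not compared as a list.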
......@@ -76,7 +77,7 @@ proxy_auth_domain:
| user_header | String, The HTTP header field containing the authenticated username. Default: `x-proxy-user` |
| roles_header | String, The HTTP header field containing the comma separated list of authenticated role names. Roles found in this header field will be used as backend roles and can be used to [map the user to Search Guard roles](../_docs_roles_permissions/configuration_roles_mapping.md). Default: `x-proxy-roles` |
| roles_separator | String, the separator for roles. Default: "," |
{: .config-table}
## Example
......@@ -114,7 +115,6 @@ http {
The corresponding minimal sg_config.yml looks like:
```
---
_sg_meta:
type: "config"
config_version: 2
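Review bot: this snippet is opened with a bare triple-backtick fence, while the other sg_config.yml excerpt in this file (and the anonymous-auth page in this merge) tags its fence with `yaml`; tag this one too so the snippet is highlighted consistently.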
......@@ -161,7 +161,6 @@ Authentication Proxy -> Kibana -> Search Guard
In this case the remote address of the HTTP call is the IP of Kibana, because it sits directly in front of Search Guard. Therefore you need to add the IP of Kibana to the list of internal proxies:
```yaml
---
_sg_meta:
type: "config"
config_version: 2
......