在Kibana Open发行版中设置JWT身份验证 [英] Setting JWT authentication in Kibana Opendistro
本文介绍了在Kibana Open发行版中设置JWT身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试为运行在Docker上的Opendio1.13.1中的Kibana设置JWT身份验证。我的docker-compose.yml文件是:
version: '3'
services:
odfe-node1:
image: amazon/opendistro-for-elasticsearch:1.13.1
container_name: odfe-node1
environment:
- cluster.name=odfe-cluster
- node.name=odfe-node1
- discovery.seed_hosts=odfe-node1,odfe-node2
- cluster.initial_master_nodes=odfe-node1,odfe-node2
- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
- "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
hard: 65536
volumes:
- odfe-data1:/usr/share/elasticsearch/data
- ./config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
ports:
- 9200:9200
- 9600:9600 # required for Performance Analyzer
networks:
- odfe-net
odfe-node2:
image: amazon/opendistro-for-elasticsearch:1.13.1
container_name: odfe-node2
environment:
- cluster.name=odfe-cluster
- node.name=odfe-node2
- discovery.seed_hosts=odfe-node1,odfe-node2
- cluster.initial_master_nodes=odfe-node1,odfe-node2
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- odfe-data2:/usr/share/elasticsearch/data
- ./config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
networks:
- odfe-net
kibana:
image: amazon/opendistro-for-elasticsearch-kibana:1.13.1
container_name: odfe-kibana
ports:
- 5601:5601
expose:
- "5601"
volumes:
- ./kibana.yml:/usr/share/kibana/config/kibana.yml
environment:
ELASTICSEARCH_URL: https://odfe-node1:9200
ELASTICSEARCH_HOSTS: https://odfe-node1:9200
networks:
- odfe-net
volumes:
odfe-data1:
odfe-data2:
networks:
odfe-net:
我的config.yml文件包含以下部分:
jwt_auth_domain:
enabled: true
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "oeRaYY7Wo24sDqKSX3IM9ASGmdGPmkTd9jo1QTy4b7P9Ze5_9hKolVX8xNrQDcNRfVEdTZNOuOyqEGhXEbdJI-ZQ19k_o9MI0y3eZN2lp9jow55FfXMiINEdt1XR85VipRLSOkT6kSpzs2x-jbLDiz9iFVzkd81YKxMgPA7VfZeQUm4n-mOmnWMaVX30zGFU4L3oPBctYKkl4dYfqY>
jwt_header: "Authorization"
jwt_url_parameter: null
roles_key: "roles"
subject_key: "sub"
authentication_backend:
type: noop
kibana.yml为:
server.name: kibana
server.host: "0"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.auth.type: "jwt"
opendistro_security.cookie.secure: false
newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false
最后,在生成有效的身份验证令牌后,我在Postman上执行了对客户端的GET请求:
{
"info": {
"_postman_id": "7bb92352-26c3-4e1d-b64a-c312b5cea23a",
"name": "kibana",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
},
"item": [
{
"name": "test",
"request": {
"auth": {
"type": "oauth2",
"oauth2": [
{
"key": "clientSecret",
"value": "2da2cec1-a347-4d9d-8060-86176d28c162",
"type": "string"
},
{
"key": "tokenType",
"value": "Bearer",
"type": "string"
},
{
"key": "accessToken",
"value": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJDczhvVkJrVFRnR2NGdHNzQzE3V19DRVFUQzNPSjhwSy1oS1ppMGNHNHFVIn0.eyJleHAiOjE2MTcxOTkzMjQsImlhdCI6MTYxNzE5OTAyNCwianRpIjoiMGRmMjQyNDUtZDRkOC00MDAyLWEwYWItNjRmMGQyNDBkNzhkIiwiaXNzIjoiaHR0cDovLzEwLjEwLjI1Mi44NC9hdXRoL3JlYWxtcy9raWJhbmEiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiN2ZmODQwNzAtM2M5OS00ZTVkLTlmNDEtODBhNzkxMTY0MWQwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2liYW5hLWp3dCIsInNlc3Npb25fc3RhdGUiOiIzNjE1ZTYzMy1lYjRjLTRhOTQtYjI5MC0yNDAyMTI4MWE1ZDMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly8xMC4xMC4yNTIuODQiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.du_i-IXhReYGzUzKJ2jNto5jBl75pA9ShZ968DjpggK9CT8DUMVm6lCwqYo38h231ouPtALGj1Lpk_YWy7HZKX5gmZvfredIwPZw7TEeMHbw2Q_B7uu8zPrD6Be6oLmcogbchMWG9CxNwrUdN1igqnZ6OWl-6l7RQCpb8KPvzCugnzwwyk6fXpNsWSDm9HliHC66FVb-6evYdB1V_xWrCZoUvMVLIG3G0W7ojdTjVEX_t8EgvMNwZeIcyzDY1kjvJhr7ORRX8SYi0mxJQgZuqHrSV63ssWpzUXvK9BSlgEbMfMJSIqZdVDzQil7eg3IKVv6CziEk0L08-6gGSg66cg",
"type": "string"
},
{
"key": "accessTokenUrl",
"value": "http://10.10.252.84/auth/realms/kibana/protocol/openid-connect/token",
"type": "string"
},
{
"key": "password",
"value": "admin",
"type": "string"
},
{
"key": "username",
"value": "admin",
"type": "string"
},
{
"key": "clientId",
"value": "kibana-jwt",
"type": "string"
},
{
"key": "tokenName",
"value": "Kibana Token",
"type": "string"
},
{
"key": "scope",
"value": "openid",
"type": "string"
},
{
"key": "grant_type",
"value": "password_credentials",
"type": "string"
},
{
"key": "addTokenTo",
"value": "header",
"type": "string"
}
]
},
"method": "GET",
"header": [],
"url": {
"raw": "http://10.10.252.102:5601",
"protocol": "http",
"host": [
"10",
"10",
"252",
"102"
],
"port": "5601"
}
},
"response": []
}
]
}
对此的响应是以下错误消息:
{
"statusCode": 401,
"error": "Unauthorized",
"message": "Authorization error"
}
有人能找出我做错了什么吗?
推荐答案
是否可以尝试将令牌添加为URL参数?通过将以下内容添加到您的kibana.yml
opendistro_security.jwt.url_param: jwttoken
然后尝试像http://localhost:5601/jwttoken=<;your_jwt>;
一样访问Kibana甚至您也可以在kibana.yml中尝试以下配置(因为下面的配置对我有效)
server.name: kibana
server.port: 5601
server.host: "127.0.0.1"
elasticsearch.url: https://127.0.0.1:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.auth.type: "jwt"
opendistro_security.jwt.url_param: jwttoken
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
....
另外,请确保您每次更新config.yml中的内容时都在运行security-admin.sh,否则安全索引将无法获取新更改。
编辑: 另外,在opendio7安全性方面,我注意到我们不需要将enable:true作为config.yml文件中JWT配置的一部分。
这篇关于在Kibana Open发行版中设置JWT身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
