Merge branch 'feature-search-guard' into 'feature-v6.5.x'

  artifacts:

    paths: [gl-sast-container-report.json]

deploy-supporting-branch-develop:

deploy-es6-1-supporting-branch-develop:

  stage: deploy

  image: registry.gitlab.com/redmic-project/docker/docker-deploy:latest

  variables:

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-1.tmpl.yml:docker-compose.es6-1.dev.yml

    SG_ADMIN_DN: ${DEV_SG_ADMIN_DN}

    SG_NODE_1_DN: ${DEV_SG_NODE_1_DN}

    SG_NODE_2_DN: ${DEV_SG_NODE_2_DN}

    SG_NODE_3_DN: ${DEV_SG_NODE_3_DN}

    CA_PEM: ${DEV_CA_PEM}

    CA_KEY: ${DEV_CA_KEY}

    ADMIN_PEM: ${DEV_ADMIN_PEM}

    ADMIN_KEY: ${DEV_ADMIN_KEY}

    ADMIN_CSR: ${DEV_ADMIN_CSR}

    NODE_PEM: ${DEV_NODE_1_PEM}

    NODE_KEY: ${DEV_NODE_1_KEY}

    NODE_CSR: ${DEV_NODE_1_CSR}

    SG_USERS: ${DEV_SG_USERS}

    S3_ACCESS_KEY: ${DEV_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${DEV_S3_SECRET_KEY}

  script:

    - deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${ADMIN_PEM}" > "deploy/certs/admin.pem"

    - echo "${ADMIN_KEY}" > "deploy/certs/admin.key"

    - echo "${ADMIN_CSR}" > "deploy/certs/admin.csr"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - echo "${SG_USERS}" > "deploy/config/sg_internal_users.yml"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} SG_ADMIN_DN=${SG_ADMIN_DN}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: dev

  only:

    - branches

  except:

    - master

  when: manual

deploy-es6-2-supporting-branch-develop:

  stage: deploy

  image: registry.gitlab.com/redmic-project/docker/docker-deploy:latest

  variables:

    SSH_REMOTE: ${DEV_SSH_REMOTE}

    STACK: elastic

    SERVICES_TO_CHECK: elastic_es6-2

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-2.tmpl.yml:docker-compose.es6-2.dev.yml

    SG_NODE_1_DN: ${DEV_SG_NODE_1_DN}

    SG_NODE_2_DN: ${DEV_SG_NODE_2_DN}

    SG_NODE_3_DN: ${DEV_SG_NODE_3_DN}

    CA_PEM: ${DEV_CA_PEM}

    CA_KEY: ${DEV_CA_KEY}

    NODE_PEM: ${DEV_NODE_2_PEM}

    NODE_KEY: ${DEV_NODE_2_KEY}

    NODE_CSR: ${DEV_NODE_2_CSR}

    S3_ACCESS_KEY: ${DEV_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${DEV_S3_SECRET_KEY}

  script:

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: dev

  only:

    - branches

  except:

    - master

  when: manual

deploy-es6-3-supporting-branch-develop:

  stage: deploy

  image: registry.gitlab.com/redmic-project/docker/docker-deploy:latest

  variables:

    SSH_REMOTE: ${DEV_SSH_REMOTE}

    STACK: elastic

    SERVICES_TO_CHECK: elastic_es6-3

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-3.tmpl.yml:docker-compose.es6-3.dev.yml

    SG_NODE_1_DN: ${DEV_SG_NODE_1_DN}

    SG_NODE_2_DN: ${DEV_SG_NODE_2_DN}

    SG_NODE_3_DN: ${DEV_SG_NODE_3_DN}

    CA_PEM: ${DEV_CA_PEM}

    CA_KEY: ${DEV_CA_KEY}

    NODE_PEM: ${DEV_NODE_2_PEM}

    NODE_KEY: ${DEV_NODE_2_KEY}

    NODE_CSR: ${DEV_NODE_2_CSR}

    S3_ACCESS_KEY: ${DEV_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${DEV_S3_SECRET_KEY}

  script:

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: dev

  only:

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-1.tmpl.yml:docker-compose.es6-1.dev.yml

    SG_ADMIN_DN: ${DEV_SG_ADMIN_DN}

    SG_NODE_1_DN: ${DEV_SG_NODE_1_DN}

    SG_NODE_2_DN: ${DEV_SG_NODE_2_DN}

    SG_NODE_3_DN: ${DEV_SG_NODE_3_DN}

    CA_PEM: ${DEV_CA_PEM}

    CA_KEY: ${DEV_CA_KEY}

    ADMIN_PEM: ${DEV_ADMIN_PEM}

    ADMIN_KEY: ${DEV_ADMIN_KEY}

    ADMIN_CSR: ${DEV_ADMIN_CSR}

    NODE_PEM: ${DEV_NODE_1_PEM}

    NODE_KEY: ${DEV_NODE_1_KEY}

    NODE_CSR: ${DEV_NODE_1_CSR}

    SG_USERS: ${DEV_SG_USERS}

    S3_ACCESS_KEY: ${DEV_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${DEV_S3_SECRET_KEY}

  script:

    - deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${ADMIN_PEM}" > "deploy/certs/admin.pem"

    - echo "${ADMIN_KEY}" > "deploy/certs/admin.key"

    - echo "${ADMIN_CSR}" > "deploy/certs/admin.csr"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - echo "${SG_USERS}" > "deploy/config/sg_internal_users.yml"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} SG_ADMIN_DN=${SG_ADMIN_DN}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: dev

  only:

  stage: deploy

  image: registry.gitlab.com/redmic-project/docker/docker-deploy:latest

  variables:

    SSH_REMOTE: ${PRO_SSH_REMOTE}

    SSH_REMOTE: ${DEV_SSH_REMOTE}

    STACK: elastic

    SERVICES_TO_CHECK: elastic_es6-1

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-1.tmpl.yml:docker-compose.es6-1.prod.yml

    ES_CLOUD_AWS_S3_ACCESS_KEY: ${PRO_AWS_ACCESS_KEY_ID}

    ES_CLOUD_AWS_S3_SECRET_KEY: ${PRO_AWS_SECRET_ACCESS_KEY}

    SG_ADMIN_DN: ${PRO_SG_ADMIN_DN}

    SG_NODE_1_DN: ${PRO_SG_NODE_1_DN}

    SG_NODE_2_DN: ${PRO_SG_NODE_2_DN}

    SG_NODE_3_DN: ${PRO_SG_NODE_3_DN}

    CA_PEM: ${PRO_CA_PEM}

    CA_KEY: ${PRO_CA_KEY}

    ADMIN_PEM: ${PRO_ADMIN_PEM}

    ADMIN_KEY: ${PRO_ADMIN_KEY}

    ADMIN_CSR: ${PRO_ADMIN_CSR}

    NODE_PEM: ${PRO_NODE_1_PEM}

    NODE_KEY: ${PRO_NODE_1_KEY}

    NODE_CSR: ${PRO_NODE_1_CSR}

    SG_USERS: ${PRO_SG_USERS}

    S3_ACCESS_KEY: ${PRO_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${PRO_S3_SECRET_KEY}

  script:

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${ADMIN_PEM}" > "deploy/certs/admin.pem"

    - echo "${ADMIN_KEY}" > "deploy/certs/admin.key"

    - echo "${ADMIN_CSR}" > "deploy/certs/admin.csr"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - echo "${SG_USERS}" > "deploy/config/sg_internal_users.yml"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} AWS_REGION=${AWS_REGION}

      ES_CLOUD_AWS_S3_ACCESS_KEY=${ES_CLOUD_AWS_S3_ACCESS_KEY} ES_CLOUD_AWS_S3_SECRET_KEY=${ES_CLOUD_AWS_S3_SECRET_KEY}

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} SG_ADMIN_DN=${SG_ADMIN_DN}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: pro

  only:

  stage: deploy

  image: registry.gitlab.com/redmic-project/docker/docker-deploy:latest

  variables:

    SSH_REMOTE: ${PRO_SSH_REMOTE}

    SSH_REMOTE: ${DEV_SSH_REMOTE}

    STACK: elastic

    SERVICES_TO_CHECK: elastic_es6-2

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-2.tmpl.yml:docker-compose.es6-2.prod.yml

    ES_CLOUD_AWS_S3_ACCESS_KEY: ${PRO_AWS_ACCESS_KEY_ID}

    ES_CLOUD_AWS_S3_SECRET_KEY: ${PRO_AWS_SECRET_ACCESS_KEY}

    SG_NODE_1_DN: ${PRO_SG_NODE_1_DN}

    SG_NODE_2_DN: ${PRO_SG_NODE_2_DN}

    SG_NODE_3_DN: ${PRO_SG_NODE_3_DN}

    CA_PEM: ${PRO_CA_PEM}

    CA_KEY: ${PRO_CA_KEY}

    NODE_PEM: ${PRO_NODE_2_PEM}

    NODE_KEY: ${PRO_NODE_2_KEY}

    NODE_CSR: ${PRO_NODE_2_CSR}

    S3_ACCESS_KEY: ${PRO_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${PRO_S3_SECRET_KEY}

  script:

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} AWS_REGION=${AWS_REGION}

      ES_CLOUD_AWS_S3_ACCESS_KEY=${ES_CLOUD_AWS_S3_ACCESS_KEY} ES_CLOUD_AWS_S3_SECRET_KEY=${ES_CLOUD_AWS_S3_SECRET_KEY}

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: pro

  only:

  stage: deploy

  image: registry.gitlab.com/redmic-project/docker/docker-deploy:latest

  variables:

    SSH_REMOTE: ${PRO_SSH_REMOTE}

    SSH_REMOTE: ${DEV_SSH_REMOTE}

    STACK: elastic

    SERVICES_TO_CHECK: elastic_es6-3

    IMAGE_NAME: ${CI_REGISTRY_IMAGE}

    IMAGE_TAG: ${CI_COMMIT_SHA}

    COMPOSE_FILE: docker-compose.es6-3.tmpl.yml:docker-compose.es6-3.prod.yml

    ES_CLOUD_AWS_S3_ACCESS_KEY: ${PRO_AWS_ACCESS_KEY_ID}

    ES_CLOUD_AWS_S3_SECRET_KEY: ${PRO_AWS_SECRET_ACCESS_KEY}

    SG_NODE_1_DN: ${PRO_SG_NODE_1_DN}

    SG_NODE_2_DN: ${PRO_SG_NODE_2_DN}

    SG_NODE_3_DN: ${PRO_SG_NODE_3_DN}

    CA_PEM: ${PRO_CA_PEM}

    CA_KEY: ${PRO_CA_KEY}

    NODE_PEM: ${PRO_NODE_2_PEM}

    NODE_KEY: ${PRO_NODE_2_KEY}

    NODE_CSR: ${PRO_NODE_2_CSR}

    S3_ACCESS_KEY: ${PRO_S3_ACCESS_KEY}

    S3_SECRET_KEY: ${PRO_S3_SECRET_KEY}

  script:

    - mkdir -p deploy/certs deploy/config

    - echo "${CA_PEM}" > "deploy/certs/root-ca.pem"

    - echo "${CA_KEY}" > "deploy/certs/root-ca.key"

    - echo "${NODE_PEM}" > "deploy/certs/node.pem"

    - echo "${NODE_KEY}" > "deploy/certs/node.key"

    - echo "${NODE_CSR}" > "deploy/certs/node.csr"

    - >

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE} AWS_REGION=${AWS_REGION}

      ES_CLOUD_AWS_S3_ACCESS_KEY=${ES_CLOUD_AWS_S3_ACCESS_KEY} ES_CLOUD_AWS_S3_SECRET_KEY=${ES_CLOUD_AWS_S3_SECRET_KEY}

      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}

      SG_NODE_1_DN=${SG_NODE_1_DN} SG_NODE_2_DN=${SG_NODE_2_DN} SG_NODE_3_DN=${SG_NODE_3_DN}

      S3_ACCESS_KEY=${S3_ACCESS_KEY} S3_SECRET_KEY=${S3_SECRET_KEY}

  environment:

    name: pro

  only:

ARG PARENT_IMAGE_TAG="6.5.1"

ARG PARENT_IMAGE_TAG="6.5.4"

FROM docker.elastic.co/elasticsearch/elasticsearch:${PARENT_IMAGE_TAG}

	network.host="0.0.0.0" \

	bootstrap.memory_lock="true"

RUN ulimit -n 65536 \

	${ES_PATH}/bin/elasticsearch-plugin install --batch repository-s3

RUN ulimit -n 65536 && \

	${ES_PATH}/bin/elasticsearch-plugin install --batch repository-s3 && \

	${ES_PATH}/bin/elasticsearch-plugin install --batch com.floragunn:search-guard-6:6.5.4-24.0

VOLUME [ "${ES_PATH}/data" ]

# Elasticsearch

## Search Guard

### Certificates creation

Search Guard provides a tool, [Search Guard TLS Tool](https://search.maven.org/search?q=a:search-guard-tlstool). Download and extract it.

First, create a yaml file with certificates definition, at `config/example.yml` inside extracted content:

```

ca:

  root:

    dn: CN=root-ca.example.net,O=EXAMPLE

    keysize: 2048

    validityDays: 3650

    pkPassword: none

    file: root-ca.pem

defaults:

  validityDays: 3650

  pkPassword: none

  generatedPasswordLength: 12

  httpsEnabled: true

  reuseTransportCertificatesForHttp: true

nodes:

  - name: node1

    dn: CN=es1.example.net

    dns:

      - elasticsearch-1

      - es-1

  - name: node2

    dn: CN=es2.example.net

    dns:

      - elasticsearch-2

      - es-2

  - name: node3

    dn: CN=es3.example.net

    dns:

      - elasticsearch-3

      - es-3

clients:

  - name: admin

    dn: CN=admin.example.net

    admin: true

```

Then, use it with the script `tools/sgtlstool.sh` and generate the certificates:

```

$ ./sgtlstool.sh -c ../config/example.yml -v -ca

$ ./sgtlstool.sh -c ../config/example.yml -v -csr

$ ./sgtlstool.sh -c ../config/example.yml -v -crt -f -o

```

Your certificates will be generated inside `tools/out` directory.

### Configuration

Before using Search Guard, you must update the content of `/usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml` file, which define the users to be created and its roles.

You can generate the password hashes with a [online tool](https://8gwifi.org/bccrypt.jsp), for example.

```

admin_elastic:

  readonly: true

  hash: $2a...

  roles:

    - admin

kibanaserver:

  readonly: true

  hash: $2a...

```

### Initialization

When using Search Guard at first time, is required to run a script as certified admin, to create the configuration index.

While running, get into container and run the following commands:

```

$ cd /usr/share/elasticsearch/plugins/search-guard-6/tools

$ bash sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl \

	-key /usr/share/elasticsearch/config/certs/admin.key \

	-cert /usr/share/elasticsearch/config/certs/admin.pem \

	-cacert /usr/share/elasticsearch/config/certs/root-ca.pem \

	-nhnv -h localhost

```

## Snapshots

In order to create backups, you must configure a snapshot repository first. Run these command once inside running container:

```

$ echo "${S3_ACCESS_KEY}" | elasticsearch-keystore add --stdin s3.client.default.access_key

$ echo "${S3_SECRET_KEY}" | elasticsearch-keystore add --stdin s3.client.default.secret_key

$ curl -XPOST -u <user>:<pass> 'http://localhost:9200/_nodes/reload_secure_settings'

// This can be run through Kibana console:

// POST _nodes/reload_secure_settings

$ curl -XPUT -u <user>:<pass> 'http://localhost:9200/_snapshot/s3-backup' -d '{

	"type": "s3",

	"settings": {

		"bucket": "redmic.elasticsearch.backup",

		"region": "eu-west-1"

	}

}'

// This can be run through Kibana console:

// PUT _snapshot/s3-backup { ... }

```

# This is the main Search Guard configuration file where authentication

# and authorization is defined.

#

# You need to configure at least one authentication domain in the authc of this file.

# An authentication domain is responsible for extracting the user credentials from

# the request and for validating them against an authentication backend like Active Directory for example.

#

# If more than one authentication domain is configured the first one which succeeds wins.

# If all authentication domains fail then the request is unauthenticated.

# In this case an exception is thrown and/or the HTTP status is set to 401.

#

# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect

# the roles from a given backend for the authenticated user.

#

# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.

#        http_enabled: true

#        transport_enabled: true

#

# 5.x Migration: "enabled: true/false" will also be respected currently but only to provide backward compatibility.

#

# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to

# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.

# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"

# and one role named "sg_anonymous_backendrole".

# If you enable anonymous authentication all HTTP authenticators will not challenge.

#

#

# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"

# first and the challenging one last.

# Because it's not possible to challenge a client with two different authentication methods (for example

# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation

# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.

#

# Default value of the challenge flag is true.

#

#

# HTTP

#   basic (challenging)

#   proxy (not challenging, needs xff)

#   kerberos (challenging) NOT FREE FOR COMMERCIAL

#   clientcert (not challenging, needs https)

#   jwt (not challenging) NOT FREE FOR COMMERCIAL

#   host (not challenging) #DEPRECATED, will be removed in a future version.

#                           host based authentication is configurable in sg_roles_mapping

# Authc

#   internal

#   noop

#   ldap  NOT FREE FOR COMMERCIAL USE

# Authz

#   ldap  NOT FREE FOR COMMERCIAL USE

#   noop

searchguard:

  dynamic:

    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index

    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)

    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently

    #filtered_alias_mode: warn

    #kibana:

      # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE

      # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md

      # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki

      #multitenancy_enabled: true

      #server_username: kibanaserver

      #index: '.kibana'

      #do_not_fail_on_forbidden: false

    http:

      anonymous_auth_enabled: true

      xff:

        enabled: false

        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern

        #internalProxies: '.*' # trust all internal proxies, regex pattern

        remoteIpHeader:  'x-forwarded-for'

        proxiesHeader:   'x-forwarded-by'

        #trustedProxies: '.*' # trust all external proxies, regex pattern

        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help

        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For

        ###### and here https://tools.ietf.org/html/rfc7239

        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

    authc:

      kerberos_auth_domain:

        http_enabled: false

        transport_enabled: false

        order: 6

        http_authenticator:

          type: kerberos # NOT FREE FOR COMMERCIAL USE

          challenge: true

          config:

            # If true a lot of kerberos/security related debugging output will be logged to standard out

            krb_debug: false

            # If true then the realm will be stripped from the user name

            strip_realm_from_principal: true

        authentication_backend:

          type: noop

      basic_internal_auth_domain:

        http_enabled: true

        transport_enabled: true

        order: 4

        http_authenticator:

          type: basic

          challenge: true

        authentication_backend:

          type: intern

      proxy_auth_domain:

        http_enabled: false

        transport_enabled: false

        order: 3

        http_authenticator:

          type: proxy

          challenge: false

          config:

            user_header: "x-proxy-user"

            roles_header: "x-proxy-roles"

        authentication_backend:

          type: noop

      jwt_auth_domain:

        http_enabled: false

        transport_enabled: false

        order: 0

        http_authenticator:

          type: jwt

          challenge: false

          config:

            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"

            jwt_header: "Authorization"

            jwt_url_parameter: null

            roles_key: null

            subject_key: null

        authentication_backend:

          type: noop

      clientcert_auth_domain:

        http_enabled: false

        transport_enabled: false

        order: 2

        http_authenticator:

          type: clientcert

          config:

            username_attribute: cn #optional, if omitted DN becomes username

          challenge: false

        authentication_backend:

          type: noop

      ldap:

        http_enabled: false

        transport_enabled: false

        order: 5

        http_authenticator:

          type: basic

          challenge: false

        authentication_backend:

          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)

          type: ldap # NOT FREE FOR COMMERCIAL USE

          config:

            # enable ldaps

            enable_ssl: false

            # enable start tls, enable_ssl should be false

            enable_start_tls: false

            # send client certificate

            enable_ssl_client_auth: false

            # verify ldap hostname

            verify_hostnames: true

            hosts:

              - localhost:8389

            bind_dn: null

            password: null

            userbase: 'ou=people,dc=example,dc=com'

            # Filter to search for users (currently in the whole subtree beneath userbase)

            # {0} is substituted with the username

            usersearch: '(sAMAccountName={0})'

            # Use this attribute from the user as username (if not set then DN is used)

            username_attribute: null

    authz:

      roles_from_myldap:

        http_enabled: false

        transport_enabled: false

        authorization_backend:

          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)

          type: ldap # NOT FREE FOR COMMERCIAL USE

          config:

            # enable ldaps

            enable_ssl: false

            # enable start tls, enable_ssl should be false

            enable_start_tls: false

            # send client certificate

            enable_ssl_client_auth: false

            # verify ldap hostname

            verify_hostnames: true

            hosts:

              - localhost:8389

            bind_dn: null

            password: null

            rolebase: 'ou=groups,dc=example,dc=com'

            # Filter to search for roles (currently in the whole subtree beneath rolebase)

            # {0} is substituted with the DN of the user

            # {1} is substituted with the username

            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute

            rolesearch: '(member={0})'

            # Specify the name of the attribute which value should be substituted with {2} above

            userroleattribute: null

            # Roles as an attribute of the user entry

            userrolename: disabled

            #userrolename: memberOf

            # The attribute in a role entry containing the name of that role, Default is "name".

            # Can also be "dn" to use the full DN as rolename.

            rolename: cn

            # Resolve nested roles transitive (roles which are members of other roles and so on ...)

            resolve_nested_roles: true

            userbase: 'ou=people,dc=example,dc=com'

            # Filter to search for users (currently in the whole subtree beneath userbase)

            # {0} is substituted with the username

            usersearch: '(uid={0})'

            # Skip users matching a user name, a wildcard or a regex pattern

            #skip_users:

            #  - 'cn=Michael Jackson,ou*people,o=TEST'

            #  - '/\S*/'

      roles_from_another_ldap:

        enabled: false

        authorization_backend:

          type: ldap # NOT FREE FOR COMMERCIAL USE

          #config goes here ...