Configura acceso anónimo por fichero (b2b20dd5) · Commits · REDMIC Project / Elastic / Elasticsearch

deploy/config/sg_config.yml

0 → 100644

+221 −0

Original line number	Diff line number	Diff line
		# This is the main Search Guard configuration file where authentication
		# and authorization is defined.
		#
		# You need to configure at least one authentication domain in the authc of this file.
		# An authentication domain is responsible for extracting the user credentials from
		# the request and for validating them against an authentication backend like Active Directory for example.
		#
		# If more than one authentication domain is configured the first one which succeeds wins.
		# If all authentication domains fail then the request is unauthenticated.
		# In this case an exception is thrown and/or the HTTP status is set to 401.
		#
		# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
		# the roles from a given backend for the authenticated user.
		#
		# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
		# http_enabled: true
		# transport_enabled: true
		#
		# 5.x Migration: "enabled: true/false" will also be respected currently but only to provide backward compatibility.
		#
		# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
		# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
		# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous"
		# and one role named "sg_anonymous_backendrole".
		# If you enable anonymous authentication all HTTP authenticators will not challenge.
		#
		#
		# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
		# first and the challenging one last.
		# Because it's not possible to challenge a client with two different authentication methods (for example
		# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
		# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
		#
		# Default value of the challenge flag is true.
		#
		#
		# HTTP
		# basic (challenging)
		# proxy (not challenging, needs xff)
		# kerberos (challenging) NOT FREE FOR COMMERCIAL
		# clientcert (not challenging, needs https)
		# jwt (not challenging) NOT FREE FOR COMMERCIAL
		# host (not challenging) #DEPRECATED, will be removed in a future version.
		# host based authentication is configurable in sg_roles_mapping

		# Authc
		# internal
		# noop
		# ldap NOT FREE FOR COMMERCIAL USE

		# Authz
		# ldap NOT FREE FOR COMMERCIAL USE
		# noop

		searchguard:
		dynamic:
		# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
		# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
		# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
		#filtered_alias_mode: warn
		#kibana:
		# Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
		# see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
		# To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
		#multitenancy_enabled: true
		#server_username: kibanaserver
		#index: '.kibana'
		#do_not_fail_on_forbidden: false
		http:
		anonymous_auth_enabled: true
		xff:
		enabled: false
		internalProxies: '192\.168\.0\.10\|192\.168\.0\.11' # regex pattern
		#internalProxies: '.*' # trust all internal proxies, regex pattern
		remoteIpHeader: 'x-forwarded-for'
		proxiesHeader: 'x-forwarded-by'
		#trustedProxies: '.*' # trust all external proxies, regex pattern
		###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
		###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
		###### and here https://tools.ietf.org/html/rfc7239
		###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
		authc:
		kerberos_auth_domain:
		http_enabled: false
		transport_enabled: false
		order: 6
		http_authenticator:
		type: kerberos # NOT FREE FOR COMMERCIAL USE
		challenge: true
		config:
		# If true a lot of kerberos/security related debugging output will be logged to standard out
		krb_debug: false
		# If true then the realm will be stripped from the user name
		strip_realm_from_principal: true
		authentication_backend:
		type: noop
		basic_internal_auth_domain:
		http_enabled: true
		transport_enabled: true
		order: 4
		http_authenticator:
		type: basic
		challenge: true
		authentication_backend:
		type: intern
		proxy_auth_domain:
		http_enabled: false
		transport_enabled: false
		order: 3
		http_authenticator:
		type: proxy
		challenge: false
		config:
		user_header: "x-proxy-user"
		roles_header: "x-proxy-roles"
		authentication_backend:
		type: noop
		jwt_auth_domain:
		http_enabled: false
		transport_enabled: false
		order: 0
		http_authenticator:
		type: jwt
		challenge: false
		config:
		signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
		jwt_header: "Authorization"
		jwt_url_parameter: null
		roles_key: null
		subject_key: null
		authentication_backend:
		type: noop
		clientcert_auth_domain:
		http_enabled: false
		transport_enabled: false
		order: 2
		http_authenticator:
		type: clientcert
		config:
		username_attribute: cn #optional, if omitted DN becomes username
		challenge: false
		authentication_backend:
		type: noop
		ldap:
		http_enabled: false
		transport_enabled: false
		order: 5
		http_authenticator:
		type: basic
		challenge: false
		authentication_backend:
		# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
		type: ldap # NOT FREE FOR COMMERCIAL USE
		config:
		# enable ldaps
		enable_ssl: false
		# enable start tls, enable_ssl should be false
		enable_start_tls: false
		# send client certificate
		enable_ssl_client_auth: false
		# verify ldap hostname
		verify_hostnames: true
		hosts:
		- localhost:8389
		bind_dn: null
		password: null
		userbase: 'ou=people,dc=example,dc=com'
		# Filter to search for users (currently in the whole subtree beneath userbase)
		# {0} is substituted with the username
		usersearch: '(sAMAccountName={0})'
		# Use this attribute from the user as username (if not set then DN is used)
		username_attribute: null
		authz:
		roles_from_myldap:
		http_enabled: false
		transport_enabled: false
		authorization_backend:
		# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
		type: ldap # NOT FREE FOR COMMERCIAL USE
		config:
		# enable ldaps
		enable_ssl: false
		# enable start tls, enable_ssl should be false
		enable_start_tls: false
		# send client certificate
		enable_ssl_client_auth: false
		# verify ldap hostname
		verify_hostnames: true
		hosts:
		- localhost:8389
		bind_dn: null
		password: null
		rolebase: 'ou=groups,dc=example,dc=com'
		# Filter to search for roles (currently in the whole subtree beneath rolebase)
		# {0} is substituted with the DN of the user
		# {1} is substituted with the username
		# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
		rolesearch: '(member={0})'
		# Specify the name of the attribute which value should be substituted with {2} above
		userroleattribute: null
		# Roles as an attribute of the user entry
		userrolename: disabled
		#userrolename: memberOf
		# The attribute in a role entry containing the name of that role, Default is "name".
		# Can also be "dn" to use the full DN as rolename.
		rolename: cn
		# Resolve nested roles transitive (roles which are members of other roles and so on ...)
		resolve_nested_roles: true
		userbase: 'ou=people,dc=example,dc=com'
		# Filter to search for users (currently in the whole subtree beneath userbase)
		# {0} is substituted with the username
		usersearch: '(uid={0})'
		# Skip users matching a user name, a wildcard or a regex pattern
		#skip_users:
		# - 'cn=Michael Jackson,ou*people,o=TEST'
		# - '/\S*/'
		roles_from_another_ldap:
		enabled: false
		authorization_backend:
		type: ldap # NOT FREE FOR COMMERCIAL USE
		#config goes here ...

deploy/docker-compose.es6-1.tmpl.yml

+9 −1

Original line number	Diff line number	Diff line
		@@ -26,7 +26,6 @@ services:
		- searchguard.ssl.http.pemcert_filepath=certs/node.pem
		- searchguard.ssl.http.pemkey_filepath=certs/node.key
		- searchguard.ssl.http.pemtrustedcas_filepath=certs/root-ca.pem
		- searchguard.dynamic.http.anonymous_auth_enabled=true
		networks:
		elastic-net:
		aliases:
		@@ -80,6 +79,11 @@ services:
		mode: 0600
		uid: '1000'
		gid: '1000'
		- source: sg-config
		target: /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml
		mode: 0600
		uid: '1000'
		gid: '1000'
		deploy:
		mode: replicated
		replicas: 1
		@@ -141,3 +145,7 @@ configs:
		sg-users:
		name: ${SG_USERS_NAME:-sg-users}
		file: ./config/sg_internal_users.yml

		sg-config:
		name: ${SG_CONFIG_NAME:-sg-config}
		file: ./config/sg_config.yml