opendistro-for-elasticsearch/kibana-reports

pdf/png reporting broken when using proxy authentication in kibana

ccottam opened this issue · 2 comments

When using kibana with the opendistro kibana security plugin in proxy auth mode, pdf and png reports fail to generate. CSV reports still work.

As far as I can tell, to generate a report, the security_authentication cookie is passed to the headless chrome instance to allow it to authenticate against kibana.
But when in proxy auth mode the security_authentication cookie isn't the authentication method in use in kibana.

Could you share more details of your case? What is the authentication method you use? We are passing a security_authentication cookie, yes, which comes from the ODFE security plugin.

We've got the opendistro security plugin in proxy auth mode, e.g. https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/proxy/

kibana.yml

elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user"]
opendistro_security.auth.type: "proxy"
opendistro_security.proxycache.user_header: "x-proxy-user"

We're authenticating the user in front of kibana, then passing the username via a header through to kibana to be authorized via the built-in roles + rolesmappings.

From tcpdump running in the kibana container.
My request for a report to the reporting API:

POST /api/reporting/generateReport?timezone=Europe/London HTTP/1.0
x-proxy-user: 515197f1-6906-4f72-9253-9bd553f97a82
X-Forwarded-For: 172.17.0.161
Host: kibana:5601
Connection: close
Content-Length: 1904
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: */*
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.6
Accept-Encoding: gzip, deflate
Referer: http://localhost/app/visualize
Content-Type: application/json
kbn-version: 7.10.2
pragma: no-cache
Origin: http://localhost
DNT: 1
Cookie: security_preferences=Fe26.2**43e00cfb150555cebaba3ba0a67a52c2a7428f64ec8a55228c92c5a2c2fce17e*Eo5rOj3o1ynV-9ui2vqD7g*LVJTDbIQuAjHW55_AzZnN8s-8D--1ASqYr6y7fJF8GEPCKXJifWFXnwf_Bgnc3hi**a0b3b3247d258d1d040316fe031489645f43ea6c1d61161d5a9c2428d77812b2*eyhIQac3ygzcyRaBxSJRppCm62sLTWYaPOw-rO9w-D4; security_authentication=Fe26.2**8d29a410846eac517e1297b44d529787b2ad3202696c72f5efc62b781b4bf387*W2ZWKYjNbc2lA57zFpwIBQ*wuRuObjTDdP3jU6UFaPUZgqd-G49FU04rM9rXlWb66VFg6shTa8m2i8mtJsd7eJscpuyaq8TWKk8NubLj7FCGsVhXxZDGrTmsmww3a1lOYuMjSjS2Ln9epZdCa0ieoJa71l8dNopxveIamPbs3Oil6JN3107Bz4ebB4aRUWm_4CeDRE0ABcwvZKFEaW6vxNVNnE7n2E7IKHflRXade-bWpDLkM80rm2xNDlv0CD4IpGMRFfMbJdBh6uYouu25Dq-**f5d01e926f1be020aef32e0b1757729283fc6ad58b23f3d036a0771f938767a8*JiYHXNqmdxiQaCXNPJZlBhNIYOCOO0b8wFDh3ZWNQ2c

Then the internal request from the headless chrome, without the x-proxy-user header, which gets rejected with a 401 Unauthorized:

GET /app/visualize?security_tenant=global HTTP/1.1
Host: 0.0.0.0:5601
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/77.0.3844.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: security_authentication=Fe26.2**8d29a410846eac517e1297b44d529787b2ad3202696c72f5efc62b781b4bf387*W2ZWKYjNbc2lA57zFpwIBQ*wuRuObjTDdP3jU6UFaPUZgqd-G49FU04rM9rXlWb66VFg6shTa8m2i8mtJsd7eJscpuyaq8TWKk8NubLj7FCGsVhXxZDGrTmsmww3a1lOYuMjSjS2Ln9epZdCa0ieoJa71l8dNopxveIamPbs3Oil6JN3107Bz4ebB4aRUWm_4CeDRE0ABcwvZKFEaW6vxNVNnE7n2E7IKHflRXade-bWpDLkM80rm2xNDlv0CD4IpGMRFfMbJdBh6uYouu25Dq-**f5d01e926f1be020aef32e0b1757729283fc6ad58b23f3d036a0771f938767a8*JiYHXNqmdxiQaCXNPJZlBhNIYOCOO0b8wFDh3ZWNQ2c
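The failure described in this thread comes down to which credential the headless browser replays: in proxy mode the security plugin authenticates by the configured user header, not by the security_authentication cookie, so a browser request carrying only the cookie gets the 401 seen above. As an added example (not kibana-reports code), the following JavaScript parses the two captures, checks which of them the plugin would accept in proxy mode, and builds the header set the browser would need to forward; the function names, the config object shape and the shortened sample requests are assumptions.

```javascript
// Added example, not kibana-reports code: which headers must the headless browser
// replay for the security plugin to accept its page request? Names and samples are assumed.

// Parse a captured request's header block into a lowercase-keyed map;
// the Cookie header is split into individual cookies.
function parseRawHeaders(raw) {
  const headers = { cookie: {} };
  for (const line of raw.split('\n')) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // request line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name !== 'cookie') { headers[name] = value; continue; }
    for (const pair of value.split(';')) {
      const eq = pair.indexOf('=');
      if (eq > 0) headers.cookie[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
    }
  }
  return headers;
}

// In proxy mode the plugin authenticates by the configured user header,
// not by the security_authentication cookie.
function wouldAuthenticate(req, config) {
  if (config['opendistro_security.auth.type'] !== 'proxy') return Boolean(req.cookie.security_authentication);
  return Boolean(req[config['opendistro_security.proxycache.user_header'].toLowerCase()]);
}

// Headers the headless browser should replay from the report request.
function headersForHeadlessBrowser(req, config) {
  const forwarded = {};
  if (req.cookie.security_authentication) forwarded.Cookie = `security_authentication=${req.cookie.security_authentication}`;
  if (config['opendistro_security.auth.type'] !== 'proxy') return forwarded;
  const userHeader = config['opendistro_security.proxycache.user_header'];
  const user = req[userHeader.toLowerCase()];
  if (!user) throw new Error(`proxy auth: report request has no ${userHeader} header`);
  forwarded[userHeader] = user;
  // x-forwarded-for is whitelisted in the reporter's kibana.yml; pass it on unchanged.
  if (req['x-forwarded-for']) forwarded['X-Forwarded-For'] = req['x-forwarded-for'];
  return forwarded;
}

// Constructed samples modelled on the two captures in the issue (cookies shortened).
const PROXY_CONFIG = { 'opendistro_security.auth.type': 'proxy',
                       'opendistro_security.proxycache.user_header': 'x-proxy-user' };
const REPORT_REQUEST = ['POST /api/reporting/generateReport?timezone=Europe/London HTTP/1.0',
  'x-proxy-user: 515197f1-6906-4f72-9253-9bd553f97a82', 'X-Forwarded-For: 172.17.0.161',
  'Cookie: security_preferences=PREFS; security_authentication=AUTHCOOKIE'].join('\n');
const HEADLESS_REQUEST = ['GET /app/visualize?security_tenant=global HTTP/1.1',
  'Cookie: security_authentication=AUTHCOOKIE'].join('\n');
```

Running `wouldAuthenticate(parseRawHeaders(HEADLESS_REQUEST), PROXY_CONFIG)` reproduces the rejection, while `headersForHeadlessBrowser(parseRawHeaders(REPORT_REQUEST), PROXY_CONFIG)` yields the header set the browser would need.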