The Practical Benefits of a Unified Elasticsearch and Kibana Installation
Benefits of a Unified Elasticsearch & Kibana Setup from a Businesses standpoint
This is a really quick bunch of notes on how to get an experimental SAML IdP to work with ROR Enterprise for quick testing or product evaluation.
Run Keycloak
Download Keycloak (this was tested with version 16.1.0).
Unpack it locally in a folder.
Then run the standalone server like so:
bin/standalone -b 0.0.0.0Keycloak configuration
The administrative UI is under this URL:
If you can’t log in because you forgot the credentials, reset the admin password:
./bin/add-user-keycloak.sh -r master -u admin -p adminYou have to create:
- A
rorrealm
- With a
rorclient of type SAML
With roughly these settings:
Make sure you have users inside the ror SAML client
Click on the “
ror” name and make sure you have at least a user associated to it
Certificate setup
Copy the certificate base64 representation as a string, and dump it into the
kibana.yml file in the “cert” field.
Now you should be able to run Kibana with ReadonlyREST Enterprise
Configuring ReadonlyREST
Make sure you have a running ELK stack, with ReadonlyREST Enterprise installed in Kibana and ReadonlyREST Free installed in Elasticsearch.
This is a configuration example is straight from development environment. It assumes Kibana and Keycloak run in localhost. Make sure yours is similar to this for the “auth” part:
readonlyrest_kbn: cookiePass: '12312313123213123213123adadasdasdasd' logLevel: 'trace' clearSessionOnEvents: [login, tenancyHop] auth: signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf" saml_kc: buttonName: "KeyCloak SAML SSO" enabled: true type: "saml" issuer: "ror" entryPoint: "http://localhost:8080/auth/realms/ror/protocol/saml" kibanaExternalHost: 'localhost:5601' protocol: "https" usernameParameter: "nameID" groupsParameter: "Role" logoutUrl: "http://localhost:8080/auth/realms/ror/protocol/saml" cert: "MIIClTCCAX0CBgGAkyzPIDANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANyb3IwHhcNMjIwNTA1MDc0MjA5WhcNMzIwNTA1MDc0MzQ5WjAOMQwwCgYDVQQDDANyb3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCigkWUUB/kHBe76u6CxDK/W2kbqCfcZbWrCrMpQH5ESQC5YqG/WzObusaw5lWiGThzqJPFVXxbDnS+uh56ROw27TpxsSMwgyD2GpW42yl2G0Jrf3HYKskmFnrcy2PMTml8DbyGC3v59RRxVv2XR32cE3BeiID4WFhIcsWjrKTjB+0U+rhrocRXG+dalxiT0dyE1wgwkcEGCZu8vnKRYmC5sazw9xDWAZVcN+SKQweRMWu4ZO6TcrtIERT8NrswUlqij0c1VbmmC3qraK5Lmfn8QCE7ZDH17o8n8HyGBoETnQUHcfL9fFHF/cD/+CnjWocBAX0rjLBnl5S3IuaWT78xAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIgtUSteWw6ZVlpfV5ATkF1o9ZPcJj4KZ+BNfcB5UIcCPCONvO3GiHskCbHTSFSFtBEaxe1mLb2MEptqG0OVDOUtZtoOqWIc2KIObzkgBtOmLmt/modDlRbTzeoNwV4oiwz36VvoY1urxJYglUzQMQVJhEYPw5sxb/Yxj/4nUSgtF9ohVsEJCa0N+WSSykT87M1Afm/kKOO8hS7iGv7+SpSHfAXKQBHXQ4cLOuLoAs6OPPO0/U+XTdvEchXIrh24VPJAG+i5Y/kPkFbQciw8ULpMmwCSWH8W5vXAUfQMSJ47UkfD3TpzAZKNeSVGtwWv6i0EUrpXoPNC/+yuPuTWoQg="
And the
readonlyrest.yml (on the Elasticsearch side) should contain a ror_kbn definition and a specific ACL block using it.readonlyrest: access_control_rules: - name: "ReadonlyREST Enterprise instance #1" kibana_index: ".kibana_external_auth" ror_kbn_auth: name: "kbn1" ror_kbn: - name: kbn1 signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"
Notice
signature_key fields have the same random value in both YAML files, so they share a secret and can validate the requests.In action
Related Posts
The Rise of SAML: Practical Advantages Over LDAP for Enhanced Security
SAML authentication offers enhanced security and user experience over traditional LDAP providing businesses with a robust and agile authentication solution. Dive into the practical advantages of SAML for modern enterprises.
Setting up ReadonlyREST
In this blog post we will show how to install ReadonlyREST security plugin for Elasticsearch and Kibana int the most basic way.