From 528eff5ef7fefba02d4ad3b5ac278647835f95cd Mon Sep 17 00:00:00 2001
From: "Mihaylov, Miroslav"
Date: Thu, 14 Jan 2021 13:28:11 -0600
Subject: [PATCH 1/7] SSL
---
tasks/kibana-ssl.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tasks/kibana-ssl.yml b/tasks/kibana-ssl.yml
index 92ebd5c..a564713 100644
--- a/tasks/kibana-ssl.yml
+++ b/tasks/kibana-ssl.yml
@@ -80,6 +80,7 @@ stat: path: "{{ kibana_data_dirs }}/kibana.keystore" register: keystore_exists + become: yes - name: Create Kibana keystore become: yes
From 13b804cb062a2de2fd97db01b058bb26386d4ade Mon Sep 17 00:00:00 2001
From: "Mihaylov, Miroslav"
Date: Thu, 14 Jan 2021 15:27:45 -0600
Subject: [PATCH 2/7] Added OIDC integration config
---
README_SSL.md | 54 ++++++++++++++++++++++++++++++++++++++---
defaults/main.yml | 2 ++
templates/kibana.yml.j2 | 10 ++++++++
3 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/README_SSL.md b/README_SSL.md
index b802b2e..69cb6e9 100644
--- a/README_SSL.md
+++ b/README_SSL.md
@@ -48,13 +48,37 @@ server_ssl_key_passphrase: elastic Stores the Kibana username/password in he Kibana keystore instead of the kibana.conf file. `secure_settings: true` +4. Implement OIDC kibana configuration as documented here + [Configuring Kibana](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/oidc-kibana.html) amd + [Set up OpenID Connect with Azure, Google, or Okta](https://www.elastic.co/guide/en/cloud/7.10/ec-securing-clusters-oidc-op.html) + [Secure your clusters with OpenID Connect]( https://www.elastic.co/guide/en/cloud-heroku/7.10/ech-secure-clusters-oidc.html) + +This is controlled via `es_enable_oidc: true` +And will add the following settings to `kibana.yml` +```yaml +xpack.security.authc.providers: + oidc.oidc1: + order: 0 + realm: oidc1 + description: "Log in with my OpenID Connect" + basic.basic1: + order: 1 +``` +If you are using a Kibana instance of version 7.6 or earlier change the settings in your `kibana.yml` to: ```yaml - - name: Simple Example with SSL +xpack.security.authc.providers: [oidc] +xpack.security.authc.oidc.realm: "oidc1" +server.xsrf.whitelist: [/api/security/v1/oidc] +``` +## Here is a sample Playbook with all the variables + +```yaml + - name: Simple Kibana Playbook with SSL enabled hosts: kibana-node roles: - role: fedelemantuano.kibana - es_version: 7.6.2 + es_version: 7.10.1 kibana_api_host: "{{ ansible_default_ipv4.address }}" #Secure communication with Elasticsearch es_enable_http_ssl: true @@ -76,6 +100,7 @@ Stores the Kibana username/password in he Kibana keystore instead of the kibana. secure_settings: true es_user: kibana es_pass: changeme + es_enable_oidc: false kibana_config: server.name: "{{ inventory_hostname }}" server.port: 5601 @@ -86,6 +111,8 @@ Stores the Kibana username/password in he Kibana keystore instead of the kibana. ``` + + ### Debugging tips Check what is stored in the Kibana keystore. 
@@ -96,4 +123,25 @@ server.ssl.keystore.password elasticsearch.username elasticsearch.password [root@kibana-host]# -```
\ No newline at end of file
+``` + +### Removing Kibana + +Use this playbook for removing kibana from RPM based system. +```yaml +- hosts: kibana-node + tasks: + - yum: + name: kibana + state: absent + become: true + - file: + path: "{{item}}" + state: absent + with_items: + - /etc/kibana + - /usr/share/kibana + - /var/lib/kibana + become: true + +```
\ No newline at end of file
diff --git a/defaults/main.yml b/defaults/main.yml
index 88c5690..12908cf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -62,3 +62,5 @@ server_ssl_key: '' server_ssl_key_passphrase: '' #Optionally use the keystore for saving the user/pass secure_settings: false +#Enable OIDC integration +es_enable_oidc: false
\ No newline at end of file
diff --git a/templates/kibana.yml.j2 b/templates/kibana.yml.j2
index ccc6028..28096dd 100644
--- a/templates/kibana.yml.j2
+++ b/templates/kibana.yml.j2
@@ -75,6 +75,16 @@ elasticsearch.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename } elasticsearch.ssl.verificationMode: "{{ es_ssl_verification_mode }}" {% endif %} +#OIDC configuration +{% if es_enable_oidc %} +xpack.security.authc.providers: + oidc.oidc1: + order: 0 + realm: oidc1 + description: "Log in with my OpenID Connect" + basic.basic1: + order: 1 +{% endif %} # Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of # the elasticsearch.requestTimeout setting. #elasticsearch.pingTimeout: 1500
From 02541fb7ca278f78c6abdbbcc3bdb45489938861 Mon Sep 17 00:00:00 2001
From: "Mihaylov, Miroslav"
Date: Mon, 15 Mar 2021 16:15:06 -0500
Subject: [PATCH 3/7] Kibana SSL for 7.11
---
tasks/kibana-ssl.yml | 16 ++++++++--------
templates/kibana.yml.j2 | 2 +-
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/tasks/kibana-ssl.yml b/tasks/kibana-ssl.yml
index a564713..b3958d3 100644
--- a/tasks/kibana-ssl.yml
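Review bot: The new provider block in templates/kibana.yml.j2 hard-codes the realm name (`oidc.oidc1:` and `realm: oidc1`) and the login-button text, so a deployment whose Elasticsearch OIDC realm has any other name gets a provider that can never authenticate, with no role variable to override it. The README hunk in the same commit says that 7.6 and earlier need the older `xpack.security.authc.providers: [oidc]` form, yet the template emits only the 7.7+ form unconditionally, while the role's `es_version` default is still in the 7.6 line at this point (patch 4 below bumps it), so the block produces a config the README itself calls unsupported for that default. I would make the realm a variable with today's value as default, e.g. `realm: "{{ es_oidc_realm | default('oidc1') }}"` (and the same for the `oidc.oidc1:` key), and extend the `#OIDC configuration` comment to state the minimum Kibana version the block targets.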
+++ b/tasks/kibana-ssl.yml 
@@ -78,47 +78,47 @@ #Create KeyStore - name: Check that Kibana keystore exists stat: - path: "{{ kibana_data_dirs }}/kibana.keystore" + path: "{{ conf_dir }}/kibana.keystore" register: keystore_exists become: yes - name: Create Kibana keystore become: yes - shell: "{{ kibana_home }}/bin/kibana-keystore create --allow-root" + shell: "{{ kibana_home }}/bin/kibana-keystore create" when: not keystore_exists.stat.exists ignore_errors: yes #Set keystore or certificate passwords - name: Set Elasticsearch SSL Keystore Password become: yes - shell: echo "{{ es_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keystore.password --allow-root + shell: echo "{{ es_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keystore.password when: es_ssl_keystore_password and copy_es_keystore.changed ignore_errors: yes - name: Set Elasticsearch SSL Key Passphrase become: yes - shell: echo "{{ es_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keyPassphrase --allow-root + shell: echo "{{ es_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.ssl.keyPassphrase when: es_ssl_key_passphrase and copy_es_certificates.changed ignore_errors: yes - name: Set Kibana Server SSL Keystore Password become: yes - shell: echo "{{ server_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keystore.password --allow-root + shell: echo "{{ server_ssl_keystore_password }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keystore.password when: server_ssl_keystore_password and (copy_server_keystore.changed or (es_kibana_same_keystore_or_cert and copy_es_keystore.changed)) ignore_errors: yes - name: Set Kibana Server SSL Key Passphrase become: yes - shell: echo "{{ server_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keyPassphrase --allow-root + shell: echo "{{ 
server_ssl_key_passphrase }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f server.ssl.keyPassphrase when: server_ssl_key_passphrase and ( copy_server_certificates.changed or( es_kibana_same_keystore_or_cert and copy_es_certificates.changed)) ignore_errors: yes #Add String settings to the Keystore - name: Add Es useraname to Kibana keystore become: yes - shell: echo "{{ es_user }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.username --allow-root + shell: echo "{{ es_user }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.username when: secure_settings and es_user ignore_errors: yes - name: Add Es password to Kibana keystore become: yes - shell: echo "{{ es_pass }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.password --allow-root + shell: echo "{{ es_pass }}" | {{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.password when: secure_settings and es_pass ignore_errors: yes
diff --git a/templates/kibana.yml.j2 b/templates/kibana.yml.j2
index 28096dd..93aaf8f 100644
--- a/templates/kibana.yml.j2
+++ b/templates/kibana.yml.j2
@@ -76,7 +76,7 @@ elasticsearch.ssl.verificationMode: "{{ es_ssl_verification_mode }}" {% endif %} #OIDC configuration -{% if es_enable_oidc %} +{% if es_enable_oidc |bool == true %} xpack.security.authc.providers: oidc.oidc1: order: 0
From 911904ca263aee9109e4cdbdf19ce68f0206a0ff Mon Sep 17 00:00:00 2001
From: Miroslav
Date: Wed, 5 May 2021 13:00:19 -0500
Subject: [PATCH 4/7] Update main.yml
---
defaults/main.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 12908cf..d182e35 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
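Review bot: Each of the six keystore tasks in this hunk still hands the secret to the shell as `shell: echo "{{ es_pass }}" | …`, so the password or passphrase is part of the command string that Ansible records in the task result and prints on failure or under -v, and none of the tasks sets `no_log: true`; a value containing `"`, `$` or a backtick is also interpreted by the shell rather than stored verbatim. Feeding the value through the `command` module's `stdin` argument (the existing `-x` flag already makes kibana-keystore read stdin) together with `no_log: true` keeps it out of the command line and the logs, as sketched below for the password task; the other five take the same shape. Separately, every task keeps `ignore_errors: yes`, so a failed `kibana-keystore add` is skipped without a trace and Kibana later starts without the credential or passphrase it was supposed to have; now that the invocation is simplified it is worth letting those failures fail the play. The `stat` task at the top now looks in `{{ conf_dir }}`; if `kibana-keystore create` without an explicit path writes elsewhere for the targeted version, that check never finds the file and the duplicate-create error is hidden by `ignore_errors`, which is worth confirming.
```yaml
- name: Add Es password to Kibana keystore
  become: yes
  command: "{{ kibana_home }}/bin/kibana-keystore add -x -f elasticsearch.password"
  args:
    stdin: "{{ es_pass }}"
  no_log: true
  when: secure_settings and es_pass
# … unchanged: the remaining keystore tasks, rewritten the same way …
```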
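Review bot: `{% if es_enable_oidc |bool == true %}` compares an already-cast boolean with `true`, which adds nothing over `{% if es_enable_oidc | bool %}`; the cast itself is the useful part, since an `es_enable_oidc: "false"` arriving as a string from an inventory or `--extra-vars` would otherwise be truthy and render the block, and that reason belongs in the `#OIDC configuration` comment directly above it. The rest of the template spaces its filters as `es_ssl_key | basename`, so the new line should spell it `| bool` the same way.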
@@ -1,13 +1,13 @@ --- # Commons parameters for all ELK Stack es_major_version: "7.x" -es_version: "7.6.1" +es_version: "7.11.2" es_use_repository: true es_apt_key: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" es_apt_url: "deb https://artifacts.elastic.co/packages/{{ es_repo_name }}/apt stable main" es_apt_url_old: "deb http://packages.elastic.co/elasticsearch/{{ es_repo_name }}/debian stable main" #Elasticsearch username and password -es_user: kibana +es_user: kibana_system es_pass: elastic # Kibana parameters kibana_install_oss: false
@@ -63,4 +63,4 @@ server_ssl_key_passphrase: '' #Optionally use the keystore for saving the user/pass secure_settings: false #Enable OIDC integration -es_enable_oidc: false
\ No newline at end of file
+es_enable_oidc: false
From 5049e0770647c3dc84b100bad594721c6ec8bb56 Mon Sep 17 00:00:00 2001
From: Miroslav
Date: Wed, 5 May 2021 13:03:58 -0500
Subject: [PATCH 5/7] Update README_SSL.md
---
README_SSL.md | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/README_SSL.md b/README_SSL.md
index 69cb6e9..47c9c09 100644
--- a/README_SSL.md
+++ b/README_SSL.md
@@ -78,7 +78,7 @@ server.xsrf.whitelist: [/api/security/v1/oidc] hosts: kibana-node roles: - role: fedelemantuano.kibana - es_version: 7.10.1 + es_version: 7.11.2 kibana_api_host: "{{ ansible_default_ipv4.address }}" #Secure communication with Elasticsearch es_enable_http_ssl: true
@@ -98,7 +98,7 @@ server.xsrf.whitelist: [/api/security/v1/oidc] #server_ssl_key_passphrase: elastic #Store kibana settings in the keystore secure_settings: true - es_user: kibana + es_user: kibana_system es_pass: changeme es_enable_oidc: false kibana_config:
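Review bot: In the defaults/main.yml `@@ -1,13 +1,13 @@` hunk, `es_user: kibana_system` changes the identity every existing user of this role authenticates with, and the `kibana_system` built-in user only exists on newer Elasticsearch releases (the 7.8 line onward, as far as I recall), so anyone pinning `es_version` below that, as the previous default did, gets authentication failures with nothing in the defaults explaining why. A comment above the key would save that debugging, e.g. `# kibana_system requires a recent Elasticsearch (7.8+); use "kibana" for older releases`. The hunk also leaves `es_pass: elastic` as a shipped default password, so the `#Elasticsearch username and password` comment should at least say that it must be overridden per deployment.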
@@ -107,6 +107,9 @@ server.xsrf.whitelist: [/api/security/v1/oidc] server.host: "{{ ansible_default_ipv4.address }}" elasticsearch.hosts: "https://{{ ansible_default_ipv4.address }}:9200" xpack.security.audit.enabled: true + #Add this when deploying behing AWS ALB Target Group + #server.basePath: "/kibana" + #server.rewriteBasePath: true ```
@@ -144,4 +147,4 @@ Use this playbook for removing kibana from RPM based system. - /var/lib/kibana become: true -```
\ No newline at end of file
+```
From 7c4c0412588b561f80176dd4c2c47e6a1bd5e683 Mon Sep 17 00:00:00 2001
From: Fedele Mantuano
Date: Tue, 11 May 2021 21:19:31 +0200
Subject: [PATCH 6/7] Update README_SSL.md
---
README_SSL.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README_SSL.md b/README_SSL.md
index 47c9c09..2378e76 100644
--- a/README_SSL.md
+++ b/README_SSL.md
@@ -49,7 +49,7 @@ Stores the Kibana username/password in he Kibana keystore instead of the kibana. `secure_settings: true` 4. Implement OIDC kibana configuration as documented here - [Configuring Kibana](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/oidc-kibana.html) amd + [Configuring Kibana](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/oidc-kibana.html) and [Set up OpenID Connect with Azure, Google, or Okta](https://www.elastic.co/guide/en/cloud/7.10/ec-securing-clusters-oidc-op.html) [Secure your clusters with OpenID Connect]( https://www.elastic.co/guide/en/cloud-heroku/7.10/ech-secure-clusters-oidc.html)
From df0ce4d4e2a4790dc5b12c8c093e117dab8670eb Mon Sep 17 00:00:00 2001
From: Fedele Mantuano
Date: Tue, 11 May 2021 21:25:44 +0200
Subject: [PATCH 7/7] Update README_SSL.md
---
README_SSL.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README_SSL.md b/README_SSL.md
index 2378e76..c4235e8 100644
--- a/README_SSL.md
+++ b/README_SSL.md
@@ -141,7 +141,7 @@ Use this playbook for removing kibana from RPM based system. - file: path: "{{item}}" state: absent - with_items: + loop: - /etc/kibana - /usr/share/kibana - /var/lib/kibana