Currently Graylog supports only basic authentication when trying to connect to Elasticsearch.
On the Elasticsearch side, one might set Unix authentication using the ReadonlyREST plugin or any type of hashed authentication, which is not entirely useful when using it in combination with Graylog.
Graylog should be compatible with different authentication types when it comes to communicating with Elasticsearch, as it is not good practice to have the password in plaintext in the configuration file; rather, it should be provided as a hashed version of the password.
Having the GDPR on the way, all companies are becoming more serious about having maximum security and privacy in place, especially when it comes to dealing with sensitive data. For that reason, it is necessary to have any credentials hashed and salted, as basic authentication isn't a good option compared to other authentication forms.
@Tajjar Please elaborate on what authentication mechanisms you would like to see in Graylog with regards to Elasticsearch.
For example the Beats platform currently only supports HTTP Basic Auth and SSL client certificates for authentication.
I would like to see hash authentication instead of relying on the HTTP basic Auth.
@Tajjar While Elasticsearch supports multiple authentication backends (see https://www.elastic.co/guide/en/x-pack/5.6/how-security-works.html#_user_authentication), it currently only supports Basic Auth (see https://www.elastic.co/guide/en/x-pack/5.6/http-clients.html) and SSL client authentication (see https://www.elastic.co/guide/en/x-pack/5.6/separating-node-client-traffic.html) on the Elasticsearch HTTP API.
Using Basic Auth means that the password has to be known in plaintext to the clients, i.e. to Graylog.
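The point above about Basic Auth, as an added example that is not part of the original thread and is not Graylog or ReadonlyREST code: the client needs the plaintext password to build the header, while a server can keep only a SHA-256 of `user:password`. The function names and the server-side check are assumptions made for illustration, and the credentials are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder credentials (not real accounts).
USER, PASSWORD = "user", "password"


def basic_auth_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value for HTTP Basic Auth.
    The client must hold the plaintext password to do this."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def stored_verifier(user: str, password: str) -> str:
    """Server side, at provisioning time: keep only SHA-256("user:password").
    Assumed storage model for this example."""
    return hashlib.sha256(f"{user}:{password}".encode("utf-8")).hexdigest()


def server_accepts(header: str, verifier_hex: str) -> bool:
    """Server side, per request: decode the header, hash it, compare."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if b":" not in decoded:
        return False
    candidate = hashlib.sha256(decoded).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, verifier_hex)


def recover_from_wire(header: str) -> tuple:
    """Base64 is an encoding, not a hash: anyone who can read the header
    recovers the username and plaintext password."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    header = basic_auth_header(USER, PASSWORD)
    print(header)
    print(server_accepts(header, stored_verifier(USER, PASSWORD)))
    print(recover_from_wire(header))
```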
True, but if you use ReadOnlyRest (see https://github.com/beshu-tech/readonlyrest-docs/blob/master/elasticsearch.md#authentication), it uses HTTP Basic Auth with the ability to hash the credentials; if you add the hashed version to graylog.conf, it will complain about having illegal characters.
@Tajjar We won't add special support for any Elasticsearch authentication mechanisms which require the installation of a commercial 3rd party plugin.
This being said, you should already be able to use the auth_key_sha256 mechanism outlined in the documentation at https://github.com/beshu-tech/readonlyrest-docs/blob/master/elasticsearch.md#authentication by using the SHA-256 hash of the username and password as password in the Elasticsearch connection URIs.
Example:
# username = "user"
# password = "password"
# SHA256("user:password") == c91b1d6acd383c44c4ec20c9723e758c31182a1f4f0231d63d91259a2ea14b9d
elasticsearch_hosts = http://user:c91b1d6acd383c44c4ec20c9723e758c31182a1f4f0231d63d91259a2ea14b9d@es1.example.com:9200/
@joschi forgive the correction, but ReadonlyREST for Elasticsearch is released under GPLv3, so it's not "commercial". Actually the whole mission of the company behind ReadonlyREST is to democratise access to security fundamentals (encryption, authentication, authorization, auditing) in Elasticsearch using nothing but open source and without paywalls.
By the way, Graylog is really cool, keep up the good work!
DISCLAIMER: I'm the CEO of the company behind ReadonlyREST