Implement LDAP integration for Kibana
Implement-blueprint: ldap-integration-in-stacklight Change-Id: I838c84333feab7828adda0dfc731a8582287f83d
parent
5d742d2ff2
commit
e19d42b190
|
@ -14,6 +14,8 @@
|
|||
|
||||
notice('fuel-plugin-elasticsearch-kibana: firewall.pp')
|
||||
|
||||
$authnz = hiera_hash('lma::kibana::authnz')
|
||||
|
||||
class {'::firewall':}
|
||||
|
||||
firewall { '000 accept all icmp requests':
|
||||
|
@ -80,6 +82,14 @@ firewall { '101 proxy-kibana':
|
|||
action => 'accept',
|
||||
}
|
||||
|
||||
if $authnz['ldap_authorization_enabled'] {
|
||||
firewall { '101 proxy-kibana-viewer':
|
||||
port => hiera('lma::elasticsearch::kibana_frontend_viewer_port'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
}
|
||||
|
||||
firewall { '999 drop all other requests':
|
||||
proto => 'all',
|
||||
chain => 'INPUT',
|
||||
|
|
|
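Review bot: The viewer port is opened on `ldap_authorization_enabled` alone at `if $authnz['ldap_authorization_enabled'] {`, while haproxy.pp gates the matching 'kibana-viewer' frontend on both flags, and the hiera template emits `ldap_authorization_enabled` outside its `<% if @ldap_enabled -%>` block, so the two can disagree and the firewall accepts traffic on a port nothing listens on. Use the same condition here: `if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {`. The rest of firewall.pp lies outside the hunk.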
@ -16,7 +16,9 @@ notice('fuel-plugin-elasticsearch-kibana: haproxy.pp')
|
|||
|
||||
$es_port = hiera('lma::elasticsearch::rest_port')
|
||||
$kibana_backend_port = hiera('lma::elasticsearch::apache_port')
|
||||
$kibana_backend_viewer_port = hiera('lma::elasticsearch::apache_viewer_port')
|
||||
$kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port')
|
||||
$kibana_frontend_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port')
|
||||
$vip = hiera('lma::elasticsearch::vip')
|
||||
|
||||
$nodes_ips = hiera('lma::elasticsearch::nodes')
|
||||
|
@ -45,6 +47,7 @@ openstack::ha::haproxy_service { $es_haproxy_service:
|
|||
}
|
||||
|
||||
$kibana_tls = hiera_hash('lma::kibana::tls')
|
||||
$authnz = hiera_hash('lma::kibana::authnz')
|
||||
if $kibana_tls['enabled'] {
|
||||
openstack::ha::haproxy_service { 'kibana':
|
||||
order => '921',
|
||||
|
@ -59,6 +62,22 @@ if $kibana_tls['enabled'] {
|
|||
'mode' => 'http',
|
||||
},
|
||||
}
|
||||
if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
|
||||
openstack::ha::haproxy_service { 'kibana-viewer':
|
||||
order => '922',
|
||||
internal_ssl => true,
|
||||
internal_ssl_path => $kibana_tls['cert_file_path'],
|
||||
listen_port => $kibana_frontend_viewer_port,
|
||||
balancermember_port => $kibana_backend_viewer_port,
|
||||
balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
|
||||
haproxy_config_options => {
|
||||
'option' => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'],
|
||||
'balance' => 'roundrobin',
|
||||
'mode' => 'http',
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
} else {
|
||||
openstack::ha::haproxy_service { 'kibana':
|
||||
order => '921',
|
||||
|
@ -71,4 +90,17 @@ if $kibana_tls['enabled'] {
|
|||
'mode' => 'http',
|
||||
}
|
||||
}
|
||||
if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
|
||||
openstack::ha::haproxy_service { 'kibana-viewer':
|
||||
order => '922',
|
||||
listen_port => $kibana_frontend_viewer_port,
|
||||
balancermember_port => $kibana_backend_viewer_port,
|
||||
balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
|
||||
haproxy_config_options => {
|
||||
'option' => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'],
|
||||
'balance' => 'roundrobin',
|
||||
'mode' => 'http',
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
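Review bot: The 'kibana-viewer' haproxy_service is declared twice, once per branch of `if $kibana_tls['enabled']`, differing only in the two `internal_ssl*` parameters, and the copies already drift in brace layout of `haproxy_config_options`. If the defined type accepts `internal_ssl => false`, declare the viewer service once after the TLS block with `internal_ssl => $kibana_tls['enabled']` and `internal_ssl_path => $kibana_tls['cert_file_path']`, so the LDAP gating condition lives in one place. A one-line comment such as `# The viewer frontend only exists when group-based LDAP authorization is on` would also explain why the condition tests both flags. The haproxy.pp manifest continues outside the hunks.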
@ -90,7 +90,29 @@ if $tls_enabled {
|
|||
content => $elasticsearch_kibana['kibana_ssl_cert']['content'],
|
||||
require => File[$cert_dir]
|
||||
}
|
||||
}
|
||||
|
||||
$ldap_enabled = $elasticsearch_kibana['ldap_enabled'] or false
|
||||
$ldap_protocol = $elasticsearch_kibana['ldap_protocol']
|
||||
$ldap_servers = split($elasticsearch_kibana['ldap_servers'], '\s+')
|
||||
$ldap_bind_dn = $elasticsearch_kibana['ldap_bind_dn']
|
||||
$ldap_bind_password = $elasticsearch_kibana['ldap_bind_password']
|
||||
$ldap_user_search_base_dns = $elasticsearch_kibana['ldap_user_search_base_dns']
|
||||
$ldap_user_search_filter = $elasticsearch_kibana['ldap_user_search_filter']
|
||||
$ldap_user_attribute = $elasticsearch_kibana['ldap_user_attribute']
|
||||
$ldap_authorization_enabled = $elasticsearch_kibana['ldap_authorization_enabled'] or false
|
||||
$ldap_group_attribute = $elasticsearch_kibana['ldap_group_attribute']
|
||||
$ldap_admin_group_dn = $elasticsearch_kibana['ldap_admin_group_dn']
|
||||
$ldap_viewer_group_dn = $elasticsearch_kibana['ldap_viewer_group_dn']
|
||||
|
||||
if empty($elasticsearch_kibana['ldap_server_port']) {
|
||||
if downcase($ldap_protocol) == 'ldap' {
|
||||
$ldap_port = 389
|
||||
} else {
|
||||
$ldap_port = 636
|
||||
}
|
||||
} else {
|
||||
$ldap_port = $elasticsearch_kibana['ldap_server_port']
|
||||
}
|
||||
|
||||
$calculated_content = inline_template('
|
||||
|
@ -102,7 +124,9 @@ lma::elasticsearch::vip: <%= @vip %>
|
|||
lma::elasticsearch::es_haproxy_service: elasticsearch-rest
|
||||
lma::elasticsearch::listen_address: <%= @listen_address%>
|
||||
lma::elasticsearch::kibana_frontend_port: 80
|
||||
lma::elasticsearch::kibana_frontend_viewer_port: 81
|
||||
lma::elasticsearch::apache_port: 80
|
||||
lma::elasticsearch::apache_viewer_port: 81
|
||||
lma::elasticsearch::kibana_port: 5601
|
||||
lma::elasticsearch::kibana_index: .kibana
|
||||
lma::elasticsearch::rest_port: 9200
|
||||
|
@ -128,8 +152,29 @@ lma::kibana::tls:
|
|||
hostname: <%= @kibana_hostname %>
|
||||
cert_file_path: <%= @cert_file_path %>
|
||||
<% end -%>
|
||||
lma::kibana::username: <%= @elasticsearch_kibana["kibana_username"] %>
|
||||
lma::kibana::password: <%= @elasticsearch_kibana["kibana_password"] %>
|
||||
lma::kibana::authnz:
|
||||
username: <%= @elasticsearch_kibana["kibana_username"] %>
|
||||
password: <%= @elasticsearch_kibana["kibana_password"] %>
|
||||
ldap_enabled: <%= @ldap_enabled %>
|
||||
ldap_authorization_enabled: <%= @ldap_authorization_enabled %>
|
||||
<% if @ldap_enabled -%>
|
||||
ldap_servers:
|
||||
<% @ldap_servers.each do |s| -%>
|
||||
- "<%= s %>"
|
||||
<% end -%>
|
||||
ldap_protocol: <%= @ldap_protocol %>
|
||||
ldap_port: <%= @ldap_port %>
|
||||
ldap_bind_dn: <%= @ldap_bind_dn %>
|
||||
ldap_bind_password: <%= @ldap_bind_password %>
|
||||
ldap_user_search_base_dns: <%= @ldap_user_search_base_dns %>
|
||||
ldap_user_attribute: <%= @ldap_user_attribute %>
|
||||
ldap_user_search_filter: <%= @ldap_user_search_filter %>
|
||||
ldap_group_attribute: <%= @ldap_group_attribute %>
|
||||
<% if @ldap_authorization_enabled -%>
|
||||
ldap_admin_group_dn: <%= @ldap_admin_group_dn %>
|
||||
ldap_viewer_group_dn: <%= @ldap_viewer_group_dn %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
')
|
||||
|
||||
file { $hiera_file:
|
||||
|
|
|
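Review bot: `ldap_bind_dn`, `ldap_bind_password`, `ldap_user_search_base_dns` and `ldap_user_search_filter` are written as unquoted YAML plain scalars, whereas each `ldap_servers` entry is quoted; a bind password containing ` #` or `: `, or any value starting with `*`, `&`, `[` or `{`, either breaks the generated hiera file or is silently truncated. Quote them the same way as the server list, e.g. `ldap_bind_password: "<%= @ldap_bind_password %>"`, keeping in mind that an embedded `"` or `\` still needs escaping. Separately, `ldap_authorization_enabled: <%= @ldap_authorization_enabled %>` sits outside the `<% if @ldap_enabled -%>` block, so it can be true while LDAP is off, and firewall.pp and haproxy.pp test that combination differently. The enclosing class starts and ends outside these hunks.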
@ -22,12 +22,27 @@ class { 'lma_logging_analytics::kibana':
|
|||
version => '4.5.1',
|
||||
}
|
||||
|
||||
$authnz = hiera_hash('lma::kibana::authnz')
|
||||
class { 'lma_logging_analytics::kibana_authentication':
|
||||
listen_address => hiera('lma::elasticsearch::listen_address'),
|
||||
listen_port => hiera('lma::elasticsearch::apache_port'),
|
||||
kibana_address => '127.0.0.1',
|
||||
kibana_port => hiera('lma::elasticsearch::kibana_port'),
|
||||
username => hiera('lma::kibana::username'),
|
||||
password => hiera('lma::kibana::password'),
|
||||
require => Class[lma_logging_analytics::kibana],
|
||||
listen_address => hiera('lma::elasticsearch::listen_address'),
|
||||
listen_port => hiera('lma::elasticsearch::apache_port'),
|
||||
kibana_address => '127.0.0.1',
|
||||
kibana_port => hiera('lma::elasticsearch::kibana_port'),
|
||||
username => $authnz['username'],
|
||||
password => $authnz['password'],
|
||||
ldap_enabled => $authnz['ldap_enabled'],
|
||||
ldap_protocol => $authnz['ldap_protocol'],
|
||||
ldap_port => $authnz['ldap_port'],
|
||||
ldap_servers => $authnz['ldap_servers'],
|
||||
ldap_bind_dn => $authnz['ldap_bind_dn'],
|
||||
ldap_bind_password => $authnz['ldap_bind_password'],
|
||||
ldap_user_search_base_dns => $authnz['ldap_user_search_base_dns'],
|
||||
ldap_user_search_filter => $authnz['ldap_user_search_filter'],
|
||||
ldap_user_attribute => $authnz['ldap_user_attribute'],
|
||||
ldap_authorization_enabled => $authnz['ldap_authorization_enabled'],
|
||||
listen_port_viewer => hiera('lma::elasticsearch::apache_viewer_port'),
|
||||
ldap_group_attribute => $authnz['ldap_group_attribute'],
|
||||
ldap_admin_group_dn => $authnz['ldap_admin_group_dn'],
|
||||
ldap_viewer_group_dn => $authnz['ldap_viewer_group_dn'],
|
||||
require => Class[lma_logging_analytics::kibana],
|
||||
}
|
||||
|
|
|
@ -21,12 +21,59 @@ class lma_logging_analytics::kibana_authentication (
|
|||
$kibana_address,
|
||||
$username,
|
||||
$password,
|
||||
$ldap_enabled = false,
|
||||
$ldap_protocol = undef,
|
||||
$ldap_servers = [],
|
||||
$ldap_port = undef,
|
||||
$ldap_bind_dn = undef,
|
||||
$ldap_bind_password = undef,
|
||||
$ldap_user_search_base_dns = undef,
|
||||
$ldap_user_search_filter = undef,
|
||||
$ldap_user_attribute = undef,
|
||||
$ldap_authorization_enabled = false,
|
||||
$listen_port_viewer = undef,
|
||||
$ldap_group_attribute = undef,
|
||||
$ldap_admin_group_dn = undef,
|
||||
$ldap_viewer_group_dn = undef,
|
||||
) {
|
||||
|
||||
include lma_logging_analytics::params
|
||||
|
||||
$apache_modules = ['proxy', 'proxy_http', 'rewrite',
|
||||
'authn_file', 'auth_basic', 'authz_user']
|
||||
validate_integer($listen_port)
|
||||
validate_integer($kibana_port)
|
||||
|
||||
$default_apache_modules = ['proxy', 'proxy_http', 'rewrite',
|
||||
'authn_file', 'auth_basic', 'authz_user']
|
||||
|
||||
if $ldap_enabled {
|
||||
if empty($ldap_servers) {
|
||||
fail('ldap_servers list parameter is empty')
|
||||
}
|
||||
if ! $ldap_port { fail('Missing ldap_port parameter')}
|
||||
if ! $ldap_protocol { fail('Missing ldap_protocol parameter')}
|
||||
if ! $ldap_bind_dn { fail('Missing ldap_bind_dn parameter')}
|
||||
if ! $ldap_bind_password { fail('Missing ldap_bind_password parameter')}
|
||||
if ! $ldap_user_search_base_dns { fail('Missing ldap_user_search_base_dns parameter')}
|
||||
if ! $ldap_user_search_filter { fail('Missing ldap_user_search_filter parameter')}
|
||||
if ! $ldap_user_attribute { fail('Missing ldap_user_attribute parameter')}
|
||||
|
||||
if $ldap_authorization_enabled {
|
||||
if ! $ldap_group_attribute {fail('Missing ldap_group_attribute parameter')}
|
||||
if ! $ldap_admin_group_dn {fail('Missing ldap_admin_group_dn parameter')}
|
||||
if ! $ldap_viewer_group_dn {fail('Missing ldap_viewer_group_dn parameter')}
|
||||
if ! $listen_port_viewer {fail('Missing listen_port_viewer parameter')}
|
||||
|
||||
validate_integer($listen_port_viewer)
|
||||
}
|
||||
$apache_modules = concat($default_apache_modules, ['ldap', 'authnz_ldap'])
|
||||
|
||||
# LDAP url is used by apache::custom_config
|
||||
$ldap_urls = suffix($ldap_servers, ":${ldap_port}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}")
|
||||
|
||||
$ldap_url = join($ldap_urls, ' ')
|
||||
} else {
|
||||
$apache_modules = $default_apache_modules
|
||||
}
|
||||
|
||||
## Configure apache
|
||||
class { 'apache':
|
||||
|
@ -55,8 +102,20 @@ class lma_logging_analytics::kibana_authentication (
|
|||
require => Class[Apache],
|
||||
}
|
||||
|
||||
apache::custom_config { 'kibana-proxy':
|
||||
content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
|
||||
require => [Class['apache'], File[$htpasswd_file]],
|
||||
if $ldap_authorization_enabled {
|
||||
apache::custom_config { 'kibana-proxy':
|
||||
content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
|
||||
require => [Class['apache'], File[$htpasswd_file]],
|
||||
}
|
||||
apache::listen { "${listen_address}:${listen_port_viewer}": }
|
||||
apache::custom_config { 'kibana-proxy-viewer':
|
||||
content => template('lma_logging_analytics/apache_kibana_proxy_viewer.conf.erb'),
|
||||
require => [Class['apache'], File[$htpasswd_file]],
|
||||
}
|
||||
} else {
|
||||
apache::custom_config { 'kibana-proxy':
|
||||
content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
|
||||
require => [Class['apache'], File[$htpasswd_file]],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
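Review bot: `$ldap_port` and `$ldap_protocol` are only checked for truthiness at `if ! $ldap_port { ... }`, while `$listen_port_viewer` gets `validate_integer`; the port comes from a free-text setting and the protocol is interpolated straight into `AuthLDAPURL`, so add `validate_integer($ldap_port, 65535, 1)` and `validate_re($ldap_protocol, '^ldaps?$', 'ldap_protocol must be ldap or ldaps')` next to the existing checks. The construction at `$ldap_urls = suffix(...)` appends base DN, attribute, scope and filter to every server before joining with spaces; if I read mod_authnz_ldap's AuthLDAPURL syntax correctly the space-separated host list takes the path once after the last host, so with two or more servers the URL is malformed — `$ldap_hosts = join(suffix($ldap_servers, ":${ldap_port}"), ' ')` followed by `$ldap_url = "${ldap_hosts}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}"` would match the documented form. Nothing in this change configures a trusted CA for the `ldaps` variant, so it presumably fails mod_ldap's default server-certificate verification; that should be either documented or wired to a CA parameter. The class body continues beyond both hunks.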
@ -20,18 +20,115 @@ describe 'lma_logging_analytics::kibana_authentication' do
|
|||
:concat_basedir => '/foo' }
|
||||
end
|
||||
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass'
|
||||
describe 'default parameters' do
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass'
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
should contain_class('apache')
|
||||
should contain_apache__custom_config('kibana-proxy')
|
||||
should contain_htpasswd('foouser')
|
||||
should contain_file('/etc/apache2/kibana.htpasswd')
|
||||
}
|
||||
end
|
||||
describe 'ldap parameters' do
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass',
|
||||
:ldap_enabled => true,
|
||||
:ldap_protocol => 'ldap',
|
||||
:ldap_port => 389,
|
||||
:ldap_servers => ['ldap.foo.fr'],
|
||||
:ldap_bind_dn => 'cn=admin,dc=example,dc=com',
|
||||
:ldap_bind_password => 'foopass',
|
||||
:ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
|
||||
:ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
|
||||
:ldap_user_attribute => 'uid',
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
should contain_class('apache')
|
||||
should contain_apache__custom_config('kibana-proxy')
|
||||
should contain_htpasswd('foouser')
|
||||
should contain_file('/etc/apache2/kibana.htpasswd')
|
||||
}
|
||||
end
|
||||
describe 'ldap parameters are missing' do
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass',
|
||||
:ldap_enabled => true,
|
||||
:ldap_protocol => 'ldap',
|
||||
:ldap_port => 389,
|
||||
:ldap_servers => ['ldap.foo.fr'],
|
||||
:ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
|
||||
:ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
|
||||
:ldap_user_attribute => 'uid',
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to raise_error(Puppet::Error, /Missing ldap_/) }
|
||||
end
|
||||
|
||||
describe 'ldap parameters with authorization' do
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass',
|
||||
:ldap_enabled => true,
|
||||
:ldap_protocol => 'ldap',
|
||||
:ldap_port => 389,
|
||||
:ldap_servers => ['ldap.foo.fr'],
|
||||
:ldap_bind_dn => 'cn=admin,dc=example,dc=com',
|
||||
:ldap_bind_password => 'foopass',
|
||||
:ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
|
||||
:ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
|
||||
:ldap_user_attribute => 'uid',
|
||||
:ldap_authorization_enabled => true,
|
||||
:listen_port_viewer => 81,
|
||||
:ldap_group_attribute => 'memberUid',
|
||||
:ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com',
|
||||
:ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com',
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
should contain_class('apache')
|
||||
should contain_apache__custom_config('kibana-proxy')
|
||||
should contain_htpasswd('foouser')
|
||||
should contain_file('/etc/apache2/kibana.htpasswd')
|
||||
}
|
||||
end
|
||||
|
||||
it {
|
||||
should contain_class('apache')
|
||||
should contain_apache__custom_config('kibana-proxy')
|
||||
should contain_htpasswd('foouser')
|
||||
should contain_file('/etc/apache2/kibana.htpasswd')
|
||||
}
|
||||
describe 'ldap parameters with authorization missing' do
|
||||
let(:params) do
|
||||
{:listen_address => '127.0.0.1', :listen_port => 80,
|
||||
:kibana_address => '127.0.0.1', :kibana_port => 5106,
|
||||
:username => 'foouser', :password => 'foopass',
|
||||
:ldap_enabled => true,
|
||||
:ldap_protocol => 'ldap',
|
||||
:ldap_port => 389,
|
||||
:ldap_servers => ['ldap.foo.fr'],
|
||||
:ldap_bind_dn => 'cn=admin,dc=example,dc=com',
|
||||
:ldap_bind_password => 'foopass',
|
||||
:ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
|
||||
:ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
|
||||
:ldap_user_attribute => 'uid',
|
||||
:ldap_authorization_enabled => true,
|
||||
#:ldap_group_attribute => 'memberUid',
|
||||
#:ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com',
|
||||
#:ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com',
|
||||
}
|
||||
end
|
||||
|
||||
it { is_expected.to raise_error(Puppet::Error, /Missing/) }
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
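Review bot: The 'ldap parameters with authorization' example asserts exactly the same four resources as the default case, so the new viewer branch in kibana_authentication.pp is never exercised; add `should contain_apache__listen('127.0.0.1:81')` and `should contain_apache__custom_config('kibana-proxy-viewer')` to that `it` block, with the negated forms in the plain 'ldap parameters' example. The 'ldap parameters are missing' example omits both `ldap_bind_dn` and `ldap_bind_password` at once, so `/Missing ldap_/` cannot tell which `fail` fired; one example per missing parameter, or a tighter pattern such as `/Missing ldap_bind_dn/`, makes a regression in a single check visible. The enclosing `describe` block closes outside the hunk.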
@ -15,14 +15,32 @@
|
|||
AuthName "Kibana Access"
|
||||
AuthType Basic
|
||||
AuthUserFile <%= @htpasswd_file %>
|
||||
<% if @ldap_enabled -%>
|
||||
AuthBasicProvider file ldap
|
||||
AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>"
|
||||
AuthLDAPBindDN "<%= @ldap_bind_dn %>"
|
||||
AuthLDAPBindPassword <%= @ldap_bind_password %>
|
||||
<% if @ldap_authorization_enabled -%>
|
||||
AuthLDAPGroupAttribute <%= @ldap_group_attribute %>
|
||||
AuthLDAPGroupAttributeIsDN off
|
||||
AuthBasicAuthoritative on
|
||||
<RequireAny>
|
||||
require user <%= @username %>
|
||||
Require ldap-group <%= @ldap_admin_group_dn %>
|
||||
</RequireAny>
|
||||
<% else -%>
|
||||
require valid-user
|
||||
<% end -%>
|
||||
<% else -%>
|
||||
require valid-user
|
||||
<% end -%>
|
||||
</Proxy>
|
||||
|
||||
ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
|
||||
ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
|
||||
RewriteEngine on
|
||||
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
|
||||
RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA]
|
||||
# Passthrough the request to Kibana with the orginal query string
|
||||
RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L]
|
||||
|
||||
ErrorLog "/var/log/apache2/kibana_error.log"
|
||||
ServerSignature Off
|
||||
|
|
|
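Review bot: `AuthLDAPBindPassword <%= @ldap_bind_password %>` is emitted unquoted, unlike the DN and URL on the two lines above it, so a password containing whitespace or `#` is truncated or breaks the vhost; write it as `AuthLDAPBindPassword "<%= @ldap_bind_password %>"` (the new apache_kibana_proxy_viewer.conf.erb carries the same line). With `@ldap_enabled` set and authorization off the proxy falls through to `require valid-user`, which grants the admin proxy to every account that can bind against the directory; that matches the setting description but deserves a comment in the template, e.g. `# Without group authorization, any LDAP account that binds successfully gets full Kibana access`. The bind password lands in clear text in the generated vhost and the hunk does not show the file mode apache::custom_config applies, so it is worth confirming the file is not world-readable.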
@ -0,0 +1,56 @@
|
|||
# ************************************
|
||||
# Vhost template in module lma_logging_analytics
|
||||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
<VirtualHost <%= @listen_address %>:<%= @listen_port_viewer %>>
|
||||
ServerName kibana
|
||||
DocumentRoot "/opt/kibana"
|
||||
|
||||
ProxyRequests Off
|
||||
|
||||
<Proxy *>
|
||||
Order Allow,Deny
|
||||
Allow From All
|
||||
AuthName "Kibana Access"
|
||||
AuthType Basic
|
||||
AuthUserFile <%= @htpasswd_file %>
|
||||
<% if @ldap_enabled -%>
|
||||
AuthBasicProvider file ldap
|
||||
AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>"
|
||||
AuthLDAPBindDN "<%= @ldap_bind_dn %>"
|
||||
AuthLDAPBindPassword <%= @ldap_bind_password %>
|
||||
<% if @ldap_authorization_enabled -%>
|
||||
AuthLDAPGroupAttribute <%= @ldap_group_attribute %>
|
||||
AuthLDAPGroupAttributeIsDN off
|
||||
AuthBasicAuthoritative on
|
||||
<RequireAny>
|
||||
require user <%= @username %>
|
||||
Require ldap-group <%= @ldap_viewer_group_dn %>
|
||||
Require ldap-group <%= @ldap_admin_group_dn %>
|
||||
</RequireAny>
|
||||
<% else -%>
|
||||
require valid-user
|
||||
<% end -%>
|
||||
<% else -%>
|
||||
require valid-user
|
||||
<% end -%>
|
||||
</Proxy>
|
||||
|
||||
ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
|
||||
ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
|
||||
RewriteEngine on
|
||||
# Deleting is forbidden for viewers
|
||||
RewriteCond %{REQUEST_METHOD} DELETE
|
||||
RewriteRule .* - [F,L]
|
||||
# Creation/update is forbidden for viewers
|
||||
RewriteCond %{REQUEST_METHOD} POST
|
||||
RewriteCond %{QUERY_STRING} op_type=create
|
||||
RewriteRule .* - [F,L]
|
||||
# Passthrough the request to Kibana with the orginal query string
|
||||
RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L]
|
||||
|
||||
ErrorLog "/var/log/apache2/kibana_error.log"
|
||||
ServerSignature Off
|
||||
CustomLog "/var/log/apache2/kibana_access.log" combined
|
||||
</VirtualHost>
|
|
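Review bot: The viewer restriction built from `RewriteCond %{REQUEST_METHOD} DELETE` and `RewriteCond %{QUERY_STRING} op_type=create` is a deny-list of two request shapes; `PUT`, `PATCH` and any `POST` that updates or bulk-indexes without `op_type=create` in the query string are proxied through, so a viewer can presumably still modify or overwrite saved objects depending on which endpoints this Kibana version uses. An allow-list is safer: reject every method other than the read ones with `RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST)$` followed by `RewriteRule .* - [F,L]`, and keep the existing POST rules for the remaining write paths. This vhost also writes to the same `ErrorLog` as the admin vhost, so viewer activity cannot be told apart from admin activity in the logs; a dedicated `kibana_viewer_error.log`/`kibana_viewer_access.log` pair makes audit review simpler.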
@ -139,3 +139,177 @@ attributes:
|
|||
- condition: "settings:elasticsearch_kibana.tls_enabled.value == false"
|
||||
action: "hide"
|
||||
# TLS Settings: END
|
||||
# LDAP Settings: BEGIN
|
||||
ldap_enabled:
|
||||
value: false
|
||||
label: 'Use LDAP for Kibana authentication'
|
||||
description: ''
|
||||
weight: 100
|
||||
type: "checkbox"
|
||||
|
||||
ldap_protocol:
|
||||
type: "radio"
|
||||
value: 'ldap'
|
||||
weight: 110
|
||||
label: 'LDAP protocol'
|
||||
values:
|
||||
- data: "ldap"
|
||||
label: "LDAP"
|
||||
- data: "ldaps"
|
||||
label: "LDAPS"
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
|
||||
ldap_servers:
|
||||
value: ''
|
||||
label: 'LDAP servers'
|
||||
description: 'Specify one or several LDAP servers separated by space.'
|
||||
weight: 120
|
||||
type: "text"
|
||||
regex:
|
||||
source: '^\w[\w\-\s.]+$'
|
||||
error: "You must provide a hostname or IP"
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_server_port:
|
||||
value: ''
|
||||
label: 'Port'
|
||||
description: 'If empty, the default value is 389 for LDAP and 636 for LDAPS.'
|
||||
weight: 130
|
||||
type: "text"
|
||||
regex:
|
||||
source: '^\d{0,5}$'
|
||||
error: "You must provide a valid port number"
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_bind_dn:
|
||||
value: ''
|
||||
label: 'Bind DN'
|
||||
description: 'DN used to bind to the server when searching for entries.'
|
||||
weight: 140
|
||||
type: "text"
|
||||
regex: ¬_empty_parameter
|
||||
source: '\S'
|
||||
error: "Invalid value"
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_bind_password:
|
||||
value: ''
|
||||
label: 'Bind password'
|
||||
description: 'Password to use in conjunction with the bind DN.'
|
||||
weight: 150
|
||||
type: "password"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_user_search_base_dns:
|
||||
value: ''
|
||||
label: 'User search base DN'
|
||||
description: 'The base DN to search for users.'
|
||||
weight: 160
|
||||
type: "text"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_user_attribute:
|
||||
value: 'uid'
|
||||
label: 'User attribute to search for'
|
||||
description: "It's a good idea to choose an attribute that will be unique across all entries."
|
||||
weight: 165
|
||||
type: "text"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_user_search_filter:
|
||||
value: '(objectClass=*)'
|
||||
label: 'User search filter'
|
||||
description: 'A valid LDAP search filter.'
|
||||
weight: 170
|
||||
type: "text"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_authorization_enabled:
|
||||
value: false
|
||||
label: 'Enable group-based authorization'
|
||||
description: 'It allows to associate the users with the Admin or Viewer role. Otherwise all users are assigned to admin role.'
|
||||
weight: 200
|
||||
type: "checkbox"
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
|
||||
ldap_group_attribute:
|
||||
value: 'memberUid'
|
||||
label: 'LDAP group attribute'
|
||||
description: 'LDAP attribute used to identify the user members of groups.'
|
||||
weight: 205
|
||||
type: "text"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
- condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_admin_group_dn:
|
||||
value: ''
|
||||
label: 'Group DN mapping to the Admins role'
|
||||
description: ''
|
||||
weight: 210
|
||||
type: "text"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
- condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
|
||||
action: disable
|
||||
|
||||
ldap_viewer_group_dn:
|
||||
value: ''
|
||||
label: 'Group DN mapping to the Viewers role'
|
||||
description: ''
|
||||
weight: 220
|
||||
type: "text"
|
||||
regex: *not_empty_parameter
|
||||
restrictions:
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: hide
|
||||
- condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
|
||||
action: disable
|
||||
- condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
|
||||
action: disable
|
||||
# LDAP Settings: END
|
||||
|
|
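Review bot: `ldap_server_port` is validated with `^\d{0,5}$`, which lets `0` and anything up to `99999` through the UI although its error text promises a valid port number; a bound such as `source: '^([1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])?$'` keeps the empty-means-default behaviour while rejecting out-of-range values. The `ldap_enabled`, `ldap_admin_group_dn` and `ldap_viewer_group_dn` entries have empty `description` fields; the first should state that the bind credentials are written to the Kibana nodes' configuration, and the group entries should show the expected DN form (the ldap_protocol radio has no description at all). The `ldap_servers` regex `^\w[\w\-\s.]+$` also accepts trailing whitespace, which the `split(..., '\s+')` in the manifest turns into an empty server entry unless trimmed first.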