diff --git a/deployment_scripts/puppet/manifests/firewall.pp b/deployment_scripts/puppet/manifests/firewall.pp
index 91582f2..12246c8 100644
--- a/deployment_scripts/puppet/manifests/firewall.pp
+++ b/deployment_scripts/puppet/manifests/firewall.pp
@@ -14,6 +14,8 @@
notice('fuel-plugin-elasticsearch-kibana: firewall.pp')
+$authnz = hiera_hash('lma::kibana::authnz')
+
class {'::firewall':}
firewall { '000 accept all icmp requests':
@@ -80,6 +82,14 @@ firewall { '101 proxy-kibana':
action => 'accept',
}
+if $authnz['ldap_authorization_enabled'] {
+ firewall { '101 proxy-kibana-viewer':
+ port => hiera('lma::elasticsearch::kibana_frontend_viewer_port'),
+ proto => 'tcp',
+ action => 'accept',
+ }
+}
+
firewall { '999 drop all other requests':
proto => 'all',
chain => 'INPUT',
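Review bot: The new `if $authnz['ldap_authorization_enabled']` guard opens the viewer port whenever the authorization flag is set, whereas haproxy.pp in this same change only creates the `kibana-viewer` listener when `$authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled']` both hold, so with LDAP disabled the firewall accepts traffic on a port nothing binds to. Mirror the haproxy condition here: `if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {`. Keeping the two files on the same predicate also avoids the exposed-but-unused port if the flag semantics in hiera_override.pp change later.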
diff --git a/deployment_scripts/puppet/manifests/haproxy.pp b/deployment_scripts/puppet/manifests/haproxy.pp
index f8a3a44..ebc1e57 100644
--- a/deployment_scripts/puppet/manifests/haproxy.pp
+++ b/deployment_scripts/puppet/manifests/haproxy.pp
@@ -16,7 +16,9 @@ notice('fuel-plugin-elasticsearch-kibana: haproxy.pp')
$es_port = hiera('lma::elasticsearch::rest_port')
$kibana_backend_port = hiera('lma::elasticsearch::apache_port')
+$kibana_backend_viewer_port = hiera('lma::elasticsearch::apache_viewer_port')
$kibana_frontend_port = hiera('lma::elasticsearch::kibana_frontend_port')
+$kibana_frontend_viewer_port = hiera('lma::elasticsearch::kibana_frontend_viewer_port')
$vip = hiera('lma::elasticsearch::vip')
$nodes_ips = hiera('lma::elasticsearch::nodes')
@@ -45,6 +47,7 @@ openstack::ha::haproxy_service { $es_haproxy_service:
}
$kibana_tls = hiera_hash('lma::kibana::tls')
+$authnz = hiera_hash('lma::kibana::authnz')
if $kibana_tls['enabled'] {
openstack::ha::haproxy_service { 'kibana':
order => '921',
@@ -59,6 +62,22 @@ if $kibana_tls['enabled'] {
'mode' => 'http',
},
}
+ if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
+ openstack::ha::haproxy_service { 'kibana-viewer':
+ order => '922',
+ internal_ssl => true,
+ internal_ssl_path => $kibana_tls['cert_file_path'],
+ listen_port => $kibana_frontend_viewer_port,
+ balancermember_port => $kibana_backend_viewer_port,
+ balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
+ haproxy_config_options => {
+ 'option' => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'],
+ 'balance' => 'roundrobin',
+ 'mode' => 'http',
+ },
+ }
+ }
+
} else {
openstack::ha::haproxy_service { 'kibana':
order => '921',
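Review bot: The `kibana-viewer` service is declared twice, here and in the `else` branch of the hunk below, with bodies that differ only in the two `internal_ssl` lines, so any future tuning of `balancermember_options` or `haproxy_config_options` has to be made in both places. A single declaration after the if/else, guarded by the same `ldap_enabled and ldap_authorization_enabled` test, with `internal_ssl => $kibana_tls['enabled']` and `internal_ssl_path => $kibana_tls['cert_file_path']`, removes the duplication — assuming openstack::ha::haproxy_service tolerates an `internal_ssl_path` when `internal_ssl` is false, which cannot be confirmed from here. The pre-existing `kibana` service has the same shape and could be collapsed the same way.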
@@ -71,4 +90,17 @@ if $kibana_tls['enabled'] {
'mode' => 'http',
}
}
+ if $authnz['ldap_enabled'] and $authnz['ldap_authorization_enabled'] {
+ openstack::ha::haproxy_service { 'kibana-viewer':
+ order => '922',
+ listen_port => $kibana_frontend_viewer_port,
+ balancermember_port => $kibana_backend_viewer_port,
+ balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
+ haproxy_config_options => {
+ 'option' => ['httplog', 'http-keep-alive', 'prefer-last-server', 'dontlog-normal'],
+ 'balance' => 'roundrobin',
+ 'mode' => 'http',
+ }
+ }
+ }
}
diff --git a/deployment_scripts/puppet/manifests/hiera_override.pp b/deployment_scripts/puppet/manifests/hiera_override.pp
index e7604a3..316ff9b 100644
--- a/deployment_scripts/puppet/manifests/hiera_override.pp
+++ b/deployment_scripts/puppet/manifests/hiera_override.pp
@@ -90,7 +90,29 @@ if $tls_enabled {
content => $elasticsearch_kibana['kibana_ssl_cert']['content'],
require => File[$cert_dir]
}
+}
+$ldap_enabled = $elasticsearch_kibana['ldap_enabled'] or false
+$ldap_protocol = $elasticsearch_kibana['ldap_protocol']
+$ldap_servers = split($elasticsearch_kibana['ldap_servers'], '\s+')
+$ldap_bind_dn = $elasticsearch_kibana['ldap_bind_dn']
+$ldap_bind_password = $elasticsearch_kibana['ldap_bind_password']
+$ldap_user_search_base_dns = $elasticsearch_kibana['ldap_user_search_base_dns']
+$ldap_user_search_filter = $elasticsearch_kibana['ldap_user_search_filter']
+$ldap_user_attribute = $elasticsearch_kibana['ldap_user_attribute']
+$ldap_authorization_enabled = $elasticsearch_kibana['ldap_authorization_enabled'] or false
+$ldap_group_attribute = $elasticsearch_kibana['ldap_group_attribute']
+$ldap_admin_group_dn = $elasticsearch_kibana['ldap_admin_group_dn']
+$ldap_viewer_group_dn = $elasticsearch_kibana['ldap_viewer_group_dn']
+
+if empty($elasticsearch_kibana['ldap_server_port']) {
+ if downcase($ldap_protocol) == 'ldap' {
+ $ldap_port = 389
+ } else {
+ $ldap_port = 636
+ }
+} else {
+ $ldap_port = $elasticsearch_kibana['ldap_server_port']
}
$calculated_content = inline_template('
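Review bot: `$ldap_port = $elasticsearch_kibana['ldap_server_port']` in the last branch takes the form value verbatim as a string with no range check, while the two fallbacks are integers; environment_config.yaml in this change only constrains the field to `^\d{0,5}$`, so `0` or `99999` reach the AuthLDAPURL unchanged. Validate it here or in kibana_authentication.pp with stdlib's `validate_integer($ldap_port, 65535, 1)`. Separately, `$ldap_authorization_enabled` is derived without regard to `$ldap_enabled`, so a consumer that tests only the authorization flag (firewall.pp in this change) sees true while LDAP is off; `$ldap_authorization_enabled = $ldap_enabled and ($elasticsearch_kibana['ldap_authorization_enabled'] or false)` makes the flag self-consistent at the source.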
@@ -102,7 +124,9 @@ lma::elasticsearch::vip: <%= @vip %>
lma::elasticsearch::es_haproxy_service: elasticsearch-rest
lma::elasticsearch::listen_address: <%= @listen_address%>
lma::elasticsearch::kibana_frontend_port: 80
+lma::elasticsearch::kibana_frontend_viewer_port: 81
lma::elasticsearch::apache_port: 80
+lma::elasticsearch::apache_viewer_port: 81
lma::elasticsearch::kibana_port: 5601
lma::elasticsearch::kibana_index: .kibana
lma::elasticsearch::rest_port: 9200
@@ -128,8 +152,29 @@ lma::kibana::tls:
hostname: <%= @kibana_hostname %>
cert_file_path: <%= @cert_file_path %>
<% end -%>
-lma::kibana::username: <%= @elasticsearch_kibana["kibana_username"] %>
-lma::kibana::password: <%= @elasticsearch_kibana["kibana_password"] %>
+lma::kibana::authnz:
+ username: <%= @elasticsearch_kibana["kibana_username"] %>
+ password: <%= @elasticsearch_kibana["kibana_password"] %>
+ ldap_enabled: <%= @ldap_enabled %>
+ ldap_authorization_enabled: <%= @ldap_authorization_enabled %>
+<% if @ldap_enabled -%>
+ ldap_servers:
+<% @ldap_servers.each do |s| -%>
+ - "<%= s %>"
+<% end -%>
+ ldap_protocol: <%= @ldap_protocol %>
+ ldap_port: <%= @ldap_port %>
+ ldap_bind_dn: <%= @ldap_bind_dn %>
+ ldap_bind_password: <%= @ldap_bind_password %>
+ ldap_user_search_base_dns: <%= @ldap_user_search_base_dns %>
+ ldap_user_attribute: <%= @ldap_user_attribute %>
+ ldap_user_search_filter: <%= @ldap_user_search_filter %>
+ ldap_group_attribute: <%= @ldap_group_attribute %>
+<% if @ldap_authorization_enabled -%>
+ ldap_admin_group_dn: <%= @ldap_admin_group_dn %>
+ ldap_viewer_group_dn: <%= @ldap_viewer_group_dn %>
+<% end -%>
+<% end -%>
')
file { $hiera_file:
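Review bot: `ldap_bind_password: <%= @ldap_bind_password %>` writes the secret into YAML as a plain scalar, whereas the server names a few lines above are double-quoted; a password that starts with a YAML indicator (`*`, `&`, `#`, `[`, `{`, `!`) or contains `: ` will either fail to parse or be reinterpreted when `hiera_hash` reads the file. Quote it as the servers are, `ldap_bind_password: "<%= @ldap_bind_password %>"`, and do the same for `ldap_bind_dn` and `ldap_user_search_filter`, which routinely contain commas, `=` and parentheses. Embedded double quotes or backslashes would still need escaping; if those must be allowed, emit the value through a YAML/JSON serializer instead of bare interpolation.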
diff --git a/deployment_scripts/puppet/manifests/kibana.pp b/deployment_scripts/puppet/manifests/kibana.pp
index 037e745..f1a480d 100644
--- a/deployment_scripts/puppet/manifests/kibana.pp
+++ b/deployment_scripts/puppet/manifests/kibana.pp
@@ -22,12 +22,27 @@ class { 'lma_logging_analytics::kibana':
version => '4.5.1',
}
+$authnz = hiera_hash('lma::kibana::authnz')
class { 'lma_logging_analytics::kibana_authentication':
- listen_address => hiera('lma::elasticsearch::listen_address'),
- listen_port => hiera('lma::elasticsearch::apache_port'),
- kibana_address => '127.0.0.1',
- kibana_port => hiera('lma::elasticsearch::kibana_port'),
- username => hiera('lma::kibana::username'),
- password => hiera('lma::kibana::password'),
- require => Class[lma_logging_analytics::kibana],
+ listen_address => hiera('lma::elasticsearch::listen_address'),
+ listen_port => hiera('lma::elasticsearch::apache_port'),
+ kibana_address => '127.0.0.1',
+ kibana_port => hiera('lma::elasticsearch::kibana_port'),
+ username => $authnz['username'],
+ password => $authnz['password'],
+ ldap_enabled => $authnz['ldap_enabled'],
+ ldap_protocol => $authnz['ldap_protocol'],
+ ldap_port => $authnz['ldap_port'],
+ ldap_servers => $authnz['ldap_servers'],
+ ldap_bind_dn => $authnz['ldap_bind_dn'],
+ ldap_bind_password => $authnz['ldap_bind_password'],
+ ldap_user_search_base_dns => $authnz['ldap_user_search_base_dns'],
+ ldap_user_search_filter => $authnz['ldap_user_search_filter'],
+ ldap_user_attribute => $authnz['ldap_user_attribute'],
+ ldap_authorization_enabled => $authnz['ldap_authorization_enabled'],
+ listen_port_viewer => hiera('lma::elasticsearch::apache_viewer_port'),
+ ldap_group_attribute => $authnz['ldap_group_attribute'],
+ ldap_admin_group_dn => $authnz['ldap_admin_group_dn'],
+ ldap_viewer_group_dn => $authnz['ldap_viewer_group_dn'],
+ require => Class[lma_logging_analytics::kibana],
}
diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
index efb5701..5c1a039 100644
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/manifests/kibana_authentication.pp
@@ -21,12 +21,59 @@ class lma_logging_analytics::kibana_authentication (
$kibana_address,
$username,
$password,
+ $ldap_enabled = false,
+ $ldap_protocol = undef,
+ $ldap_servers = [],
+ $ldap_port = undef,
+ $ldap_bind_dn = undef,
+ $ldap_bind_password = undef,
+ $ldap_user_search_base_dns = undef,
+ $ldap_user_search_filter = undef,
+ $ldap_user_attribute = undef,
+ $ldap_authorization_enabled = false,
+ $listen_port_viewer = undef,
+ $ldap_group_attribute = undef,
+ $ldap_admin_group_dn = undef,
+ $ldap_viewer_group_dn = undef,
) {
include lma_logging_analytics::params
- $apache_modules = ['proxy', 'proxy_http', 'rewrite',
- 'authn_file', 'auth_basic', 'authz_user']
+ validate_integer($listen_port)
+ validate_integer($kibana_port)
+
+ $default_apache_modules = ['proxy', 'proxy_http', 'rewrite',
+ 'authn_file', 'auth_basic', 'authz_user']
+
+ if $ldap_enabled {
+ if empty($ldap_servers) {
+ fail('ldap_servers list parameter is empty')
+ }
+ if ! $ldap_port { fail('Missing ldap_port parameter')}
+ if ! $ldap_protocol { fail('Missing ldap_protocol parameter')}
+ if ! $ldap_bind_dn { fail('Missing ldap_bind_dn parameter')}
+ if ! $ldap_bind_password { fail('Missing ldap_bind_password parameter')}
+ if ! $ldap_user_search_base_dns { fail('Missing ldap_user_search_base_dns parameter')}
+ if ! $ldap_user_search_filter { fail('Missing ldap_user_search_filter parameter')}
+ if ! $ldap_user_attribute { fail('Missing ldap_user_attribute parameter')}
+
+ if $ldap_authorization_enabled {
+ if ! $ldap_group_attribute {fail('Missing ldap_group_attribute parameter')}
+ if ! $ldap_admin_group_dn {fail('Missing ldap_admin_group_dn parameter')}
+ if ! $ldap_viewer_group_dn {fail('Missing ldap_viewer_group_dn parameter')}
+ if ! $listen_port_viewer {fail('Missing listen_port_viewer parameter')}
+
+ validate_integer($listen_port_viewer)
+ }
+ $apache_modules = concat($default_apache_modules, ['ldap', 'authnz_ldap'])
+
+ # LDAP url is used by apache::custom_config
+ $ldap_urls = suffix($ldap_servers, ":${ldap_port}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}")
+
+ $ldap_url = join($ldap_urls, ' ')
+ } else {
+ $apache_modules = $default_apache_modules
+ }
## Configure apache
class { 'apache':
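Review bot: `$ldap_urls = suffix($ldap_servers, ...)` followed by `join($ldap_urls, ' ')` appends the port, base DN, attribute, scope and filter to every server, but mod_authnz_ldap's AuthLDAPURL takes one space-separated host list before a single `:port/basedn?attribute?scope?filter` tail (`ldap://host1 host2:389/dc=...`), so with two or more servers the directive is malformed and the first host's filter swallows the remaining hosts. Build the host list first and append the tail once: `$ldap_hosts = join($ldap_servers, ' ')` then `$ldap_url = "${ldap_hosts}:${ldap_port}/${ldap_user_search_base_dns}?${ldap_user_attribute}?sub?${ldap_user_search_filter}"`. The block also calls `validate_integer` on the listen ports but not on `$ldap_port`, which arrives as a user-supplied string from hiera_override.pp; `validate_integer($ldap_port, 65535, 1)` next to the other checks rejects out-of-range values before they reach the URL. The class parameter list starts above this hunk and its body continues past it.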
@@ -55,8 +102,20 @@ class lma_logging_analytics::kibana_authentication (
require => Class[Apache],
}
- apache::custom_config { 'kibana-proxy':
- content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
- require => [Class['apache'], File[$htpasswd_file]],
+ if $ldap_authorization_enabled {
+ apache::custom_config { 'kibana-proxy':
+ content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
+ require => [Class['apache'], File[$htpasswd_file]],
+ }
+ apache::listen { "${listen_address}:${listen_port_viewer}": }
+ apache::custom_config { 'kibana-proxy-viewer':
+ content => template('lma_logging_analytics/apache_kibana_proxy_viewer.conf.erb'),
+ require => [Class['apache'], File[$htpasswd_file]],
+ }
+ } else {
+ apache::custom_config { 'kibana-proxy':
+ content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
+ require => [Class['apache'], File[$htpasswd_file]],
+ }
}
}
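Review bot: The `kibana-proxy` resource is now declared identically in both branches of `if $ldap_authorization_enabled`, and that test does not include `$ldap_enabled`, unlike the validation at the top of the class and the condition used in haproxy.pp. If the class is used with authorization on but LDAP off, `$listen_port_viewer` is never checked (that `fail` sits inside `if $ldap_enabled`) and `apache::listen { "${listen_address}:${listen_port_viewer}": }` can be declared with an empty port; the plugin's kibana.pp always passes the port, so this is reachable only for other callers. Hoisting `kibana-proxy` out of the conditional and guarding only the viewer resources with `$ldap_enabled and $ldap_authorization_enabled` removes both the duplication and the gap. The enclosing class ends at the closing brace of this hunk.
```puppet
  apache::custom_config { 'kibana-proxy':
    content => template('lma_logging_analytics/apache_kibana_proxy.conf.erb'),
    require => [Class['apache'], File[$htpasswd_file]],
  }
  if $ldap_enabled and $ldap_authorization_enabled {
    apache::listen { "${listen_address}:${listen_port_viewer}": }
    apache::custom_config { 'kibana-proxy-viewer':
      content => template('lma_logging_analytics/apache_kibana_proxy_viewer.conf.erb'),
      require => [Class['apache'], File[$htpasswd_file]],
    }
  }
```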
diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb b/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
index b6d1f1c..f3c1f5b 100644
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/spec/classes/lma_logging_analytics_kibana_authentication_spec.rb
@@ -20,18 +20,115 @@ describe 'lma_logging_analytics::kibana_authentication' do
:concat_basedir => '/foo' }
end
- let(:params) do
- {:listen_address => '127.0.0.1', :listen_port => 80,
- :kibana_address => '127.0.0.1', :kibana_port => 5106,
- :username => 'foouser', :password => 'foopass'
+ describe 'default parameters' do
+ let(:params) do
+ {:listen_address => '127.0.0.1', :listen_port => 80,
+ :kibana_address => '127.0.0.1', :kibana_port => 5106,
+ :username => 'foouser', :password => 'foopass'
+ }
+ end
+
+ it {
+ should contain_class('apache')
+ should contain_apache__custom_config('kibana-proxy')
+ should contain_htpasswd('foouser')
+ should contain_file('/etc/apache2/kibana.htpasswd')
+ }
+ end
+ describe 'ldap parameters' do
+ let(:params) do
+ {:listen_address => '127.0.0.1', :listen_port => 80,
+ :kibana_address => '127.0.0.1', :kibana_port => 5106,
+ :username => 'foouser', :password => 'foopass',
+ :ldap_enabled => true,
+ :ldap_protocol => 'ldap',
+ :ldap_port => 389,
+ :ldap_servers => ['ldap.foo.fr'],
+ :ldap_bind_dn => 'cn=admin,dc=example,dc=com',
+ :ldap_bind_password => 'foopass',
+ :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+ :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+ :ldap_user_attribute => 'uid',
+ }
+ end
+
+ it {
+ should contain_class('apache')
+ should contain_apache__custom_config('kibana-proxy')
+ should contain_htpasswd('foouser')
+ should contain_file('/etc/apache2/kibana.htpasswd')
+ }
+ end
+ describe 'ldap parameters are missing' do
+ let(:params) do
+ {:listen_address => '127.0.0.1', :listen_port => 80,
+ :kibana_address => '127.0.0.1', :kibana_port => 5106,
+ :username => 'foouser', :password => 'foopass',
+ :ldap_enabled => true,
+ :ldap_protocol => 'ldap',
+ :ldap_port => 389,
+ :ldap_servers => ['ldap.foo.fr'],
+ :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+ :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+ :ldap_user_attribute => 'uid',
+ }
+ end
+
+ it { is_expected.to raise_error(Puppet::Error, /Missing ldap_/) }
+ end
+
+ describe 'ldap parameters with authorization' do
+ let(:params) do
+ {:listen_address => '127.0.0.1', :listen_port => 80,
+ :kibana_address => '127.0.0.1', :kibana_port => 5106,
+ :username => 'foouser', :password => 'foopass',
+ :ldap_enabled => true,
+ :ldap_protocol => 'ldap',
+ :ldap_port => 389,
+ :ldap_servers => ['ldap.foo.fr'],
+ :ldap_bind_dn => 'cn=admin,dc=example,dc=com',
+ :ldap_bind_password => 'foopass',
+ :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+ :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+ :ldap_user_attribute => 'uid',
+ :ldap_authorization_enabled => true,
+ :listen_port_viewer => 81,
+ :ldap_group_attribute => 'memberUid',
+ :ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com',
+ :ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com',
+ }
+ end
+
+ it {
+ should contain_class('apache')
+ should contain_apache__custom_config('kibana-proxy')
+ should contain_htpasswd('foouser')
+ should contain_file('/etc/apache2/kibana.htpasswd')
}
end
- it {
- should contain_class('apache')
- should contain_apache__custom_config('kibana-proxy')
- should contain_htpasswd('foouser')
- should contain_file('/etc/apache2/kibana.htpasswd')
- }
+ describe 'ldap parameters with authorization missing' do
+ let(:params) do
+ {:listen_address => '127.0.0.1', :listen_port => 80,
+ :kibana_address => '127.0.0.1', :kibana_port => 5106,
+ :username => 'foouser', :password => 'foopass',
+ :ldap_enabled => true,
+ :ldap_protocol => 'ldap',
+ :ldap_port => 389,
+ :ldap_servers => ['ldap.foo.fr'],
+ :ldap_bind_dn => 'cn=admin,dc=example,dc=com',
+ :ldap_bind_password => 'foopass',
+ :ldap_user_search_base_dns => 'ou=groups,dc=example,dc=com',
+ :ldap_user_search_filter => '(&(objectClass=posixGroup)(memberUid=%s))',
+ :ldap_user_attribute => 'uid',
+ :ldap_authorization_enabled => true,
+ #:ldap_group_attribute => 'memberUid',
+ #:ldap_admin_group_dn => 'cn=admin_group,dc=example,dc=com',
+ #:ldap_viewer_group_dn => 'cn=viewer_group,dc=example,dc=com',
+ }
+ end
+
+ it { is_expected.to raise_error(Puppet::Error, /Missing/) }
+ end
end
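Review bot: The `'ldap parameters with authorization'` example asserts the same four resources as the default case and never checks the viewer-specific ones its parameters enable, so the new branch in kibana_authentication.pp is not actually exercised; add `should contain_apache__custom_config('kibana-proxy-viewer')` and `should contain_apache__listen('127.0.0.1:81')`. There is also no example for `:ldap_authorization_enabled => true` combined with `:ldap_enabled => false`, which is exactly the combination where firewall.pp and haproxy.pp disagree. The three commented-out parameters in the last `let(:params)` can simply be deleted, since the example's purpose is already stated in its description. The outer `describe` opens above this hunk.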
diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
index f2fc6a4..5fbbbef 100644
--- a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy.conf.erb
@@ -15,14 +15,32 @@
AuthName "Kibana Access"
AuthType Basic
AuthUserFile <%= @htpasswd_file %>
+<% if @ldap_enabled -%>
+ AuthBasicProvider file ldap
+ AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>"
+ AuthLDAPBindDN "<%= @ldap_bind_dn %>"
+ AuthLDAPBindPassword <%= @ldap_bind_password %>
+<% if @ldap_authorization_enabled -%>
+ AuthLDAPGroupAttribute <%= @ldap_group_attribute %>
+ AuthLDAPGroupAttributeIsDN off
+ AuthBasicAuthoritative on
+
+ require user <%= @username %>
+ Require ldap-group <%= @ldap_admin_group_dn %>
+
+<% else -%>
require valid-user
+<% end -%>
+<% else -%>
+ require valid-user
+<% end -%>
ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
RewriteEngine on
- RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
- RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA]
+ # Passthrough the request to Kibana with the orginal query string
+ RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L]
ErrorLog "/var/log/apache2/kibana_error.log"
ServerSignature Off
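Review bot: `AuthLDAPBindPassword <%= @ldap_bind_password %>` is the only LDAP directive here whose argument is not quoted, so a bind password containing whitespace is split into several arguments and Apache rejects the config, and on httpd 2.4.5+ a value beginning with `exec:` is treated as a program to run rather than a literal. Quote it like the DN and URL above, `AuthLDAPBindPassword "<%= @ldap_bind_password %>"`; embedded double quotes would still need escaping, so either reject them in environment_config.yaml or escape them in the template. The same unquoted directive appears in the new apache_kibana_proxy_viewer.conf.erb. Since this file now carries a directory credential, the mode `apache::custom_config` gives it is worth confirming; it is not visible from here.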
diff --git a/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
new file mode 100644
index 0000000..28e8a35
--- /dev/null
+++ b/deployment_scripts/puppet/modules/lma_logging_analytics/templates/apache_kibana_proxy_viewer.conf.erb
@@ -0,0 +1,56 @@
+# ************************************
+# Vhost template in module lma_logging_analytics
+# Managed by Puppet
+# ************************************
+
+:<%= @listen_port_viewer %>>
+ ServerName kibana
+ DocumentRoot "/opt/kibana"
+
+ ProxyRequests Off
+
+
+ Order Allow,Deny
+ Allow From All
+ AuthName "Kibana Access"
+ AuthType Basic
+ AuthUserFile <%= @htpasswd_file %>
+<% if @ldap_enabled -%>
+ AuthBasicProvider file ldap
+ AuthLDAPURL "<%= @ldap_protocol %>://<%= @ldap_url %>"
+ AuthLDAPBindDN "<%= @ldap_bind_dn %>"
+ AuthLDAPBindPassword <%= @ldap_bind_password %>
+<% if @ldap_authorization_enabled -%>
+ AuthLDAPGroupAttribute <%= @ldap_group_attribute %>
+ AuthLDAPGroupAttributeIsDN off
+ AuthBasicAuthoritative on
+
+ require user <%= @username %>
+ Require ldap-group <%= @ldap_viewer_group_dn %>
+ Require ldap-group <%= @ldap_admin_group_dn %>
+
+<% else -%>
+ require valid-user
+<% end -%>
+<% else -%>
+ require valid-user
+<% end -%>
+
+
+ ProxyPass / http://<%= @kibana_address %>:<%= @kibana_port %>
+ ProxyPassReverse / http://<%= @kibana_address %>:<%= @kibana_port %>
+ RewriteEngine on
+ # Deleting is forbidden for viewers
+ RewriteCond %{REQUEST_METHOD} DELETE
+ RewriteRule .* - [F,L]
+ # Creation/update is forbidden for viewers
+ RewriteCond %{REQUEST_METHOD} POST
+ RewriteCond %{QUERY_STRING} op_type=create
+ RewriteRule .* - [F,L]
+ # Passthrough the request to Kibana with the orginal query string
+ RewriteRule .* http://<%= @kibana_address %>:<%= @kibana_port %>%{REQUEST_URI} [P,QSA,L]
+
+ ErrorLog "/var/log/apache2/kibana_error.log"
+ ServerSignature Off
+ CustomLog "/var/log/apache2/kibana_access.log" combined
+
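Review bot: The comment `# Creation/update is forbidden for viewers` promises more than the rules deliver: only DELETE, and POST whose query string contains `op_type=create`, are rejected, so a PUT or a POST without that parameter is proxied to Kibana unchanged, and `%{QUERY_STRING}` is matched case-sensitively. A deny-list of methods is a fragile authorization boundary; prefer passing GET/HEAD plus an explicit allow-list of the POST paths the viewer UI needs (to be confirmed against the Kibana version deployed, if it uses POST for read-only queries) and rejecting everything else with `[F,L]`. Both vhosts also log to the same `/var/log/apache2/kibana_error.log` as the admin proxy (and apparently the same access log), which makes viewer and admin activity indistinguishable in the audit trail; give the viewer its own files, e.g. `/var/log/apache2/kibana_viewer_access.log`. The `AuthLDAPBindPassword` quoting point raised on apache_kibana_proxy.conf.erb applies here as well.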
diff --git a/environment_config.yaml b/environment_config.yaml
index 88847ab..1983edd 100644
--- a/environment_config.yaml
+++ b/environment_config.yaml
@@ -139,3 +139,177 @@ attributes:
- condition: "settings:elasticsearch_kibana.tls_enabled.value == false"
action: "hide"
# TLS Settings: END
+ # LDAP Settings: BEGIN
+ ldap_enabled:
+ value: false
+ label: 'Use LDAP for Kibana authentication'
+ description: ''
+ weight: 100
+ type: "checkbox"
+
+ ldap_protocol:
+ type: "radio"
+ value: 'ldap'
+ weight: 110
+ label: 'LDAP protocol'
+ values:
+ - data: "ldap"
+ label: "LDAP"
+ - data: "ldaps"
+ label: "LDAPS"
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+
+ ldap_servers:
+ value: ''
+ label: 'LDAP servers'
+ description: 'Specify one or several LDAP servers separated by space.'
+ weight: 120
+ type: "text"
+ regex:
+ source: '^\w[\w\-\s.]+$'
+ error: "You must provide a hostname or IP"
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_server_port:
+ value: ''
+ label: 'Port'
+ description: 'If empty, the default value is 389 for LDAP and 636 for LDAPS.'
+ weight: 130
+ type: "text"
+ regex:
+ source: '^\d{0,5}$'
+ error: "You must provide a valid port number"
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_bind_dn:
+ value: ''
+ label: 'Bind DN'
+ description: 'DN used to bind to the server when searching for entries.'
+ weight: 140
+ type: "text"
+ regex: ¬_empty_parameter
+ source: '\S'
+ error: "Invalid value"
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_bind_password:
+ value: ''
+ label: 'Bind password'
+ description: 'Password to use in conjunction with the bind DN.'
+ weight: 150
+ type: "password"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_user_search_base_dns:
+ value: ''
+ label: 'User search base DN'
+ description: 'The base DN to search for users.'
+ weight: 160
+ type: "text"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_user_attribute:
+ value: 'uid'
+ label: 'User attribute to search for'
+ description: "It's a good idea to choose an attribute that will be unique across all entries."
+ weight: 165
+ type: "text"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_user_search_filter:
+ value: '(objectClass=*)'
+ label: 'User search filter'
+ description: 'A valid LDAP search filter.'
+ weight: 170
+ type: "text"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+
+ ldap_authorization_enabled:
+ value: false
+ label: 'Enable group-based authorization'
+ description: 'It allows to associate the users with the Admin or Viewer role. Otherwise all users are assigned to admin role.'
+ weight: 200
+ type: "checkbox"
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+
+ ldap_group_attribute:
+ value: 'memberUid'
+ label: 'LDAP group attribute'
+ description: 'LDAP attribute used to identify the user members of groups.'
+ weight: 205
+ type: "text"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+ - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
+ action: disable
+
+ ldap_admin_group_dn:
+ value: ''
+ label: 'Group DN mapping to the Admins role'
+ description: ''
+ weight: 210
+ type: "text"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+ - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
+ action: disable
+
+ ldap_viewer_group_dn:
+ value: ''
+ label: 'Group DN mapping to the Viewers role'
+ description: ''
+ weight: 220
+ type: "text"
+ regex: *not_empty_parameter
+ restrictions:
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: hide
+ - condition: "settings:elasticsearch_kibana.ldap_enabled.value == false"
+ action: disable
+ - condition: "settings:elasticsearch_kibana.ldap_authorization_enabled.value == false"
+ action: disable
+ # LDAP Settings: END
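Review bot: `source: '^\d{0,5}$'` on `ldap_server_port` accepts `0` and anything up to `99999`, so the field passes ports the LDAP client cannot use while its error text claims a valid port is required; the empty match is the only part that the "default port" behaviour in hiera_override.pp relies on. A range-checking pattern keeps the optional-empty semantics: `source: '^([1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])?$'`. Note also that `ldap_authorization_enabled` is only hidden, not disabled, when LDAP is off, so a previously ticked value may survive into the hiera data, which is why firewall.pp and haproxy.pp can disagree. The `regex:` anchor on `ldap_bind_dn` renders here as `¬_empty_parameter`, presumably an extraction artifact of `&not_empty_parameter`; the later `*not_empty_parameter` aliases require the anchor to be present in the committed file.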