Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wasilak/elastauth

forwardAuth proxy for Kibana providing integration for ldap
https://github.com/wasilak/elastauth

authelia forwardauth-proxy kibana kibana-proxy ldap

Last synced: about 9 hours ago
JSON representation

forwardAuth proxy for Kibana providing integration for ldap

Host: GitHub
URL: https://github.com/wasilak/elastauth
Owner: wasilak
License: mit
Created: 2021-03-03T13:54:58.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2024-11-09T10:25:40.000Z (6 days ago)
Last Synced: 2024-11-09T10:27:19.653Z (6 days ago)
Topics: authelia, forwardauth-proxy, kibana, kibana-proxy, ldap
Language: Go
Homepage: https://github.com/wasilak/elastauth
Size: 671 KB
Stars: 17
Watchers: 4
Forks: 1
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# elastauth

[![Docker Repository on Quay](https://quay.io/repository/wasilak/elastauth/status "Docker Repository on Quay")](https://quay.io/repository/wasilak/elastauth) [![CI](https://github.com/wasilak/elastauth/actions/workflows/main.yml/badge.svg)](https://github.com/wasilak/elastauth/actions/workflows/main.yml) [![Maintainability](https://api.codeclimate.com/v1/badges/d75cc6b44c7c33f0b530/maintainability)](https://codeclimate.com/github/wasilak/elastauth/maintainability) [![Go Reference](https://pkg.go.dev/badge/github.com/wasilak/elastauth.svg)](https://pkg.go.dev/github.com/wasilak/elastauth)

Designed to work as a forwardAuth proxy for Traefik (possibly others, like nginx, but not tested) in order to use LDAP/Active Directory for user access in Elasticsearch without paid subscription.

1. Request goes to Traefik
2. Traefik proxies it to Authelia in order to verify user
3. If it receives `200` forwards headers from Authelia to second auth -> kibana-auth-proxy
4. kibana-proxy-auth:
- generates random password for local Kibana user (has nothing to do with LDAP password)
- uses information from Authelia headers to create/update local user in Kibana + AD group/kibana roles mappings from config file
- generates and passes back to Traefik header:

```
Authorization: Basic XXXYYYZZZZ
```

5. Traefik passes user to Kibana with `Authorization` header which has password already set by kibana-proxy-pass and logs him/her in :)
6. Passwords are meant to have short time span of life and are regenerated transparently for user while using Kibana

Headers used by Authelia and kibana-auth-proxy:

```
remote-email
remote-groups
remote-name
remote-user
```

![architecture](https://github.com/wasilak/kibana-auth-proxy/blob/main/kibana-auth-proxy.png?raw=true)