Sentinl supports authentication via Search Guard. There are several options available.
Authenticate search request
Kibana
- Authenticate Sentinl via single user -
sg_kibana_server
. Look this example.
Siren Platform (former Kibi)
- Authenticate Sentinl via single user - default
sentinl
from Access Controll app. For example, default kibi.yml
# Access Control configuration
kibi_access_control:
enabled: true
cookie:
password: "12345678123456781234567812345678"
admin_role: kibiadmin
sentinl:
elasticsearch:
username: sentinl
password: password
...
Kibana or Siren Platform
Also, there is a possibility to create multiple user credentials and assign these credentials to watchers, one credential per watcher. Thus authenticating each watcher separately. It is called impersonation. The credentials should be created in Search Guard and the required permissions should be assigned.
Then, put the following configuration inside kibana.yml
sentinl:
settings:
authentication:
enabled: true
mode: 'basic'
https: true
admin_username: 'sentinl'
admin_sha: '6859a748bc07b49ae761f5734db66848'
user_index: 'sentinl_users'
user_type: 'user'
verify_certificate: false
path_to_pem: '/home/kibi/.pem/sentinl.pem'
encryption:
algorithm: 'aes256'
key: 'b9726b04608ac48ecb0b6918214ade54'
iv_length: 16
Where admin_username
is Sentinl system user which should be added manualy in Search Guard. Create admin password hash admin_sha
using sentinl/scripts/encryptPassword.js
script. For this, edit variable plainTextPassword
value, replacing 'admin' with your password. Copy the generated hash and paste as the admin_sha
value.
The index defined by user_index
holds user documents, each one with username and sha hash. Set verify_certificate
to false
while using a self-signed certificate. Also, you can change password hashing complexity tunning options inside encryption
. Node.js crypto library is used to hash and unhash user password.
Finally, insert the user credentials into username
and password
input fields in the General tab of the watcher UI editor.
Note, these fields are visible only when the impersonation authentication type is enabled: true
. The fields are one-way only, you can insert credentials but you don't see them. This was done to prevent other Sentinl admins to see the credentials set by you.