elastauth

Designed to work as a forwardAuth proxy for Traefik (possibly others, like nginx, but not tested) in order to use LDAP/Active Directory for user access in Elasticsearch without paid subscription.

Request goes to Traefik
Traefik proxies it to Authelia in order to verify user
If it receives 200 forwards headers from Authelia to second auth -> kibana-auth-proxy
kibana-proxy-auth:
- generates random password for local Kibana user (has nothing to do with LDAP password)
- uses information from Authelia headers to create/update local user in Kibana + AD group/kibana roles mappings from config file
- generates and passes back to Traefik header:
```
Authorization: Basic XXXYYYZZZZ
```
Traefik passes user to Kibana with Authorization header which has password already set by kibana-proxy-pass and logs him/her in :)
Passwords are meant to have short time span of life and are regenerated transparently for user while using Kibana

Headers used by Authelia and kibana-auth-proxy:

remote-email
remote-groups
remote-name
remote-user

Name		Name	Last commit message	Last commit date
Latest commit History 124 Commits
.github/workflows		.github/workflows
cache		cache
libs		libs
logger		logger
.env.example		.env.example
.gitignore		.gitignore
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
air.toml		air.toml
config.yml		config.yml
docker-compose.yml		docker-compose.yml
go.mod		go.mod
go.sum		go.sum
gopher.png		gopher.png
kibana-auth-proxy.png		kibana-auth-proxy.png
main.go		main.go

License

wasilak/elastauth

Folders and files

Latest commit

History

Repository files navigation

elastauth

About

Topics

Resources

License

Stars

Watchers

Forks

Languages