Auth problem after updating to 6.0

I have updated to Elasticsearch and Kibana 6.0. I also updated to the RoR plugin which supports this version.

I have the stack to a point where everything is running. One problem I had to solve was the fact that the “.kibana” index was not compatible. So I followed a migration for this: https://www.elastic.co/guide/en/kibana/current/migrating-6.0-index.html.

When I now open Kibana, I need to log in. When I do so, I get some errors in my log. Logging in should not be required, as I am using nginx to take care of the read-only login for RoR.

My logs included:

[2017-11-25T15:35:42,189][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1172552882-1280786755#664, TYP:UpdateRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/update, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/index-pattern%3Aslack/_update?refresh=wait_for, CNT:<OMITTED, LENGTH=8272>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::KIBANA-SRV::->[auth_key_sha256->false]], [::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]], [::RW DEVELOPER::->[auth_key_sha256->false]] }
[2017-11-25T15:35:42,190][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1246710657-456782184#665, TYP:UpdateRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/update, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/index-pattern%3Adiscourse/_update?refresh=wait_for, CNT:<OMITTED, LENGTH=5611>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]], [::RW DEVELOPER::->[auth_key_sha256->false]], [::KIBANA-SRV::->[auth_key_sha256->false]] }
[2017-11-25T15:35:42,228][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:2121578520-892336636#666, TYP:UpdateRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/update, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/index-pattern%3Agithub/_update?refresh=wait_for, CNT:<OMITTED, LENGTH=7756>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::RW DEVELOPER::->[auth_key_sha256->false]], [::KIBANA-SRV::->[auth_key_sha256->false]], [::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]] }
[2017-11-25T15:35:43,189][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1946456426-1504237983#671, TYP:UpdateRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/update, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/index-pattern%3Arssblog/_update?refresh=wait_for, CNT:<OMITTED, LENGTH=3487>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]], [::RW DEVELOPER::->[auth_key_sha256->false]], [::KIBANA-SRV::->[auth_key_sha256->false]] }
[2017-11-25T15:35:43,192][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:128451675-1136894506#672, TYP:UpdateRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/update, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/index-pattern%3Arssforum/_update?refresh=wait_for, CNT:<OMITTED, LENGTH=3488>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::RW DEVELOPER::->[auth_key_sha256->false]], [::KIBANA-SRV::->[auth_key_sha256->false]], [::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]] }

Does anyone have an idea what is wrong?

Note: with that kibana index migration, I no longer have .kibana, but .kibana-6. This is set in the kibana.yml. In my elasticsearch.yml I included the new .kibana-6 for authorization.

I have it working, all my dashboards are showing again.

What I did was remove the RoR plugin to verify that elastic itself, including all my dashboards, were working. That was the case.

I then reinstalled the RoR plugin, and my dashboards keep showing. They are also in read-only mode with the RoR plugin.

I am using this case to put authentication in place: GitHub - sscarduzio/elasticsearch-readonlyrest-plugin: Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing

I now have another problem though. I normally enter my dashboard through the localhost URL (VPN, tunneling etc.), to bypass nginx and HTTP auth. RoR then provides me with a login prompt, so I can log in with the admin account. This provides me with edit rights.

However, after the upgrade, it does not allow me to edit my dashboards, even if I log in with the admin account which has ‘rw’ rights instead of the default user ‘ez’ with ‘ro_strict’ rights.

I get this in my log when trying to edit:

[2017-11-25T17:57:23,639][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1670990253-2060647013#7707, TYP:IndexRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/index, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/dashboard%3A5fb6f850-7821-11e7-b44d-4109e3645476?refresh=wait_for, CNT:<OMITTED, LENGTH=2346>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::KIBANA-SRV::->[auth_key_sha256->false]], [::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]], [::RW DEVELOPER::->[auth_key_sha256->false]] }
[2017-11-25T17:57:32,480][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1671531371-1612262715#7760, TYP:IndexRequest, CGR:N/A, USR:ez, BRS:false, ACT:indices:data/write/index, OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/dashboard%3A5fb6f850-7821-11e7-b44d-4109e3645476?refresh=wait_for, CNT:<OMITTED, LENGTH=2346>, HDR:authorization,Connection,Content-Length,content-type,Host, HIS:[::RW DEVELOPER::->[auth_key_sha256->false]], [::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]], [::KIBANA-SRV::->[auth_key_sha256->false]] }

As you can see it mentions USR:ez. And I logged in with my admin account, which is not ‘ez’.

Could this be a bug in the plugin?
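Added example (not part of any post, and not ReadonlyREST code): a small Python parser for the ACL lines quoted above. It reads the HIS field to show which block accepted the credentials yet still rejected the request. The sample line is constructed in the same format with shortened values, and treating any rule whose name starts with auth_key as the authentication rule is an assumption.

```python
import re

# Constructed sample in the format of the ACL lines quoted in the thread (values shortened).
SAMPLE = (
    "[2017-11-25T17:57:23,639][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ "
    "ID:1-2#3, TYP:IndexRequest, USR:ez, ACT:indices:data/write/index, "
    "OA:127.0.0.1, IDX:.kibana-6, MET:POST, PTH:/.kibana-6/doc/dashboard%3Aexample, "
    "HIS:[::KIBANA-SRV::->[auth_key_sha256->false]], "
    "[::RO DEVELOPER::->[kibana_access->false, auth_key_sha256->true]], "
    "[::RW DEVELOPER::->[auth_key_sha256->false]] }"
)

FIELD_RE = re.compile(r"\b(USR|ACT|IDX|MET):([^,]+),")
BLOCK_RE = re.compile(r"\[::(.+?)::->\[(.*?)\]\]")
ANSI_RE = re.compile(r"(?:\x1b|\be)\[\d+m")  # colour codes, intact or with ESC lost ("e[35m")


def parse_acl_line(line):
    """Return the request fields and per-block rule outcomes from one ACL log line."""
    line = ANSI_RE.sub("", line)
    fields = dict(FIELD_RE.findall(line))
    his = line.split("HIS:", 1)[1] if "HIS:" in line else ""
    history = {}
    for block, rules in BLOCK_RE.findall(his):
        history[block] = {
            name.strip(): outcome.strip() == "true"
            for name, outcome in (r.split("->") for r in rules.split(","))
        }
    return fields, history


def explain_denial(line):
    """List blocks whose credentials matched but which still rejected the request."""
    fields, history = parse_acl_line(line)
    findings = []
    for block, rules in history.items():
        # Assumption: rules named auth_key* are the ones that check credentials.
        authed = any(ok for name, ok in rules.items() if name.startswith("auth_key"))
        failed = sorted(name for name, ok in rules.items() if not ok)
        if authed and failed:
            findings.append((block, failed))
    return fields.get("USR"), fields.get("IDX"), findings


if __name__ == "__main__":
    print(explain_denial(SAMPLE))
```

For the sample this reports user ez on index .kibana-6, with the RO DEVELOPER block accepting the credentials and failing only on kibana_access.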

Because this is a dashboard running in production, I’ve performed a full rollback. I might attempt an upgrade at a later point.

If you are using a kibana index other than the default .kibana you have to inform ROR by adding the kibana_index rule to the block that contains kibana_access, otherwise the kibana access logic will assume the kibana index is the default.

Find (a bit) more about this in the docs

I added that to my access block, but still had problems. But I also had other problems, so had no other option than to do a rollback.