Cannot login to Kibana using Keycloak

Hi! I’m setting up a new Elasticsearch cluster in Kubernetes and I’m having some issues configuring SSO with Keycloak. When I try to log in to Kibana using Keycloak I get this error:

image

After doing some debugging, I saw that I have this JWT in the user column (that does not match any ACL block) and, after decoding it, I saw that the information corresponds to the same user that appears below, natalia.mellino@avature.net, where an ACL block does match.

When the JWT appears as the user in that column I cannot log in because none of the ACL blocks match. The question would be: why does the JWT sometimes appear in the user column and other times the username? Are we maybe missing some config? It seems that when the username appears instead of the JWT an ACL block matches, but not when the JWT appears.

Elasticsearch version: 8.14.0
Kibana version: 8.12.1
Elasticsearch Readonlyrest version: 1.57.3
Kibana readonlyrest version: 1.55.0

Logs in Kibana:

[13:33:19:167] [error][plugins][ReadonlyREST][esClient] ES Authorization error: 403 Error: ES Authorization error: 403
    at l.e (/opt/bitnami/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:17932)
    at l.e (/opt/bitnami/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:5483)
    at tryCatch (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:45:40)
    at Generator.invoke [as _invoke] (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:274:22)
    at Generator.prototype.<computed> [as next] (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:97:21)
    at asyncGeneratorStep (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)
    at _next (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
[13:33:19:168] [info][plugins][ReadonlyREST][authorizationHeadersValidation] Could not revalidate the session against ES: + WRONG_CREDENTIALS

Elasticsearch logs:

elasticsearch [2024-08-28T13:33:19,148][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-coordinating-0] FORBIDDEN by default req={ ID:06071f46-4e56-4a24-a413-b1b3e0ed81b4-1192484672#7894539, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:internal_ror/user_metadata/get, OA:192.168.34.155/32, XFF:192.168.33.192, DA:192.168.33.6/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=elasticsearch-coordinating-hl.elasticstack-logs.svc.cluster.local:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token-ba270930-4335-402e-9835-7b22da6667a6=e2b62507ae3de216550c3ed98809315acf004246e2905d63f0afd9ff6442214104b0f4ffbde311b59605aae701f09a13acaa6b36d0ecc900c69ae2342e894e40%7C1a06bdf1e87417aee7a5005e4554bda59fff3a23c80e5372296dd9dd948f5bac; kibana-session-cookie=1724851998.979.545.177311|a3c0f09ad87dd5aafd62e8cf9b06e3a7; rorCookie=Fe26.2**ac2a7fed04dc8906ff34579ae83de4bcef4bc5cd45de85681f81a002f61381d2*HbS9U_tUihhykupHhvzbRw*8e_bRty6y-T2G69inVtcz0F8_P4f9HHO1fe3KiLuYSdD8JlCLtrxNQnoMitDRnYp**64ece0275d4d04fd3081823d8805d8802ff475a43bb7546a7029279d8c1c8f43*2lA9umj-0sWMzL1AaqUPCL9V7Dpvw1o13LA51XGpyRs, traceparent=00-172384a5dea294bc370b1ad0a1db1d0c-e8428fac967f45d3-00, tracestate=es=s:0, x-forwarded-for=192.168.33.192, x-ror-correlation-id=06071f46-4e56-4a24-a413-b1b3e0ed81b4, x-ror-current-group=[object Object], x-ror-kibana-request-method=get, x-ror-kibana-request-path=/, x-ror-origin=saml_serv1, HIS:[::KIBANA-SRV::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [::LOGSTASH-SRV::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [::MONITORING::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [::OBSERVABILITY-ADMIN::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], 
[Observability SSO-> RULES:[ror_kbn_auth->false] RESOLVED:[group=[object Object]]], [Avature avasso - rObservability actions-> RULES:[ror_kbn_auth->true, actions->true] RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=adminAccessToKibanaQA]], [Avature avasso - rObservability-> RULES:[ror_kbn_auth->true, kibana_access->true, indices->true] RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=adminAccessToKibanaQA;kibana_idx=.kibana]], [Keycloak-> RULES:[ror_kbn_auth->true, kibana_access->true, indices->true] RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=readAccessToQAIndex;kibana_idx=.kibana]], }

Thanks in advance for any help you can provide

@natalia.mellino

In the ROR ES log you sent us I see something like this:

group=[object Object];

And you wrote that you use:

Elasticsearch Readonlyrest version: 1.57.3
Kibana readonlyrest version: 1.55.0

I'm pretty sure that the issue is caused by different versions of the plugins. Both the ES and the KBN one should be the same version.

Could you please upgrade the Kibana one and check again?
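
A triage sketch for the symptom discussed in this thread, added here as an example (not code from ReadonlyREST or from either poster): it parses the `HIS:` block history of an audit line and lists the fields whose value arrived as `[object Object]`, the string JavaScript produces when an object is coerced to text. The sample line is constructed and shortened from the shape of the log above; the function names and the field layout the regexes assume are this example's own.

```python
import re

# Constructed sample, shortened from the shape of the ROR audit line in this thread.
SAMPLE = (
    "[INFO ][t.b.r.a.l.AccessControlLoggingDecorator] FORBIDDEN by default req={ "
    "ID:sample-1, USR:[no info about user], PTH:/_readonlyrest/metadata/current_user, "
    "HDR:Authorization=<OMITTED>, x-ror-current-group=[object Object], "
    "HIS:[::KIBANA-SRV::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], "
    "[Keycloak-> RULES:[ror_kbn_auth->true, kibana_access->true, indices->true] "
    "RESOLVED:[user=user@example.test;group=[object Object];kibana_idx=.kibana]], }"
)

# One history entry: [<block>-> RULES:[r1->true, r2->false] RESOLVED:[k=v;k=v]],
BLOCK_RE = re.compile(
    r"\[(?P<name>[^\[\]]+?)-> RULES:\[(?P<rules>[^\]]*)\] "
    r"RESOLVED:\[(?P<resolved>.*?)\]\],"
)
# Any header or resolved field whose value is a string-coerced JavaScript object.
COERCED_RE = re.compile(r"([\w-]+)=\[object Object\]")


def parse_history(line):
    """Return one dict per ACL block: its name, per-rule outcome, resolved fields."""
    blocks = []
    for m in BLOCK_RE.finditer(line):
        rules = {}
        for item in filter(None, m["rules"].split(", ")):
            rule, _, outcome = item.partition("->")
            rules[rule] = outcome == "true"
        blocks.append({"name": m["name"].strip(": "), "rules": rules,
                       "resolved": m["resolved"]})
    return blocks


def triage(line, es_plugin, kbn_plugin):
    """Summarise the signals worth checking before touching the ACL itself."""
    blocks = parse_history(line)
    return {
        "forbidden": "FORBIDDEN" in line,
        "all_rules_true": [b["name"] for b in blocks
                           if b["rules"] and all(b["rules"].values())],
        "coerced_fields": sorted(set(COERCED_RE.findall(line))),
        "plugin_versions_differ": es_plugin != kbn_plugin,
    }


if __name__ == "__main__":
    print(triage(SAMPLE, "1.57.3", "1.55.0"))
```
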

Hi! I’ll try upgrading Kibana to the same version and I’ll let you know if the issue persists. Thanks!
