Hi! I’m setting up a new Elasticsearch cluster in Kubernetes and I’m having some issues configuring SSO with Keycloak. When I try to log in to Kibana using Keycloak I get this error:
After doing some debugging, I saw that I have this JWT in the user column (that does not match any ACL block) and, after decoding it, I saw that the information corresponds to the same user that appears below, natalia.mellino@avature.net, where an ACL block does match.
When the JWT appears as the user in that column I cannot log in because none of the ACL blocks matches. The question would be: why does the JWT sometimes appear in the user column and other times the username? Are we maybe missing some config? It seems that when the username appears instead of the JWT an ACL block matches, but not when the JWT appears.
Elasticsearch version: 8.14.0
Kibana version: 8.12.1
Elasticsearch Readonlyrest version: 1.57.3
Kibana readonlyrest version: 1.55.0
Logs in Kibana:
[13:33:19:167] [error][plugins][ReadonlyREST][esClient] ES Authorization error: 403 Error: ES Authorization error: 403
at l.e (/opt/bitnami/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:17932)
at l.e (/opt/bitnami/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:5483)
at tryCatch (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:45:40)
at Generator.invoke [as _invoke] (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:274:22)
at Generator.prototype.<computed> [as next] (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:97:21)
at asyncGeneratorStep (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)
at _next (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
[13:33:19:168] [info][plugins][ReadonlyREST][authorizationHeadersValidation] Could not revalidate the session against ES: + WRONG_CREDENTIALS
Elasticsearch logs:
elasticsearch [2024-08-28T13:33:19,148][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-coordinating-0] FORBIDDEN by default req={ ID:06071f46-4e56-4a24-a413-b1b3e0ed81b4-1192484672#7894539, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:internal_ror/user_metadata/get, OA:192.168.34.155/32, XFF:192.168.33.192, DA:192.168.33.6/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=elasticsearch-coordinating-hl.elasticstack-logs.svc.cluster.local:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token-ba270930-4335-402e-9835-7b22da6667a6=e2b62507ae3de216550c3ed98809315acf004246e2905d63f0afd9ff6442214104b0f4ffbde311b59605aae701f09a13acaa6b36d0ecc900c69ae2342e894e40%7C1a06bdf1e87417aee7a5005e4554bda59fff3a23c80e5372296dd9dd948f5bac; kibana-session-cookie=1724851998.979.545.177311|a3c0f09ad87dd5aafd62e8cf9b06e3a7; rorCookie=Fe26.2**ac2a7fed04dc8906ff34579ae83de4bcef4bc5cd45de85681f81a002f61381d2*HbS9U_tUihhykupHhvzbRw*8e_bRty6y-T2G69inVtcz0F8_P4f9HHO1fe3KiLuYSdD8JlCLtrxNQnoMitDRnYp**64ece0275d4d04fd3081823d8805d8802ff475a43bb7546a7029279d8c1c8f43*2lA9umj-0sWMzL1AaqUPCL9V7Dpvw1o13LA51XGpyRs, traceparent=00-172384a5dea294bc370b1ad0a1db1d0c-e8428fac967f45d3-00, tracestate=es=s:0, x-forwarded-for=192.168.33.192, x-ror-correlation-id=06071f46-4e56-4a24-a413-b1b3e0ed81b4, x-ror-current-group=[object Object], x-ror-kibana-request-method=get, x-ror-kibana-request-path=/, x-ror-origin=saml_serv1, HIS:[::KIBANA-SRV::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [::LOGSTASH-SRV::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [::MONITORING::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [::OBSERVABILITY-ADMIN::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], [Observability SSO-> RULES:[ror_kbn_auth->false] RESOLVED:[group=[object Object]]], [Avature avasso - rObservability actions-> RULES:[ror_kbn_auth->true, actions->true] RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=adminAccessToKibanaQA]], [Avature avasso - rObservability-> RULES:[ror_kbn_auth->true, kibana_access->true, indices->true] RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=adminAccessToKibanaQA;kibana_idx=.kibana]], [Keycloak-> RULES:[ror_kbn_auth->true, kibana_access->true, indices->true] RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=readAccessToQAIndex;kibana_idx=.kibana]], }
Thanks in advance for any help you can provide
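The `FORBIDDEN by default` line above carries, in its `HIS:[...]` tail, the per-block evaluation trace that answers "which ACL block rejected me, and on which rule". Reading that by eye is error-prone, so below is an added triage script (written for this page, not part of ReadonlyREST or the poster's setup) that parses the trace into one record per block, reports the first failing rule of each block, collects the `user` values ROR resolved, and flags any resolved user that is shaped like a JWT rather than a username, which is the symptom the post describes. The `HIS` grammar it assumes is inferred from the line in the post; the sample line is a cut-down, constructed copy of that line (headers and cookies dropped), and the token used to exercise the JWT check is a dummy built in the script, not a real Keycloak token.

```python
import base64
import json
import re
from dataclasses import dataclass

# Constructed sample: the verdict, USR and HIS:[...] parts of the ReadonlyREST
# log line from the post, with the header and cookie noise removed.
SAMPLE_LINE = (
    "FORBIDDEN by default req={ TYP:RRUserMetadataRequest, USR:[no info about user], "
    "PTH:/_readonlyrest/metadata/current_user, "
    "HIS:[::KIBANA-SRV::-> RULES:[auth_key_sha256->false] RESOLVED:[group=[object Object]]], "
    "[Observability SSO-> RULES:[ror_kbn_auth->false] RESOLVED:[group=[object Object]]], "
    "[Avature avasso - rObservability actions-> RULES:[ror_kbn_auth->true, actions->true] "
    "RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];av_groups=adminAccessToKibanaQA]], "
    "[Keycloak-> RULES:[ror_kbn_auth->true, kibana_access->true, indices->true] "
    "RESOLVED:[user=natalia.mellino@avature.net;group=[object Object];"
    "av_groups=readAccessToQAIndex;kibana_idx=.kibana]], }"
)

# Assumed HIS grammar (from the line in the post):
#   [<block name>-> RULES:[rule->true, rule->false] RESOLVED:[k=v;k=v]],
# RESOLVED values may themselves contain brackets ("[object Object]"), so the
# block is closed by the first "]]" that is followed by a comma.
BLOCK_RE = re.compile(
    r"\[(?P<name>[^\[\]]*?)-> RULES:\[(?P<rules>[^\]]*)\] RESOLVED:\[(?P<resolved>.*?)\]\](?=,)"
)
VERDICT_RE = re.compile(r"\b(?P<verdict>ALLOWED|FORBIDDEN)\b(?: by (?P<reason>\S+))?")
USR_RE = re.compile(r"USR:(?P<user>\[[^\]]*\]|[^,]+)")
# Three base64url segments separated by dots: the shape of a compact JWS/JWT.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


@dataclass
class BlockTrace:
    name: str
    rules: list      # [(rule_name, passed), ...] in evaluation order
    resolved: dict   # variables ROR resolved while evaluating this block

    def first_failed_rule(self):
        return next((rule for rule, ok in self.rules if not ok), None)


def parse_history(line: str) -> list:
    """Turn the HIS:[...] trace into one BlockTrace per ACL block."""
    blocks = []
    for m in BLOCK_RE.finditer(line):
        rules = []
        for item in m.group("rules").split(","):
            rule, sep, verdict = item.strip().partition("->")
            if sep:
                rules.append((rule.strip(), verdict.strip() == "true"))
        resolved = {}
        for item in m.group("resolved").split(";"):
            key, sep, value = item.partition("=")
            if sep:
                resolved[key.strip()] = value.strip()
        blocks.append(BlockTrace(m.group("name").strip(), rules, resolved))
    return blocks


def looks_like_jwt(value: str) -> bool:
    return JWT_RE.match(value) is not None


def decode_jwt_payload(token: str) -> dict:
    """Decode only the payload segment, without any signature check: an
    inspection aid to see which identity a token carries, nothing more."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def summarize(line: str) -> dict:
    """Triage view of one ROR access log line."""
    verdict = VERDICT_RE.search(line)
    usr = USR_RE.search(line)
    blocks = parse_history(line)
    identities = sorted({b.resolved["user"] for b in blocks if "user" in b.resolved})
    return {
        "verdict": verdict.group("verdict") if verdict else None,
        "reason": verdict.group("reason") if verdict else None,
        "request_user": usr.group("user").strip() if usr else None,
        "all_rules_true": [b.name for b in blocks if b.first_failed_rule() is None],
        "rejected_at": {b.name: b.first_failed_rule() for b in blocks
                        if b.first_failed_rule() is not None},
        "identities": identities,
        "token_identities": [u for u in identities if looks_like_jwt(u)],
    }


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Dummy token (constructed here; the signature segment is a placeholder) used
# to show how a JWT landing in the user column would be flagged and inspected.
FAKE_JWT = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"preferred_username": "jane.doe@example.test"}),
    "fakesig",
])

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINE), indent=2))
    print("dummy token flagged:", looks_like_jwt(FAKE_JWT), decode_jwt_payload(FAKE_JWT))
```

On the line from the post the summary shows the two kinds of rejection side by side: the service-account blocks fail on `auth_key_sha256`, `Observability SSO` fails on `ror_kbn_auth`, while the blocks that resolved `user=natalia.mellino@avature.net` list every evaluated rule as `true` even though the request ended as `FORBIDDEN by default` with `USR:[no info about user]`. Running the same script over the log line from a session where the JWT shows up in the user column would put that token into `token_identities`, and `decode_jwt_payload` shows which claims it carries, which makes the two cases the poster describes directly comparable.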