Cookie length should be less than or equal to 4096

Hello!

I faced a very critical issue. Many users that have more than 30-40 groups in LDAP can’t access Kibana due to an oversized cookie. When I say oversized I mean from 5000 characters to 14000 characters. You can easily reproduce it with Keycloak. It makes using the Kibana RoR plugin impossible(((

 login:1 Set-Cookie header is ignored in response from url: https://dev.kibana.local/login. Cookie length should be less than or equal to 4096 characters.

I’d be happy if you fix it.

Hello @Maligos,
What version of ROR and what version of Kibana/Elasticsearch are you using?

6.7.1 ELK + Kibana
1.18.2 ROR (trial). We already use the Pro version, and are testing Enterprise. If it covers our cases we will upgrade to it.

Sure, working on this.

Hello @Maligos, can you try this build?

readonlyrest_kbn_enterprise-1.18.3-pre3-20190722_es6.7.1.zip

Hello @sscarduzio!

Didn’t work:

{"type":"log","@timestamp":"2019-07-23T10:54:42Z","tags":["fatal","root"],"pid":1,"message":"{ ValidationError: child \"readonlyrest_kbn\" fails because [child \"auth\" fails because [\"saml_kc\" is not allowed]]\n at Object.exports.process (/kibana/node_modules/joi/lib/errors.js:196:19)\n at internals.Object._validateWithOptions (/kibana/node_modules/joi/lib/types/any/index.js:675:31)\n at module.exports.internals.Any.root.validate (/kibana/node_modules/joi/lib/index.js:146:23)\n at Config._commit (/kibana/src/server/config/config.js:139:35)\n at Config.set (/kibana/src/server/config/config.js:108:10)\n at Config.extendSchema (/kibana/src/server/config/config.js:81:10)\n at extendConfigService (/kibana/src/plugin_discovery/plugin_config/extend_config_service.js:45:10) name: 'ValidationError' }"} FATAL ValidationError: child "readonlyrest_kbn" fails because [child "auth" fails because ["saml_kc" is not allowed]]

Strange! What’s the file name of the plugin you installed? And what’s your kibana.yml?

Filename: readonlyrest_kbn_enterprise-1.18.3-pre3-20190722_es6.7.1.zip
Kibana.yml is:

readonlyrest_kbn:
  logLevel: info
  auth:
    signature_key: 'HERE_IS_256_SYMBOLS'
    saml_kc:
      buttonName: "TEST SSO"
      enabled: true
      type: "saml"
      issuer: "c07eb4b5-67ec-40c4-99a7-e5aec833eb87"
      entryPoint: "https://keycloak.dev.local/auth/realms/master/protocol/saml"
      kibanaExternalHost: "dev.kibana.local"
      protocol: https
      usernameParameter: "nameID"
      groupsParameter: "samlGroups"
      logoutUrl: "https://keycloak.dev.local/auth/realms/master/broker/saml/endpoint"
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.ssl.verificationMode: none
logging.quiet: false
server.port: 5601
# xpack.security.enabled: false
# xpack.graph.enabled: false
# xpack.ml.enabled: false
# xpack.monitoring.enabled: false
# xpack.reporting.enabled: false
# xpack.watcher.enabled: false

The build I sent you was defective. Sorry. Here is another; this time I also tested it on my laptop.

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/kibana/readonlyrest_kbn_enterprise-1.18.3-pre5_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190723/eu-west-1/s3/aws4_request&X-Amz-Date=20190723T135647Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=7e6d0f26d00775b50dc2ca7cc4eb26bf97b67eb40ed8aaf9e410aa5ff88edfec

@sscarduzio

Same error with large cookie size(
Can you check locally with about 70-80 groups in Keycloak for a user? Each group must be at least 10 characters (larger is better) for representative results.
The problem users have about 110 groups, I checked again.

And three errors in the JS console. Maybe it will be useful.

I more than halved the cookie size, but 70-80 groups is entirely another level. Let’s see what we can do.

I can offer something. Use POST for receiving intermediate SAML groups instead of cookies, and store in rorCookie only the groups that are contained in the rules. It is a workaround, but it covers many cases. If it is possible, of course.

Hello @sscarduzio
Do you have any news or updates for this bug?

Yes, almost done. A lot of changes though; it will need a good session of manual testing too.
We managed to remove the list of groups and hidden apps from the cookie entirely. Also we managed to remove the use of cookies from the SAML connector, replacing it with session storage (which has a limit of 5MB in some browsers; in others it is unlimited).

Don’t hesitate to send me alpha/beta build for testing, I can help.


https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/kibana/readonlyrest_kbn_enterprise-1.18.3-20190725-pre6_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190725/eu-west-1/s3/aws4_request&X-Amz-Date=20190725T153133Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c58ade853df5a9e7b70c01dcc333a27b662da37b9e567b624f5c70d81e1fdb66

@sscarduzio
No errors. Can’t log in at all with the latest build(

{ isAuthenticated: false,
  isAuthorized: false,
  credentials: undefined,
  artifacts: undefined,
  strategy: 'single-sign-on',
  mode: 'try',
  error:
   { Error: Not authenticated
       at Object.<anonymous> (/kibana/plugins/readonlyrest_kbn/node_modules/hapi-passport-saml/lib/SchemeAuthenticate.js:39:20)
       at Generator.next (<anonymous>)
       at /kibana/plugins/readonlyrest_kbn/node_modules/hapi-passport-saml/lib/SchemeAuthenticate.js:7:71
       at new Promise (<anonymous>)
       at __awaiter (/kibana/plugins/readonlyrest_kbn/node_modules/hapi-passport-saml/lib/SchemeAuthenticate.js:3:12)
       at Object.authenticate (/kibana/plugins/readonlyrest_kbn/node_modules/hapi-passport-saml/lib/SchemeAuthenticate.js:12:84)
       at module.exports.internals.Manager.execute (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/toolkit.js:35:106)
       at module.exports.internals.Auth._authenticate (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/auth.js:265:58)
       at authenticate (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/auth.js:241:21)
       at Request._lifecycle (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/request.js:263:62)
     data: null,
     isBoom: true,
     isServer: false,
     output: { statusCode: 401, payload: [Object], headers: {} },
     reformat: [Function],
     typeof: [Function: unauthorized] } }

Do you have a forbidden log entry in ES as well?
Or any logs in the browser JS console? Or on the SAML server?

I tried to log in with a common user without many groups. It worked with all previous builds. Now I have a denied message, but the RoR config was not changed.

[2019-07-26T12:43:03,917][INFO ][t.b.r.a.l.AclLoggingDecorator] [es-client-659669b49f-rp726] FORBIDDEN by default req={  ID:699567731-1731378169#1443051,  TYP:RRAdminRequest,  CGR:N/A,  USR:[user not logged],  BRS:false,  KDX:null,  ACT:cluster:admin/rradmin/refreshsettings,  OA:10.255.73.46/32,  XFF:null,  DA:10.255.71.238/32,  IDX:<N/A>,  MET:GET,  PTH:/_readonlyrest/metadata/current_user,  CNT:<N/A>,  HDR:Connection=keep-alive, Content-Length=0, Host=elasticsearch:9200, authorization=<OMITTED>,  HIS:[::ADMINS::-> RULES:[ror_kbn_auth->false], RESOLVED:[]], [::GROUP2::-> RULES:[ror_kbn_auth->false], RESOLVED:[]], [::GROUP1::-> RULES:[ror_kbn_auth->false], RESOLVED:[]], [::DEFAULT::-> RULES:[ror_kbn_auth->false], RESOLVED:[]], [::KIBANA-SRV::-> RULES:[auth_key_sha256->false], RESOLVED:[]], [::LOGSTASH::-> RULES:[auth_key_sha256->false], RESOLVED:[]], [::STATS::-> RULES:[actions->false], RESOLVED:[]]  }