The rest of the configuration such as Elasticsearch URL, password, etc are given as environment variables. This docker container runs inside a Nomad Cluster.
When running just one instance of Kibana with installed ROR, we find that the application works seamlessly.
We are using proxy auth, so it can be said that the setting --readonlyrest_kbn.proxy_auth_passthrough=true worked. So, we also added the cookiePass and the kibanaIndexTemplate settings as CLI arguments. However, we find that:
When a new user logs in, the .kibana_template is not copied to the .kibana_{tenant} index.
When we run multiple instances of kibana behind the proxy, the auth sessions is not retained and the user gets logged out abruptly.
Is it that these configurations cannot be passed as CLI arguments? Or we are doing something wrong here?
readonlyrest_kbn.cookiePass only works in old versions of Kibana as stated in our documentation. Please use sticky sessions in your load balancer and try again.
This will cause a huge amount of havoc in our system. All kibana’s run in the nomad/k8 cluster. They can be restarted/moved at any time. Sticky balancing will not help.
Indeed this would require us to run a kibana-per-tenant, which makes the RoR kibana plugin not needed. Am I misunderstanding?
We don’t see this behavior with xpack. We can login, then move across kibana instances. (@anishm , is this really correct?)
Yes, the setting in xpack setting XPACK_SECURITY_ENCRYPTIONKEY allows us to share a common “cookiePass” across x-pack Kibana instances.
Can you also please let me know why is the configuration for kibanaIndexTemplate not passing through? We have that setting enabled in command line, but the indices .kibana_{tenant} for new tenants don’t have the data that the template did.
Not sure why it didn’t pass, or simply something did not work. Maybe when you test the new build I’m giving you, try again after deleting the .kibana_tenant index after commenting out some “verbosity: error” in readonlyrest.yml so we shall see if the reindex request (copying the documents from template kibana index) comes in or not, and if fails.
I tested the build you sent, and the cookiePass setting worked. I ran multiple kibana indices and the cookie was able to maintain the session and did not get logged out.
However, the kibana_template is not working as of now. I tried with a new tenant, and an older one.
I ran with verbosity info, but did not see reindexing starting up.