"Empty metadata" error in Kibana login + customHeaders request headers forwarding not working in (old) ROR

I’m using ldap to login, when I enter the wrong password I get an “Empty metadata” error. See screenshot:

Can I somehow change the text of the error to something more understandable?
version ROR
Enterprise-1.39.0_es7.15.1 :unicorn:

The “empty metadata” error message is presented in ReadonlyREST Free/PRO/Enterprise when the login request is checked by the ACL and gets accepted by an ACL block with no authentication rule in it.

An example of this would be:

   - name: "LDAP Auth"
     ldap_authentication: ...

   - name: "Allow requests from localhost"
     hosts: [""]

Imagine you run Elasticsearch and Kibana on the same host:

  • the Kibana user login request comes to Elasticsearch
  • Credentials are wrong, and the first block does not match
  • The second block is then evaluated, and the request is allowed because of its origin IP

As you can see, Elasticsearch has no user related information (metadata) to return to Kibana, and the error “Empty metadata” is shown.

If you remove or render more specific the second block, you will see “Wrong credentials” as expected.

Can you tell me how to set up the block
name: “Allow requests from localhost”
So that local requests do not require authorization, but this does not concern kibana.

It only comes to my mind to change
elasticsearch.hosts: [“http://localhost:9200”]
in kibana.yml to
elasticsearch.hosts: [“http://white ip:9200”]
But this is a bad option because it will increase the connection time of kibana to elasticsearch.

In general we highly discourage implementing access control using origin IPs alone, users should set up SSL, Basic HTTP auth in their agents in any case, even on localhost. The hosts rule would then be an extra protection.

If this is not possible for very important reasons, then I would prevent any Kibana originated request to match that rule by using the negated form of the headers rule. I.e.


  - name: "Allow requests from localhost"
    hosts: [""]
    headers: [ "~x-from-kibana:true" ]

kibana.yml (append)

  elasticsearch.customHeaders:  {"x-from-kibana":"true"}

Upgrading ROR from 1.39 to 1.43 fixed the header issue.

1 Like