"Empty metadata" error in Kibana login + customHeaders request headers forwarding not working in (old) ROR

I’m using LDAP to log in. When I enter the wrong password I get an “Empty metadata” error. See screenshot:

Can I somehow change the text of the error to something more understandable?
version ROR
Enterprise-1.39.0_es7.15.1 :unicorn:

The “empty metadata” error message is presented in ReadonlyREST Free/PRO/Enterprise when the login request is checked by the ACL and gets accepted by an ACL block with no authentication rule in it.

An example of this would be:

readonlyrest:
  access_control_rules:
   - name: "LDAP Auth"
     ldap_authentication: ...

   - name: "Allow requests from localhost"
     hosts: ["127.0.0.1"]

Imagine you run Elasticsearch and Kibana on the same host:

  • the Kibana user login request comes to Elasticsearch
  • Credentials are wrong, and the first block does not match
  • The second block is then evaluated, and the request is allowed because of its origin IP

As you can see, Elasticsearch has no user related information (metadata) to return to Kibana, and the error “Empty metadata” is shown.

If you remove the second block or make it more specific, you will see “Wrong credentials” as expected.

Can you tell me how to set up the block
name: "Allow requests from localhost"
so that local requests do not require authorization, but this does not concern Kibana?

It only comes to my mind to change
elasticsearch.hosts: ["http://localhost:9200"]
in kibana.yml to
elasticsearch.hosts: ["http://white ip:9200"]
But this is a bad option because it will increase the connection time of Kibana to Elasticsearch.

In general we highly discourage implementing access control using origin IPs alone. Users should set up SSL and Basic HTTP auth in their agents in any case, even on localhost. The hosts rule would then be an extra protection.

If this is not possible for very important reasons, then I would prevent any Kibana-originated request from matching that rule by using the negated form of the headers rule, i.e.

readonlyrest.yml

  - name: "Allow requests from localhost"
    hosts: ["127.0.0.1"]
    headers: [ "~x-from-kibana:true" ]

kibana.yml (append)

  elasticsearch.customHeaders:  {"x-from-kibana":"true"}

Upgrading ROR from 1.39 to 1.43 fixed the header issue.

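The block evaluation discussed in this thread, as an added example that is not part of the original posts and is not ReadonlyREST's own code: a simplified Python model of first-match ACL evaluation, showing why the login falls through to the localhost block and how the negated headers rule stops it. The user directory, request objects and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory.
VALID_USERS = {"alice": "correct-password"}

@dataclass
class Request:
    origin: str
    user: str = ""
    password: str = ""
    headers: dict = field(default_factory=dict)

# Each rule returns (matched, metadata); only an authentication rule yields metadata.
def ldap_auth(req):
    ok = req.user in VALID_USERS and VALID_USERS[req.user] == req.password
    return ok, ({"username": req.user} if ok else {})

def hosts(allowed):
    return lambda req: (req.origin in allowed, {})

def not_header(name, value):
    # Negated headers rule ("~name:value"): matches when the header is absent or differs.
    return lambda req: (req.headers.get(name) != value, {})

def evaluate(acl, req):
    """First block whose rules all match wins; returns (block_name, metadata)."""
    for name, rules in acl:
        results = [rule(req) for rule in rules]
        if all(ok for ok, _ in results):
            metadata = {}
            for _, meta in results:
                metadata.update(meta)
            return name, metadata
    return None, {}

def login_outcome(acl, req):
    """Message the Kibana login ends up with, as described in the thread."""
    block, metadata = evaluate(acl, req)
    if block is None:
        return "Wrong credentials"
    return "OK" if metadata else "Empty metadata"

ORIGINAL = [("LDAP Auth", [ldap_auth]),
            ("Allow requests from localhost", [hosts({"127.0.0.1"})])]
HARDENED = [("LDAP Auth", [ldap_auth]),
            ("Allow requests from localhost",
             [hosts({"127.0.0.1"}), not_header("x-from-kibana", "true")])]

KIBANA_BAD_LOGIN = Request("127.0.0.1", "alice", "wrong", {"x-from-kibana": "true"})
LOCAL_AGENT = Request("127.0.0.1")  # no credentials, no Kibana header
```

With `ORIGINAL`, the failed Kibana login is accepted by the second block and carries no user metadata; with `HARDENED`, it matches no block, while a local agent without the header is still allowed.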