Keycloak integration failing with 403 forbidden

Hi! I’m using the trial for ROR Enterprise and I’m working on setting up SAML with Keycloak on my local ELK running in Kubernetes. I followed the instructions from the documentation to set up both the Keycloak side and the ELK side, but I am not able to log in with Keycloak because I get redirected to the login screen again. I’ll leave here the config that I’m using and the output from the logs.

Elasticsearch version: 8.10.4
Kibana version 8.10.4
ROR-ES version: 1.53.0_es8.10.4
ROR-Kibana version: 1.53.0_es8.10.4

My configs:

readonlyrest.yml:

readonlyrest:
  audit_collector: true
  audit_index_template: "'readonlyrest_audit'-yyyy"
  prompt_for_basic_auth: false
  response_if_req_forbidden: Access forbidden
  access_control_rules:
    - name: "Allow requests for cluster health"
      hosts:
        - elasticsearch-all-master-hl.elk.svc.cluster.local,
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error
    - name: "ReadonlyREST Enterprise instance #1"
      kibana:
        access: admin
        index: "*"
      ror_kbn_auth:
        name: "keycloak"
  ror_kbn:
    - name: keycloak
      signature_key: <some_key>

kibana.yml

pid.file: /opt/bitnami/kibana/tmp/kibana.pid
server.host: "::"
server.port: 5601
elasticsearch.hosts: [http://elasticsearch-all-master-hl.elk.svc.cluster.local:9200]
server.rewriteBasePath: false
elasticsearch.password: kibana
elasticsearch.requestHeadersWhitelist:
- authorization
- x-forwarded-user
- x-access-group
elasticsearch.username: kibana
readonlyrest_kbn.auth:
  saml_serv1:
    buttonName: Keycloak
    cert: <cert_from_keycloak>
    enabled: true
    entryPoint: https://vkeycloak.obs/realms/vkibana/protocol/saml
    groupsParameter: memberOf
    issuer: http://kibana.local/
    kibanaExternalHost: kibana.local
    logoutUrl: https://vkeycloak.obs/realms/vkibana/protocol/saml/resolve
    protocol: http
    type: saml
    usernameParameter: nameID
  signature_key: <some_key>
readonlyrest_kbn.license.activationKeyFilePath: /etc/kibana/ROR_ACTIVATION_KEY.txt
readonlyrest_kbn.license.activationKeyRetrievalModes:
- file
readonlyrest_kbn.logLevel: debug
readonlyrest_kbn.login_subtitle: Blah
readonlyrest_kbn.login_title: Welcome to Kibana
readonlyrest_kbn.multiTenancyEnabled: false
readonlyrest_kbn.session_timeout_minutes: 720
readonlyrest_kbn.store_sessions_in_index: true
server.publicBaseUrl: http://vkibana.local
xpack.apm.enabled: false
xpack.apm.ui.enabled: false
xpack.canvas.enabled: false
xpack.infra.enabled: false
xpack.reporting.roles.enabled: false
xpack.security.enabled: false

Output from Kibana:

[warning][plugins][ReadonlyREST][samlController] JWT token size is approaching the limit (size: 7444 of 8185 Bytes)! Please set "readonlyrest_kbn.logLevel: debug", look for "Created JWT for ROR with claims" in Kibana logs, and inspect for any data duplication in the JSON Object. If no data is being duplicated, this user has too many groups, or the individual group strings length are too long.
...
Created JWT for ROR with claims: {"user":"natalia.mellino@avature.net","groups":[....],,"assertion":{"issuer":"https://vkeycloak.obs/realms/vkibana","inResponseTo":"_c1e6609e5960c84ab711","sessionIndex":"f6e22e53-c24e-4e3f-934d-a112fd6ede0f::fcebcc76-f673-4ea7-a4d8151742a85b14","nameID":"user@email","nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","Role":"default-roles-vkibana"},"x-ror-origin":"saml_serv1"}, (size: 7444 of 8185 Bytes))
...
[15:24:52:231] [error][plugins][ReadonlyREST][esClient] ES Authorization error: 403 Error: ES Authorization error: 403
at l.e (/opt/bitnami/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:17932)                                                                                                                         
at l.e (/opt/bitnami/kibana/plugins/readonlyrestkbn/proxy/core/esClient.js:1:5483)                                                                                                                          
at tryCatch (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:45:40)
at Generator.invoke [as _invoke (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:274:22)                                                            
at Generator.prototype.<computed> [as next] (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/regenerator-runtime/runtime.js:97:21)                                                                 
at asyncGeneratorStep (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:3:24)                                                               
at _next (/opt/bitnami/kibana/plugins/readonlyrestkbn/node_modules/@babel/runtime/helpers/asyncToGenerator.js:25:9)  
at processTicksAndRejections (node:internal/process/task_queues:95:5)                                                                                                                                       
[15:24:52:231] [debug][plugins][ReadonlyREST][authController] login request rejected: username: user@email                                                                                 
 [15:24:52:231] [info][plugins][ReadonlyREST][authController] Could not login in: WRONG_CREDENTIALS                                                                                                              
[15:24:52:232] [debug][plugins][ReadonlyREST][authorizationHeadersValidation] There is no identity session. Token revalidation aborted

Output from ES:

FORBIDDEN by default req={ ID:1302400855-1579723820#7672, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:internal_ror/user_metadata/get, OA:10.42.2.185/32, XFF:null, DA:10.42.2.187/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=elasticsearch-all-master-hl.elk.svc.cluster.local:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token-e4dbaf9d-cf83-4b04-849c-b7c2dcbf1ea2=db98b0855dc77aa82550b6b0ed2826dc3be1f4233c17a7b2cf7fb1fc87c923c7; x-csrf-token-3bc0d56a-79f6-4130-ad92-e22db46786aa=68210960520eeb131adb624a5c05da862f6aee2116d325ae1f02fc6912b18b70; x-csrf-token-fac7fd9d-31b9-492a-b02a-4e04ab1c0210=ec233016b9cdeee750e2b628f9769b374d69661c5fe90322cdf3c4083905bf9e; x-csrf-token-305fcb86-d097-4029-93ce-c0174c5d92cc=a65ec15ebe34a5731f014565965d49baca223e6fb9a056a5ac1141abfb28d268; rorCookie_saml_serv1=s%3A79U7QZvIqOufONWwDebIyrzWIHmxTt3w.87Ol7zTjoH%2F%2FHjB3dEuGY5Ezq%2BFCmuHU9nmUD6JBPoU, elastic-apm-traceparent=00-0b6e3b4ff53c79217176d95e9ee87090-eef4e51fd8970620-00, traceparent=00-0b6e3b4ff53c79217176d95e9ee87090-eef4e51fd8970620-00, tracestate=es=s:0, x-ror-origin=saml_serv1, HIS:[Allow requests for cluster health-> RULES:[hosts->false]], [::KIBANA-SRV::-> RULES:[auth_key->false]], [ReadonlyREST Enterprise instance #1-> RULES:[ror_kbn_auth->false]], }

It is not a problem with my credentials since I’ve already checked that they are correct, and I see in Keycloak that I’m getting authenticated, but ES is throwing me a ‘forbidden’. Another thing that caught my attention is that in the ES logs I see USR:[no info about user] instead of my username. I don’t know if that’s the expected behavior or not, but I point it out just in case.

Any help with this will be appreciated, thanks in advance!

I think ROR ES was not able to decode the JWT passed in the Authorization header. Could you please enable ROR ES debug logs and find the FORBIDDEN log? Instead of Authorization=<OMITTED> you should see the token. Could you please send it to us to analyze?

Ok, I don’t know what happened, but I redeployed my cluster to try out the debug mode and when I log in now I can see that ES allowed me. I didn’t change anything, though. But now I see a different error:

ES shows success:

elasticsearch [2023-12-04T19:50:29,278][INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-all-master-1] ALLOWED by { name: 'ReadonlyREST Enterprise instance #1', policy: ALLOW, rules: [ror_kbn_auth,kibana] req={ ID:1945613643-2144972806#1286, TYP:RRUserMetadataRequest, CGR:<N/A>, USR:user@email, BRS:true, KDX:*, ACT:cluster:internal_ror/user_metadata/get, OA:10.42.2.222/32, XFF:null, DA:10.42.2.220/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Authorization=<OMITTED>, Connection=close, Host=elasticsearch-all-master-hl.elk.svc.cluster.local:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, cookie=x-csrf-token-e4dbaf9d-cf83-4b04-849c-b7c2dcbf1ea2=db98b0855dc77aa82550b6b0ed2826dc3be1f4233c17a7b2cf7fb1fc87c923c7; x-csrf-token-3bc0d56a-79f6-4130-ad92-e22db46786aa=68210960520eeb131adb624a5c05da862f6aee2116d325ae1f02fc6912b18b70; x-csrf-token-fac7fd9d-31b9-492a-b02a-4e04ab1c0210=ec233016b9cdeee750e2b628f9769b374d69661c5fe90322cdf3c4083905bf9e; x-csrf-token-305fcb86-d097-4029-93ce-c0174c5d92cc=aa6aaf8103ed6a001330ac540272255e3037b7ecdafade41719f5ef1db3d7284; x-csrf-token-7ce823ab-1aa0-44bc-bd9f-fead7b598ae2=f5df3f972db9ef6e717fcbbd3fed57400923dfe48529500ccf092c6242921579; x-csrf-token-219ecff9-ba4f-4f95-a79c-042af9d45e30=d7a47aea897d905af7a92404f907f9a64face05308f72680a39ba14ea92d8962; x-csrf-token-226c57d7-c26c-458b-9d19-1ab217c92bc4=567fbeb7249cb40973fa1d2d894df277a908be1551bc77854a6a831b43e68860; x-csrf-token-f13d2833-cab1-4218-99b2-0aef70ab3e03=235adbc4e798f4c0c216d274607a589e1f475094720a7aea48801cf037bfe143; x-csrf-token-e322cf66-f1d1-40c6-9d6e-ea309a5a8ac2=b01fd66df7eafbacccf659b92d1d4faa6af2b302d18de3b26f0b127f59c8e964; x-csrf-token-36599ae2-1683-4ef3-8250-8a1a4e995eb2=f7ebbb8cb0d0d892215c0f6929c75ad5e82c40361fc4e127780732b99b3ee211; 
x-csrf-token-fe33758f-0513-4f98-b74d-53cae6ec98d4=dbf12871a167849d8f52aa4b425402c472f329f55e45fe697093fb757aff7fba; x-csrf-token-41e79e67-bde0-4ce2-b91b-1b00b2805ea0=177affd4f50077c0ecb6a87128ae1e113c9e14b4c94a66e53606e05ea93af80e; rorIgnoreActivationKeyInfo=true; x-csrf-token-a443af65-6e10-4eff-a2f5-59fdd3430ae4=2274fcf5db68ebc277cbcdb67ccb2e376981472cef003f7e54a4715e49d3103d; x-csrf-token-4f38b9f7-567c-41a0-aae3-3e8119070c7b=6cfc5cc5b992de61625c9477ebd41b35167e6166f8a5905c9cafad4d0de8c120; rorCookie_saml_serv1=s%3ABY86V_fvEJzjhAdSN4BG2gIeaziPqZFu.Jyj7KsA2blXXPaPEVvX2mD2RKVaG1dML8rI49EMdbPQ, elastic-apm-traceparent=00-4e950815e9a29dc067a1e6757d9a1407-5c2e2e4e923d2b0f-00, traceparent=00-4e950815e9a29dc067a1e6757d9a1407-5c2e2e4e923d2b0f-00, tracestate=es=s:0, x-ror-origin=saml_serv1, HIS:[Allow requests for cluster health-> RULES:[hosts->false]], [::KIBANA-SRV::-> RULES:[auth_key->false]], [ReadonlyREST Enterprise instance #1-> RULES:[ror_kbn_auth->true, kibana->true] RESOLVED:[user=user@email;kibana_idx=*]], }

But in Kibana now I get this:

 [19:54:51:086] [debug][plugins][ReadonlyREST][tenantIndexBasedOnTemplateApplier] Template index not defined. Returning
[2023-12-04T19:54:51.136+00:00][INFO ][savedobjects-service] [*] INIT -> CREATE_REINDEX_TEMP. took: 18ms.
[2023-12-04T19:54:51.149+00:00][ERROR][savedobjects-service] [*] Unexpected Elasticsearch ResponseError: statusCode: 400, method: PUT, url: /*_8.10.4_reindex_temp?wait_for_active_shards=all&timeout=60s error: [invalid_index_name_exception]: Invalid index name [*_8.10.4_reindex_temp], must not contain the following characters ['/',',','|','>','?','*','<','"',' ','\'],
[19:54:51:149] [debug][plugins][ReadonlyREST][authController] login request rejected: username: natalia.mellino@avature.net
[19:54:51:149] [info][plugins][ReadonlyREST][authController] Could not login in: Unable to complete saved object migrations for the [*] index. Please check the health of your Elasticsearch cluster and try again. Unexpected Elasticsearch ResponseError: statusCode: 400, method: PUT, url: /*_8.10.4_reindex_temp?wait_for_active_shards=all&timeout=60s error: [invalid_index_name_exception]: Invalid index name [*_8.10.4_reindex_temp], must not contain the following characters ['/',',','|','>','?','*','<','"',' ','\'],
[19:54:51:150] [debug][plugins][ReadonlyREST][authorizationHeadersValidation] There is no identity session. Token revalidation aborted

I checked my cluster health status and it’s green, and I only have two indexes:

green open readonlyrest_audit-2023    l-OGYEmlQZmAHBjarH5T3w 1 1 312 0   1.1mb 563.2kb
green open .readonlyrest_kbn_sessions Mnc2ZCC1RgSyOhLLBZzHNw 1 1   4 0 273.9kb 136.9kb

On the other hand, I could not enable the debug mode on the ES side; I think I’m putting the configuration in the wrong place.

I’ve tried:

rootLogger.level: debug
readonlyrest:
 ...

and

readonlyrest:
  rootLogger.level: debug
  ...

None of them seemed to do the trick. Is this setting supposed to go in another config file?

Thanks for your quick response.

This is weird. When you experience the same issue as before and you can reproduce it, please let us know.

The debug log level should be set in a different file:

$ES_PATH_CONF/config/log4j2.properties file (Elasticsearch 5.x)

@Dzuming according to the current issue, do you know what this is CREATE_REINDEX_TEMP?
Unable to complete saved object migrations for the [*] index … and why “*”. Any idea?

Yes, it’s because there is an * index declared in the readonlyrest.yml

- name: "ReadonlyREST Enterprise instance #1"
  kibana:
    access: admin
    index: "*"
  ror_kbn_auth:
    name: "keycloak"

I think before these provided logs there should be something like:

[06:31:24:707] [trace][plugins][ReadonlyREST][defaultSpaceCreator] Creating default space document for index: *
[06:31:24:714] [trace][plugins][ReadonlyREST][defaultSpaceCreator] createDefaultSpaceDocument response 400: {"error":{"root_cause":[{"type":"invalid_index_name_exception","reason":"Invalid index name [*], must not contain the following characters ['/',',','|','>','?','*','<','\"',' ','\\']","index_uuid":"_na_","index":"*"}],"type":"invalid_index_name_exception","reason":"Invalid index name [*], must not contain the following characters ['/',',','|','>','?','*','<','\"',' ','\\']","index_uuid":"_na_","index":"*"},"status":400}

do you know what this is CREATE_REINDEX_TEMP?

Yes, it’s related to the automatic index migration and it’s one of the Kibana migration steps, but index * doesn’t exist.

I’ve added the debug mode on ES, but now I don’t see the FORBIDDEN block. All I see is the exception whenever I try to log in and some logs regarding Kibana, but no info about my user:

[2023-12-05T11:13:21,432][DEBUG][t.b.r.e.h.r.c.t.ReflectionBasedIndicesEsRequestContext] [elasticsearch-all-master-1] [35571763-2118355833#36746] Discovered indices: *_8.10.4_reindex_temp
[2023-12-05T11:13:21,432][DEBUG][t.b.r.a.l.AccessControlLoggingDecorator] [elasticsearch-all-master-1] checking request: 35571763-2118355833#36746
[2023-12-05T11:13:21,432][DEBUG][t.b.r.a.b.r.t.HostsRule  ] [elasticsearch-all-master-1] [35571763-2118355833#36746] address IPs [10.42.2.223/32] resolved to [NonEmptyList(10.42.2.223/32)], allowed addresses [elasticsearch-all-master-hl] resolved to [NonEmptyList(10.42.2.225/32, 10.42.0.125/32, 10.42.1.248/32)], isMatching=false
[2023-12-05T11:13:21,432][DEBUG][t.b.r.a.b.r.t.HostsRule  ] [elasticsearch-all-master-1] [35571763-2118355833#36746] address IPs [10.42.2.223/32] resolved to [NonEmptyList(10.42.2.223/32)], allowed addresses [elasticsearch-all.elk.svc.cluster.local] resolved to [NonEmptyList(10.43.15.189/32)], isMatching=false
[2023-12-05T11:13:21,433][DEBUG][t.b.r.a.b.Block          ] [elasticsearch-all-master-1] [Allow requests for cluster health] the request matches no rules in this block: { ID:35571763-2118355833#36746, TYP:CreateIndexRequest, CGR:<N/A>, USR:kibana (attempted), BRS:true, KDX:null, ACT:indices:admin/create, OA:10.42.2.223/32, XFF:null, DA:10.42.2.225/32, IDX:*_8.10.4_reindex_temp, MET:PUT, PTH:/*_8.10.4_reindex_temp, CNT:{"mappings":{"dynamic":false,"properties":{"type":{"type":"keyword"},"typeMigrationVersion":{"type":"version"}}},"aliases":{"*_8.10.4_reindex_temp_alias":{}},"settings":{"index":{"number_of_shards":1,"auto_expand_replicas":"0-1","refresh_interval":"1s","priority":10,"mapping":{"total_fields":{"limit":1500}}}}}, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Content-Length=311, Host=elasticsearch-all-master-hl.elk.svc.cluster.local:9200, accept=application/vnd.elasticsearch+json; compatible-with=8, connection=close, content-type=application/vnd.elasticsearch+json; compatible-with=8, elastic-apm-traceparent=00-35062f39c18584b7c57da0222ad7ee5c-5e5557ad43e7a859-00, traceparent=00-35062f39c18584b7c57da0222ad7ee5c-5e5557ad43e7a859-00, tracestate=es=s:0, user-agent=Kibana/8.10.4, x-elastic-client-meta=es=8.9.1p,js=18.17.1,t=8.3.3,hc=18.17.1, x-elastic-product-origin=kibana, x-opaque-id=unknownId, HIS:[Allow requests for cluster health-> RULES:[hosts->false] RESOLVED:[indices=*_8.10.4_reindex_temp]], }
[2023-12-05T11:13:21,433][DEBUG][t.b.r.a.b.r.a.AuthKeyRule] [elasticsearch-all-master-1] Attempting Login as: kibana rc: 35571763-2118355833#36746
[2023-12-05T11:13:21,433][DEBUG][t.b.r.a.b.Block          ] [elasticsearch-all-master-1] matched { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key] { found: user=kibana;indices=*_8.10.4_reindex_temp }
[2023-12-05T11:13:21,434][DEBUG][t.b.r.e.h.RegularRequestHandler] [elasticsearch-all-master-1] [35571763-2118355833#36746] Request processing time: 1ms
[2023-12-05T11:13:21,434][DEBUG][o.e.c.s.MasterService    ] [elasticsearch-all-master-1] executing cluster state update for [create-index [*_8.10.4_reindex_temp], cause [api]]
[2023-12-05T11:13:21,434][DEBUG][o.e.c.s.MasterService    ] [elasticsearch-all-master-1] took [0s] to compute cluster state update for [create-index [*_8.10.4_reindex_temp], cause [api]]
[2023-12-05T11:13:21,434][DEBUG][o.e.c.m.MetadataCreateIndexService] [elasticsearch-all-master-1] [*_8.10.4_reindex_temp] failed to create [*_8.10.4_reindex_temp] org.elasticsearch.indices.InvalidIndexNameException: Invalid index name [*_8.10.4_reindex_temp], must not contain the following characters ['"',' ','\','/',',','|','>','?','*','<']
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.metadata.MetadataCreateIndexService.validateIndexOrAliasName(MetadataCreateIndexService.java:222)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.metadata.MetadataCreateIndexService.validateIndexName(MetadataCreateIndexService.java:168)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.metadata.MetadataCreateIndexService.validate(MetadataCreateIndexService.java:1368)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.metadata.MetadataCreateIndexService.applyCreateIndexRequest(MetadataCreateIndexService.java:344)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.metadata.MetadataCreateIndexService$1.execute(MetadataCreateIndexService.java:299)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService$UnbatchedExecutor.execute(MasterService.java:550)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService.innerExecuteTasks(MasterService.java:1039)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService.executeTasks(MasterService.java:1004)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService.executeAndPublishBatch(MasterService.java:232)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService$BatchingTaskQueue$Processor.lambda$run$2(MasterService.java:1626)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.action.ActionListener.run(ActionListener.java:368)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService$BatchingTaskQueue$Processor.run(MasterService.java:1623)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService$5.lambda$doRun$0(MasterService.java:1237)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.action.ActionListener.run(ActionListener.java:368)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.cluster.service.MasterService$5.doRun(MasterService.java:1216)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:983)
	at org.elasticsearch.server@8.10.4/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:26)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)

Should I change the "*" in my readonlyrest.yml?

Ok, I’ve tried changing my settings in readonlyrest.yml with something similar we have now for our current ELK cluster:

before (this does not work):

- name: "ReadonlyREST Enterprise instance #1"
  kibana:
    access: admin
    index: "*"
  ror_kbn_auth:
    name: "keycloak"

after:

- name: "ReadonlyREST Enterprise instance #1"
  kibana_access: admin
  indices: ["*"]
  ror_kbn_auth:
    name: "keycloak"

And now I am able to login to the UI and see the ALLOWED block in the ES logs. I’m not sure what’s the difference between both settings (besides the syntax).

Thanks @Dzuming. I didn’t notice this obvious issue.

@natalia.mellino When you use kibana.index, you define a name for the kibana index. By default, it’s “.kibana” or “.kibana-{ES-VERSION-NUM}”. You can change it using this rule. You can read more about it here and here. You cannot use * in this rule, because * cannot be used in index names (we will add proper validation in the future).

On the other hand, indices: ["*"] means that “any index is allowed”. In this rule, we can use wildcards, not only full index names. For details, take a look here.
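
The distinction explained above, as an added example (not part of the original posts and not ReadonlyREST's own validation): a small linter that flags ACL blocks whose Kibana index name contains a character from the invalid_index_name_exception list quoted in this thread, while leaving wildcard indices patterns alone. It takes readonlyrest.yml already parsed into a dict; the function names, the kibana_version parameter and the second block in AFTER are assumptions made for the example.

```python
# Added example: lint ReadonlyREST ACL blocks for a Kibana index name that
# Elasticsearch will refuse to create. Not ReadonlyREST's own validation.

# Characters rejected in index names, copied from the
# invalid_index_name_exception message quoted in this thread.
FORBIDDEN_CHARS = frozenset('/,|>?*<" \\')


def kibana_index_of(block):
    """Return the Kibana index name an ACL block sets, or None if it sets none.

    Covers the nested form (kibana: {index: ...}) shown in the thread and the
    flat kibana_index rule.
    """
    kibana = block.get("kibana")
    if isinstance(kibana, dict) and kibana.get("index") is not None:
        return str(kibana["index"])
    flat = block.get("kibana_index")
    return None if flat is None else str(flat)


def lint_acl(settings, kibana_version="8.10.4"):
    """Return (block name, index, bad chars, temp index) for each bad block.

    `settings` is readonlyrest.yml after YAML parsing, e.g. yaml.safe_load().
    The temp index follows the <index>_<version>_reindex_temp pattern seen in
    the Kibana migration error in this thread.
    """
    findings = []
    blocks = settings.get("readonlyrest", {}).get("access_control_rules", [])
    for block in blocks:
        index = kibana_index_of(block)
        if index is None:
            continue  # block keeps Kibana's default index name
        bad = sorted(FORBIDDEN_CHARS.intersection(index))
        if bad:
            temp = f"{index}_{kibana_version}_reindex_temp"
            findings.append((block.get("name", "<unnamed>"), index, bad, temp))
    return findings


# Constructed input: the two versions of the block from this thread, already
# parsed into Python dicts, plus a hypothetical second block with a valid name.
BEFORE = {"readonlyrest": {"access_control_rules": [
    {"name": "ReadonlyREST Enterprise instance #1",
     "kibana": {"access": "admin", "index": "*"},
     "ror_kbn_auth": {"name": "keycloak"}},
]}}
AFTER = {"readonlyrest": {"access_control_rules": [
    {"name": "ReadonlyREST Enterprise instance #1",
     "kibana_access": "admin",
     "indices": ["*"],  # a wildcard is fine here: this is a pattern, not a name
     "ror_kbn_auth": {"name": "keycloak"}},
    {"name": "hypothetical tenant block",
     "kibana": {"access": "admin", "index": ".kibana_tenant_a"},
     "indices": ["logs-*"]},
]}}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        results = lint_acl(cfg)
        for name, index, bad, temp in results:
            print(f"{label}: block {name!r}: kibana index {index!r} contains "
                  f"{bad}; Kibana would try to create {temp!r}")
        if not results:
            print(f"{label}: no invalid Kibana index names")
```

Running such a check before pushing readonlyrest.yml catches the mistake at configuration time instead of at the first login after a SAML redirect.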

Okay, I see. Thank you for all the help, I think I can mark this as solved for now. I’ll let you know if I get to replicate the original issue.
