Kibana - Error 401

daniele.saccon · June 14, 2021, 9:44am

Hi everybody

I have Elasticsearch and Kibana version 7.13.1 and readonlyrest 1.30.1 (free ES).
I can’t login into Kibana with the auth_key clause in the settings, if I remove it instead kibana works.

I have this error message:
{“statusCode”: 401, “error”: “Unauthorized”, “message”: “[Forbidden by ReadonlyREST ES plugin: Response Error]: Forbidden by ReadonlyREST ES plugin”}

With auth_key the authentication in ES works, the only problem appears in kibana where there isn’t a banner for entering user and password

ROR conf:

readonlyrest:
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    audit_collector: true

    access_control_rules:
    - name: "00 - basic"
      auth_key: user:pass
      verbosity: error
      type: allow
      indices: ["*"]

Kibana conf:

elasticsearch.username: "user"
elasticsearch.password: "pass"

xpack.security.enabled: false
telemetry.enabled: false

ES conf:

cluster.name: xxx-elk-cluster
node.name: xxx-elk-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

xpack.security.enabled: false

ES log:

[INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [xxx-elk-node-1] e[35mFORBIDDEN by default req={ ID:16906169-1687150194#442, TYP:SearchRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana_7.13.1, MET:POST, PTH:/.kibana_7.13.1/_search, CNT:<OMITTED, LENGTH=466.0 B> , HDR:Connection=keep-alive, Host=localhost:9200, content-length=466, content-type=application/json, user-agent=elasticsearch-js/7.13.0-canary.1 (linux 4.18.0-240.el8.x86_64-x64; Node.js v14.16.1), x-elastic-client-meta=es=7.13.0p,js=14.16.1,t=7.13.0p,hc=14.16.1, x-elastic-product-origin=kibana, HIS:[01 - basic-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.13.1]], }e[0m
[INFO ][t.b.r.a.l.AccessControlLoggingDecorator] [xxx-elk-node-1] e[35mFORBIDDEN by default req={ ID:53542787-278737162#743, TYP:SearchRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/search, OA:127.0.0.1/32, XFF:null, DA:127.0.0.1/32, IDX:.kibana_7.13.1, MET:POST, PTH:/.kibana_7.13.1/_search, CNT:<OMITTED, LENGTH=312.0 B> , HDR:Connection=keep-alive, Host=localhost:9200, content-length=312, content-type=application/json, user-agent=elasticsearch-js/7.13.0-canary.1 (linux 4.18.0-240.el8.x86_64-x64; Node.js v14.16.1), x-elastic-client-meta=es=7.13.0p,js=14.16.1,t=7.13.0p,hc=14.16.1, x-elastic-product-origin=kibana, x-opaque-id=a823f4a3-a598-4299-a372-65b1c704c868, HIS:[01 - basic-> RULES:[auth_key->false] RESOLVED:[indices=.kibana_7.13.1]], }e[0m

Kibana log:

{"type":"response","@timestamp":"2021-06-14T11:00:02+02:00","tags":[],"pid":33476,"method":"get","statusCode":401,"req":{"url":"/","method":"get","headers":{"host":"localhost:5601","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate","accept-language":"it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7","x-forwarded-for":"xxxxx","x-forwarded-host":"xxxxx","x-forwarded-server":"xxxxx","connection":"Keep-Alive"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36"},"res":{"statusCode":401,"responseTime":45,"contentLength":144},"message":"GET / 401 45ms - 144.0B"}
{"type":"response","@timestamp":"2021-06-14T11:00:02+02:00","tags":[],"pid":33476,"method":"get","statusCode":404,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"localhost:5601","pragma":"no-cache","cache-control":"no-cache","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","referer":"http://xxxxxxxx/","accept-encoding":"gzip, deflate","accept-language":"it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7","x-forwarded-for":"xxxxx","x-forwarded-host":"xxxxx","x-forwarded-server":"xxxxx","connection":"Keep-Alive"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36","referer":"http://xxxxxxxx/"},"res":{"statusCode":404,"responseTime":33,"contentLength":60},"message":"GET /favicon.ico 404 33ms - 60.0B"}

Can you help me?

Thank you

Daniele

sscarduzio · June 14, 2021, 10:20am

Hi Daniele,

We currently do not support the usage of Kibana with ROR for Elasticsearch alone. We need you to install ROR (Free) for Kibana as well. And at the moment we did not yet release a Kibana 7.13.x compatible version of the Free plugin.

Having said that, I noticed that in recent Kibana versions, the settings:

elasticsearch.username: "user"
elasticsearch.password: "pass"

get ignored more and more in various parts of Kibana. You could find more success by using:

elasticsearch.customHeaders: [ "Authorization: Basic xxx" ]

With xxx being the Base64 encoded version of the string “user:pass”

daniele.saccon · June 14, 2021, 1:43pm

Hi Simone,

I switched to 7.12.1, installed ROR Kibana and put elasticsearch.customHeaders.
Kibana works but doesn’t ask authentication.

I have another question: with ROR and consequently the security disabled is not possible to use fleet, correct?

Thanks

Daniele

sscarduzio · June 14, 2021, 2:54pm

Yeah for now we didn’t find a workaround for this yet.