Kibana keystore not read by kbn ror plugin -- 8.5.2 and ror 1.47.0

Dear All, I’m currently using elasticsearch and kibana in 8.5.2 version with both ror plugins in 1.47.0

I would like to “mask” the elasticsearch.user and elasticsearch.password value from my kibana.yml file.

To achieve this, I remove these two entries from the kibana.yml file and add them to the kibana.keystore. When kibana starts it should read this keystore, find both entries and get the proper value.

Unfortunately, using kbn ror plugin, I receive this error message:

[error][plugins][ReadonlyREST][kibanaConfigInterceptor] ROR Cannot initialize Kibana: Valid values for\
 'elasticsearch.username' and 'elasticsearch.password' are required by ReadonlyREST. 'elasticsearch.password' is  missing.\

I maybe miss the obvious but searching with the keyword “keystore” in the kibana documentation, I don’t find anything …

Is anybody encouter the same issue ?

Thanks in advance for your time and help.


ps: Using a ci chain to deploy the stack, kibana is the last element to manage as I used the elasticsearch keystore to set my s3 keys and token value, the logstash keystore the beats keystore as well and everything is working fine :stuck_out_tongue:

@Dzuming maybe we should relax that check in kibana config interceptor all together? Make it a warning or something?

Sounds good, but maybe we should ignore this check if kibana.keystore is defined?


Yes! And also, let’s keep in mind that there’s an alternative to specifying username and password, that is elasticsearch.serviceAccountToken as seen here in Kibana docs.

1 Like

Hi @orsius

Could you check if this issue still occurs on plugin version 1.48.0? I tested it, and it works fine on my end. I created a keystone file and set variables via Secure settings | Kibana Guide [8.7] | Elastic. I didn’t need to restart Kibana, it was read automatically after the plugin’s automatic reinitialization.

1 Like

Hi @Dzuming , Thanks for following this case; I performed a test in my lab this morning (Enterprise 1.48.0_es8.5.2 :unicorn:) and it works fine.

Have a nice day,