Kibana monitoring with Metricbeat

When using Metricbeat to monitor Kibana, it sends requests to Kibana’s /api/* endpoints. Unfortunately, it seems these requests are not authorized (even with basic auth enabled) so they will by default be redirected to the login page.

To get around this, I can add:
readonlyrest_kbn.whitelistedPaths: ["/api/.*"]
But, this is obviously a huge security hole, since it will allow requests from any source to hit the API without authentication.

It would be ideal if I could combine/replace this with something like:
readonlyrest_kbn.whitelistedSourceIPs: ["10.0.x.x"] or something similar

Thoughts?
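For comparison, here is what the two kibana.yml settings under discussion look like side by side: the broad whitelist from the post and a narrower variant scoped to just the endpoints the Metricbeat Kibana module polls. This is an added illustration, not configuration from the original post or from the ReadonlyREST project. The narrower patterns assume whitelistedPaths entries are Java-style regexes matched against the request path (the post shows "/api/.*", so regex syntax is in use, but anchoring behaviour is an assumption), and that the Metricbeat endpoints are /api/status and /api/stats; check both against the current ROR and Metricbeat documentation before relying on them.

```yaml
# kibana.yml (illustrative; not from the original thread)

# Broad form from the post: every /api/* request from any source skips
# authentication entirely. Every Kibana API, not just the monitoring
# endpoints, becomes reachable without credentials.
#readonlyrest_kbn.whitelistedPaths: ["/api/.*"]

# Narrower form: only the endpoints the Metricbeat Kibana module polls.
# ASSUMPTION: entries are regexes matched against the full request path;
# the leading "^" anchors are an assumption about ROR's matching rules.
readonlyrest_kbn.whitelistedPaths:
  - "^/api/status"
  - "^/api/stats"
```

Even the narrow form leaves those two endpoints unauthenticated (they expose version and usage information), so the remaining exposure is best limited at the network layer, for example by allowing only the monitoring host to reach Kibana's port.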

you mean they carry no authorization header? I.e. a bug in Metricbeat?

They do carry the authorization header, but Kibana rejects them. I assume because no session has been created for the ROR basic auth user.

I can replicate this in Postman, sending basic auth with a ROR user that has full access to all indices and unrestricted Kibana access… I get redirected to the login page:


OK so Metricbeat is behaving correctly.

Historically we disabled the pure HTTP “Basic” authentication in favour of requiring all sessions to go through the login page + set cookie. We did this because browsers have the bad habit of letting you in with basic auth, and if that works the first time, they continue to send Basic auth credentials across no matter what, even if you have a proper cookie.
This is not good for security, plus it can create ambiguous situations, like when Basic auth credentials (valid for user X) and a cookie-based session (for user Y) coexist in the same request: which one should prevail? :man_shrugging:

Maybe what we could do is to enable basic auth for /api/* paths?