Kibana still trying to use some unauthenticated access to ES

hbigault · April 29, 2021, 3:49pm

Hello,

Kibana looks to have the bad habit of making some requests to the ES without account info even if we use elasticsearch.username: and elasticsearch.password:

On 7.8.1 I already needed to allow unauthenticated access to make it work:
actions: [“cluster:monitor/xpack/info”, “cluster:monitor/main”, “cluster:monitor/xpack/license/get”, “cluster:admin/xpack/monitoring/bulk”]

With 7.11.12 I needed to also allow unauthenticated access for the following action to have kibana started and working fine:
actions: [“indices:data/read/search”, “indices:data/read/get”]
indices: [".kibana"]

The 8.0 Upgrade Assistant still fail with a Error: Internal Server Error
at HapiResponseAdapter.toError (/home/kibana/src/core/server/http/router/response_adapter.js:121:19)
at HapiResponseAdapter.toHapiResponse (/home/kibana/src/core/server/http/router/response_adapter.js:75:19)
at HapiResponseAdapter.handle (/home/kibana/src/core/server/http/router/response_adapter.js:70:17)
at Router.handle (/home/kibana/src/core/server/http/router/router.js:164:34)
at runMicrotasks ()

I tried to cover the reject I had in the audits (unauthenticated) allowing unauthenticated action:
“cluster:admin/xpack/deprecation/info”
“indices:admin/mappings/get” (for apm-* indexes)

The 8.0 upgrade page still end with a system error

I don’t know if it is a normal behavior. I may have misconfigured something in kibana.

sscarduzio · April 29, 2021, 4:07pm

Can we see your settings? And, just to get this out of the way: have you patched Kibana?

hbigault · April 29, 2021, 4:51pm

Sure.

Here is my kibana config:

server.host: host1
path.data: ${ELK_ROOT}/kibana-data
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
elasticsearch.hosts: [“https://host1:9200”, “https://host2:9200”]
elasticsearch.username: “kibana”
elasticsearch.password: “xxxx”
elasticsearch.ssl.verificationMode: none
server.ssl.keystore.path: “${ES_PATH_CONF}/host.p12”
server.ssl.keystore.password: “xxxx”
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: [ “${ES_PATH_CONF}/cacert.pem” ]
logging.dest: ${ELK_ROOT}/log/kibana/kibana.log
logging.json: false
xpack.encryptedSavedObjects.encryptionKey: “xxxx”
xpack.reporting.encryptionKey: “xxxx”
xpack.security.encryptionKey: “xxxx”

I’ve checked a second time and the Kibana instance I was using for the test was well patched. I’m using 1.29.0_es7.11.2.

On ES plugin I’m having the following block to deal with kibana needs:

- name: "::KIBANA-SRV::"
 type: allow
 auth_key: kibana:xxxx
 verbosity: error

It should have worked if kibana was not trying to reach ES sometime without the expected login:

FORBIDDEN by default req={ ID:1916462101-2035573290#58436, TYP:GetMappingsRequest, CGR:N/A, USR:[no info about user], BRS:false, KDX:null, ACT:indices:admin/mappings/get, OA:IP/32, XFF:null, DA:IP/32, IDX:apm-, MET:GET, PTH:/apm-/_mapping

FORBIDDEN by default req={ ID:805340606-939176580#139223, TYP:GetRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/get, OA:IP/32, XFF:null, DA:IP/32, IDX:.kibana, MET:GET, PTH:/.kibana/_doc/space:default, CNT:<N/A>, HDR:Accept-Charset=utf-8, Host=host1:9200, connection=close, content-length=0, user-agent=elasticsearch-js/7.11.0-rc.1 (linux 3.10.0-1160.11.1.el7.x86_64-x64; Node.js v14.16.0), x-elastic-client-meta=es=7.11.0-rc.1,js=14.16.0,t=7.11.0-rc.1,hc=14.16.0, x-elastic-product-origin=kibana, x-opaque-id=79c08611-3688-49b5-812b-672ae8ece4e4

hbigault · April 30, 2021, 11:50am

Having a look again to the kibana interface I was surprised by the Fleet page asking be to be super user.

It looks like some recommended parameters have disappeared in my kibana config at some point :

xpack.monitoring.enabled: true
xpack.security.enabled: false
xpack.telemetry.enabled: false

Adding these helped (security mainly) to have a normal kibana behavior. I will test later if the additional actions I have added are still necessary or not.

I don’t have anymore Error: Internal Server Error on the upgrade page.

Now the fleet page tell me that I need to activate xpack security to be able to use it. Are you planning to support the fleet page in the free ROR kibana plugin ?

sscarduzio · May 2, 2021, 1:49pm

Yes we will try to make fleet and other parts that require xpack security to work. We are still in explorative phase. Will update with more.