Kibana still trying to use some unauthenticated access to ES

hbigault · April 29, 2021, 3:49pm

Hello,

Kibana looks to have the bad habit of making some requests to the ES without account info even if we use elasticsearch.username: and elasticsearch.password:

On 7.8.1 I already needed to allow unauthenticated access to make it work:
actions: [“cluster:monitor/xpack/info”, “cluster:monitor/main”, “cluster:monitor/xpack/license/get”, “cluster:admin/xpack/monitoring/bulk”]

With 7.11.12 I needed to also allow unauthenticated access for the following action to have kibana started and working fine:
actions: [“indices:data/read/search”, “indices:data/read/get”]
indices: [".kibana"]

The 8.0 Upgrade Assistant still fail with a Error: Internal Server Error
at HapiResponseAdapter.toError (/home/kibana/src/core/server/http/router/response_adapter.js:121:19)
at HapiResponseAdapter.toHapiResponse (/home/kibana/src/core/server/http/router/response_adapter.js:75:19)
at HapiResponseAdapter.handle (/home/kibana/src/core/server/http/router/response_adapter.js:70:17)
at Router.handle (/home/kibana/src/core/server/http/router/router.js:164:34)
at runMicrotasks ()

I tried to cover the reject I had in the audits (unauthenticated) allowing unauthenticated action:
“cluster:admin/xpack/deprecation/info”
“indices:admin/mappings/get” (for apm-* indexes)

The 8.0 upgrade page still end with a system error

I don’t know if it is a normal behavior. I may have misconfigured something in kibana.

sscarduzio · April 29, 2021, 4:07pm

Can we see your settings? And, just to get this out of the way: have you patched Kibana?

hbigault · April 29, 2021, 4:51pm

Sure.

Here is my kibana config:

server.host: host1
path.data: ${ELK_ROOT}/kibana-data
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
elasticsearch.hosts: [“https://host1:9200”, “https://host2:9200”]
elasticsearch.username: “kibana”
elasticsearch.password: “xxxx”
elasticsearch.ssl.verificationMode: none
server.ssl.keystore.path: “${ES_PATH_CONF}/host.p12”
server.ssl.keystore.password: “xxxx”
server.ssl.enabled: true
elasticsearch.ssl.certificateAuthorities: [ “${ES_PATH_CONF}/cacert.pem” ]
logging.dest: ${ELK_ROOT}/log/kibana/kibana.log
logging.json: false
xpack.encryptedSavedObjects.encryptionKey: “xxxx”
xpack.reporting.encryptionKey: “xxxx”
xpack.security.encryptionKey: “xxxx”

I’ve checked a second time and the Kibana instance I was using for the test was well patched. I’m using 1.29.0_es7.11.2.

On ES plugin I’m having the following block to deal with kibana needs:

- name: "::KIBANA-SRV::"
 type: allow
 auth_key: kibana:xxxx
 verbosity: error

It should have worked if kibana was not trying to reach ES sometime without the expected login:

FORBIDDEN by default req={ ID:1916462101-2035573290#58436, TYP:GetMappingsRequest, CGR:N/A, USR:[no info about user], BRS:false, KDX:null, ACT:indices:admin/mappings/get, OA:IP/32, XFF:null, DA:IP/32, IDX:apm-, MET:GET, PTH:/apm-/_mapping

FORBIDDEN by default req={ ID:805340606-939176580#139223, TYP:GetRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:indices:data/read/get, OA:IP/32, XFF:null, DA:IP/32, IDX:.kibana, MET:GET, PTH:/.kibana/_doc/space:default, CNT:<N/A>, HDR:Accept-Charset=utf-8, Host=host1:9200, connection=close, content-length=0, user-agent=elasticsearch-js/7.11.0-rc.1 (linux 3.10.0-1160.11.1.el7.x86_64-x64; Node.js v14.16.0), x-elastic-client-meta=es=7.11.0-rc.1,js=14.16.0,t=7.11.0-rc.1,hc=14.16.0, x-elastic-product-origin=kibana, x-opaque-id=79c08611-3688-49b5-812b-672ae8ece4e4

hbigault · April 30, 2021, 11:50am

Having a look again to the kibana interface I was surprised by the Fleet page asking be to be super user.

It looks like some recommended parameters have disappeared in my kibana config at some point :

xpack.monitoring.enabled: true
xpack.security.enabled: false
xpack.telemetry.enabled: false

Adding these helped (security mainly) to have a normal kibana behavior. I will test later if the additional actions I have added are still necessary or not.

I don’t have anymore Error: Internal Server Error on the upgrade page.

Now the fleet page tell me that I need to activate xpack security to be able to use it. Are you planning to support the fleet page in the free ROR kibana plugin ?

sscarduzio · May 2, 2021, 1:49pm

Yes we will try to make fleet and other parts that require xpack security to work. We are still in explorative phase. Will update with more.

Darius · May 15, 2024, 12:34pm

Hello everyone!

maybe there are some news regarding xpack security? Or is it still not working and should be disabled for ROR to work correctly?

coutoPL · May 15, 2024, 3:08pm

Hi @Darius,

Yes, it’s possible to use ES with enabled xpack security. It was added in ROR 1.50.0. But when you do enable the xpack security, you have to use xpack SSL instead of ROR SSL.

It was done for a sake of ECK integration (see our example)