Using Kibana/ES 5.6.3 and RoR 1.16.13_es5.6.3, I’ve been running into a problem where auth appears to work, then fails. That is, the first login attempt succeeds, but Kibana shows a 403 in the logs. Then all subsequent attempts fail. This appears to be somewhat like the double login problem people have mentioned in the past, but I’m not sure…
Successful Login: https://pastebin.com/KAumFg1U
Failure Login: https://pastebin.com/RpaWMt0y
What’s particularly strange to me is that the failure run seems to be missing the Basic Auth header (which is explicitly disabled in my config…right?)
Anyone have any ideas?
Since I can only paste 2 links, here’s my RoR config:
```yaml
readonlyrest:
  enable: true
  audit_collector: true
  prompt_for_basic_auth: false
  response_if_req_forbidden: Access Forbidden by FreeIPA
  ssl:
    enable: true
    key_alias: "elasticsearch"
    keystore_file: "/usr/share/elasticsearch/config/keystore.jks"
    keystore_pass: "{{ s3.environment[domain].keypass }}"
    key_pass: "{{ s3.environment[domain].keypass }}"
  access_control_rules:
    - name: Access to Ops team indices
      type: allow
      verbosity: error
      kibana_access: ro
      ldap_authentication: "ldap1"
      ldap_authorization:
        name: "ldap1"
        groups: ["es_ops"]
      indices: ["logmash-*-ops-*", ".kibana"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:management", "timelion"]
    - name: Access to FrontEnd team indices
      type: allow
      kibana_access: ro
      verbosity: error
      ldap_authentication: "ldap1"
      ldap_authorization:
        name: "ldap1"
        groups: ["es_fe"]
      indices: ["logmash-*-fe-*", ".kibana"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:management", "timelion"]
    - name: Kibana Admins
      type: allow
      ldap_authentication: "ldap1"
      kibana_access: admin
      ldap_authorization:
        name: "ldap1"
        groups: ["es_admin"]
      indices: ["*"]
    - name: cli access
      type: allow
      verbosity: error
      ldap_authentication: "ldap1"
      ldap_authorization:
        name: "ldap1"
        groups: ["es_cli"]
    - name: "::LOCALHOST::"
      type: allow
      verbosity: error
      hosts:
        - localhost
        - 127.0.0.1
  ldaps:
    - name: ldap1
      host: "{{ s3.environment.env.KDC.master }}"
      port: 636
      ssl_enabled: true
      ssl_trust_all_certs: true
      bind_dn: "uid={{ s3.application[role].app.bind_user }},cn=users,cn=accounts,{{ s3.environment.env.KDC.dc }}"
      bind_password: "{{ s3.application[role].app.bind_password }}"
      search_user_base_DN: "cn=users,cn=accounts,{{ s3.environment.env.KDC.dc }}"
      user_id_attribute: "uid"
      search_groups_base_DN: "cn=groups,cn=accounts,{{ s3.environment.env.KDC.dc }}"
      unique_member_attribute: "member"
      group_name_attribute: "cn"
      group_search_filter: "(objectClass=posixGroup)(cn=es_*)"
      connection_timeout_in_sec: 10
```
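Added example (not part of the post above and not ReadonlyREST's own code): a small first-match evaluator for the `access_control_rules` list in that config. It models two things the block list relies on: blocks are tried top to bottom and the first one whose rules all hold wins, and a request that matches no block is forbidden, which is what a 403 on a request without credentials looks like. The `Request` objects, user names and group memberships are constructed for the illustration; the any-one-of-the-listed-groups reading of `ldap_authorization.groups` and the first-match ordering are assumptions of this model, so check them against the ROR documentation for your version.

```python
# Added illustration, not ReadonlyREST code: a minimal first-match ACL evaluator
# over the access_control_rules from the post, to show which block a request lands
# in and why a request with no credentials from a remote host matches nothing.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Block:
    name: str
    groups: frozenset          # ldap_authorization groups (any one suffices); empty = no rule
    kibana_access: Optional[str]
    indices: tuple             # allowed index patterns; ("*",) when the block lists none
    hosts: tuple = ()          # hosts rule; empty = no rule


# Transcribed from the access_control_rules in the post, in the same order.
BLOCKS = (
    Block("Access to Ops team indices", frozenset({"es_ops"}), "ro", ("logmash-*-ops-*", ".kibana")),
    Block("Access to FrontEnd team indices", frozenset({"es_fe"}), "ro", ("logmash-*-fe-*", ".kibana")),
    Block("Kibana Admins", frozenset({"es_admin"}), "admin", ("*",)),
    Block("cli access", frozenset({"es_cli"}), None, ("*",)),
    Block("::LOCALHOST::", frozenset(), None, ("*",), ("localhost", "127.0.0.1")),
)


@dataclass(frozen=True)
class Request:
    user: Optional[str]        # None = no credentials on the request
    groups: frozenset          # groups LDAP would return for the user (constructed here)
    source_host: str


def block_matches(block: Block, req: Request) -> bool:
    """Every rule in a block must hold; a block with only a hosts rule needs no login."""
    if block.hosts and req.source_host not in block.hosts:
        return False
    if block.groups:
        # ldap_authentication + ldap_authorization: credentials plus at least one group
        if req.user is None or not (req.groups & block.groups):
            return False
    return True


def first_match(req: Request, blocks=BLOCKS) -> Optional[Block]:
    """Modelled ACL semantics: blocks tried top to bottom, first match wins,
    no match means the request is forbidden (a 403 to the client)."""
    for block in blocks:
        if block_matches(block, req):
            return block
    return None


def can_access_index(block: Block, index: str) -> bool:
    """Does the matched block's indices rule cover this index name?"""
    return any(fnmatchcase(index, pattern) for pattern in block.indices)


if __name__ == "__main__":
    # Constructed users: alice is in both the ops and admin groups, anon sends no credentials.
    alice = Request("alice", frozenset({"es_ops", "es_admin"}), "10.0.0.5")
    anon = Request(None, frozenset(), "10.0.0.5")
    hit = first_match(alice)
    print(hit.name, hit.kibana_access)      # ops block wins: alice is read-only, not admin
    print(first_match(anon))                # None: no block matches, request is forbidden
```

Two things the run shows: a user who belongs to `es_ops` and `es_admin` lands in the first block and gets `kibana_access: ro`, so the admin block only takes effect for admins if it is listed above the team blocks; and a request carrying no credentials from a non-localhost address matches no block at all, so whatever strips the Authorization header in the failing run leaves nothing for the ACL to accept.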