For some reason I can’t seem to get Kibana working with ReadonlyREST. My kibana.stderr log shows a number of the following messages, and Kibana is not prompting me to enter any user credentials. Not sure what I’m doing wrong.
Unhandled rejection Authentication Exception :: {"path":"/_xpack","statusCode":401,"response":"Forbidden by ReadonlyREST ES plugin","wwwAuthenticateDirective":"Basic"}
    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:295:15)
    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:254:7)
    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:157:7)
    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:80:11)
    at process._tickDomainCallback (internal/process/next_tick.js:128:9)
My configuration is essentially the following:
readonlyrest:
  enable: true
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  access_control_rules:
    # allow someone directly logged in to the server to perform any action
    - name: "::LOCALHOST::"
      auth_key: name:password
      hosts: [127.0.0.1]
      type: allow
    # we trust Logstash; access allowed via HTTP auth
    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      type: allow
      actions: ["cluster:monitor/main", "indices:admin/types/exists", "indices:data/read/*", "indices:data/write/*", "indices:admin/template/*", "indices:admin/create"]
      indices: ["logs-*"]
    # we trust Kibana; access allowed via HTTP auth
    - name: "::KIBANA-SERVER::"
      auth_key: kibana:kibana
      type: allow
      verbosity: error # don't log successful requests
    # this is for read-write user access via LDAP
    - name: "::RW ACCESS::"
      ldap_auth:
        name: "ldap1"
        groups: ["group_does_not_exist"]
      type: allow
      kibana_access: rw
      indices: [".kibana", ".kibana-devnull", "logs-*"]
    # this is for read-only user access via LDAP
    - name: "::RO ACCESS::"
      ldap_auth:
        name: "ldap1"
        groups: ["group_does_not_exist"]
      type: allow
      kibana_access: ro
      indices: [".kibana", ".kibana-devnull", "logs-*"]
  ldaps:
    - name: ldap1
      host: "xxx.xxx.com"
      port: 389
      ssl_enabled: false
      ssl_trust_all_certs: true
      search_user_base_DN: "ou=Users,ou=xxx,dc=xxx,dc=com"
      user_id_attribute: "uid"
      search_groups_base_DN: "ou=ELK,dc=xxx,dc=com"
      unique_member_attribute: "uniqueMember"
      connection_pool_size: 10
      connection_timeout_in_sec: 10
      request_timeout_in_sec: 10
      cache_ttl_in_sec: 60
Thoughts? Thanks!
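The trace above is Kibana's own backend request to Elasticsearch (path /_xpack) being rejected with a Basic challenge. ReadonlyREST evaluates access_control_rules top to bottom: every rule inside a block must match, and the first block that matches decides the request, otherwise the request is forbidden. The check a practitioner would do is to walk that request, and a few others, through the blocks in order. The simulator below is an added example written for this page, not ReadonlyREST's own code: it transcribes the post's blocks into Python, models the auth_key, hosts, actions, indices and ldap_auth rules, and ignores type, verbosity and kibana_access. The action name for /_xpack, the LDAP directory contents and the client IPs are constructed assumptions.

```python
"""Simulate ReadonlyREST first-match ACL evaluation over the blocks from the post.

Added example, not ReadonlyREST code. Models: auth_key, hosts, actions, indices,
ldap_auth. Ignores: type (all blocks are allow), verbosity, kibana_access.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# ACL transcribed from the post's readonlyrest.yml, keeping only modelled rule keys.
ACL = [
    {"name": "::LOCALHOST::", "auth_key": "name:password", "hosts": ["127.0.0.1"]},
    {"name": "::LOGSTASH::", "auth_key": "logstash:logstash",
     "actions": ["cluster:monitor/main", "indices:admin/types/exists",
                 "indices:data/read/*", "indices:data/write/*",
                 "indices:admin/template/*", "indices:admin/create"],
     "indices": ["logs-*"]},
    {"name": "::KIBANA-SERVER::", "auth_key": "kibana:kibana"},
    {"name": "::RW ACCESS::",
     "ldap_auth": {"name": "ldap1", "groups": ["group_does_not_exist"]},
     "indices": [".kibana", ".kibana-devnull", "logs-*"]},
    {"name": "::RO ACCESS::",
     "ldap_auth": {"name": "ldap1", "groups": ["group_does_not_exist"]},
     "indices": [".kibana", ".kibana-devnull", "logs-*"]},
]

# Constructed stand-in for the LDAP server "ldap1": user -> (password, set of groups).
LDAP_DIRECTORY = {"alice": ("s3cret", {"elk-rw"})}

# Assumed action name behind GET /_xpack; the real name does not matter for the outcome.
XPACK_ACTION = "cluster:monitor/xpack/info"


@dataclass(frozen=True)
class Request:
    credentials: Optional[str]   # decoded Basic credentials "user:password", or None
    client_ip: str
    action: str
    indices: tuple = ()          # empty for cluster-level requests


def _ldap_ok(rule: dict, creds: Optional[str]) -> bool:
    """Bind with the supplied credentials and require membership in one of rule['groups']."""
    if not creds or ":" not in creds:
        return False
    user, password = creds.split(":", 1)
    entry = LDAP_DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        return False
    return bool(entry[1] & set(rule["groups"]))


def _glob_any(patterns, value: str) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def block_matches(block: dict, req: Request) -> bool:
    """All rules in a block must hold. A request with no indices passes an indices rule
    (simulator assumption for cluster-level actions)."""
    checks = {
        "auth_key": lambda v: req.credentials == v,
        "hosts": lambda v: req.client_ip in v,
        "actions": lambda v: _glob_any(v, req.action),
        "indices": lambda v: all(_glob_any(v, i) for i in req.indices),
        "ldap_auth": lambda v: _ldap_ok(v, req.credentials),
    }
    return all(checks[key](value) for key, value in block.items() if key != "name")


def evaluate(req: Request, acl=ACL) -> Optional[str]:
    """Return the name of the first matching block, or None when the request is forbidden."""
    for block in acl:
        if block_matches(block, req):
            return block["name"]
    return None


def with_ldap_group(acl, group: str):
    """Copy of the ACL with every ldap_auth groups list replaced by [group]."""
    out = []
    for block in acl:
        block = dict(block)
        if "ldap_auth" in block:
            block["ldap_auth"] = {**block["ldap_auth"], "groups": [group]}
        out.append(block)
    return out


def scenarios() -> dict:
    """Requests a practitioner would trace; keys name the case, values are evaluate() results."""
    return {
        "kibana backend, no credentials": evaluate(Request(None, "127.0.0.1", XPACK_ACTION)),
        "kibana backend, kibana:kibana": evaluate(Request("kibana:kibana", "127.0.0.1", XPACK_ACTION)),
        "local admin from 127.0.0.1": evaluate(Request("name:password", "127.0.0.1", XPACK_ACTION)),
        "local admin from 10.0.0.5": evaluate(Request("name:password", "10.0.0.5", XPACK_ACTION)),
        "logstash bulk into logs-*": evaluate(
            Request("logstash:logstash", "10.0.0.7", "indices:data/write/bulk", ("logs-2017.01.01",))),
        "logstash bulk into .kibana": evaluate(
            Request("logstash:logstash", "10.0.0.7", "indices:data/write/bulk", (".kibana",))),
        "alice via LDAP, group as configured": evaluate(
            Request("alice:s3cret", "10.0.0.9", "indices:data/read/search", (".kibana",))),
        "alice via LDAP, group elk-rw": evaluate(
            Request("alice:s3cret", "10.0.0.9", "indices:data/read/search", (".kibana",)),
            with_ldap_group(ACL, "elk-rw")),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:40s} -> {result or 'FORBIDDEN (401, Basic challenge)'}")
```

Run it and the first row reproduces the post's log line: a request that carries no Basic credentials fails auth_key in the first three blocks and ldap_auth in the last two, so no block matches and ReadonlyREST answers 401 with the configured forbidden message. The same request with kibana:kibana lands on ::KIBANA-SERVER::, which is the block the comment says Kibana is meant to use; the remaining rows show the hosts and indices rules narrowing the Logstash and local-admin blocks, and that the LDAP blocks can only ever match once groups names a group that exists in the directory.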