Running ROR Kibana Pro on ES cluster at 6.6.0.
Just got the paid ROR Kibana pro plugin (our purchasing moves slowly) and got it installed and was trying to do things but am running into permission issues. Thought I had this sorted but apparently not.
I can login as the kibana admin user, and I can go to the readonlyrest tab and see and change the YAML file, so that level of auth is working, but several things aren’t working. There’s a query about usage statistics at the top of the kibana page, and whenever I try to answer yes or no, I get a forbidden message. With this being a new cluster, I don’t have an index pattern defined yet, and when I try to do that, it looks like it’s doing things, but when I check the ES logs, I can see the deny message in there.
Here’s the relevant portion of the ROR yaml config:
access_control_rules:
  # LOCAL: Kibana admin account
  - name: "local-admin"
    auth_key: "admin:derpderp"
    kibana_access: admin
I’ve got several other local accounts defined (for logstash, kibana server, puppet control, and elastalert) as well as two LDAP group-based auth, but this kibana admin account is at the top of the access control rules.
Elasticsearch logs on a successful update of the config:
[2019-04-23T15:48:49,557][INFO ][t.b.r.a.ACL ] [elasticsearch2-0.example.com] ALLOWED by { name: 'local-admin', policy: ALLOW, rules: [auth_key, kibana_access]} req={ ID:2091769102-1464602925#43465, TYP:RRAdminRequest, CGR:N/A, USR:admin, BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:1.2.3.4, DA:1.2.3.4, IDX:<N/A>, MET:POST, PTH:/_readonlyrest/admin/config, CNT:<OMITTED, LENGTH=2819>, HDR:{authorization=<OMITTED>, Connection=close, content-length=2819, content-type=application/json, Host=elasticsearch2-0.example.com:9200}, HIS:[local-admin->[kibana_access->true, auth_key->true]] }
But if I try to dismiss the “Help us improve the Elastic Stack by providing usage statistics for basic features. We will not share this data outside of Elastic.” prompt at the top of the window:
[2019-04-23T15:50:33,626][INFO ][t.b.r.a.ACL ] [elasticsearch2-0.example.com] FORBIDDEN by default req={ ID:796808818-1511533555#44970, TYP:IndexRequest, CGR:N/A, USR:admin(?), BRS:false, KDX:null, ACT:indices:data/write/index, OA:1.2.3.4, DA:1.2.3.4, IDX:.iz1kibana, MET:POST, PTH:/.iz1kibana/doc/telemetry%3Atelemetry?refresh=wait_for, CNT:<OMITTED, LENGTH=90>, HDR:{authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=iz1elasticsearch2-0.bl.internal.maas360.com:9200, Content-Length=90}, HIS:[local-admin->[kibana_access->false, auth_key->true]], [local-logstash->[auth_key->false]], [local-kibana->[auth_key->false]], [local-puppet->[auth_key->false]], [elastalert->[auth_key->false]], [ldap-admin->[ldap_authentication->false]], [ldap-all->[ldap_authentication->false]], [localhost->[hosts->false]] }
One thing worth noting is that despite the kibana index being set in kibana.yml:
kibana.index: ".iz1kibana"
The index that is being created is .iz1kibana_1, not .iz1kibana. I changed the kibana.index to .iz1kibana_1 and restarted kibana but now I’m getting the same denial on the index that exists.
I’m at a bit of a loss as this new cluster was provisioned with the same settings as an earlier cluster where the admin account works.
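As an added example (not from the post or from the ReadonlyREST project), here is a small Python parser for ACL log lines of the shape quoted above: it pulls the request fields (USR, ACT, IDX, KDX, ...) and the per-block rule history out of a line, so a FORBIDDEN entry can be triaged by which rule in which block failed. The sample line is constructed to mirror the one in the post; the field abbreviations are the ones visible in the logs, and their meanings in the comments are my reading of them.

```python
import re
from dataclasses import dataclass

# Constructed sample line mirroring the FORBIDDEN entry in the post (example hostname).
SAMPLE = (
    "[2019-04-23T15:50:33,626][INFO ][t.b.r.a.ACL ] [elasticsearch2-0.example.com] "
    "FORBIDDEN by default req={ ID:796808818-1511533555#44970, TYP:IndexRequest, CGR:N/A, "
    "USR:admin(?), BRS:false, KDX:null, ACT:indices:data/write/index, OA:1.2.3.4, DA:1.2.3.4, "
    "IDX:.iz1kibana, MET:POST, PTH:/.iz1kibana/doc/telemetry%3Atelemetry?refresh=wait_for, "
    "CNT:<OMITTED, LENGTH=90>, HDR:{authorization=<OMITTED>, Connection=keep-alive, "
    "content-type=application/json, Host=elasticsearch2-0.example.com:9200, Content-Length=90}, "
    "HIS:[local-admin->[kibana_access->false, auth_key->true]], "
    "[local-kibana->[auth_key->false]], [localhost->[hosts->false]] }"
)

# KEY:value tokens; values may be a {...} header map, an <...> placeholder, or plain text.
TOKEN_RE = re.compile(r"\b([A-Z]{2,3}):(\{[^}]*\}|<[^>]*>|[^,}]+)")
# HIS entries: [block-name->[rule->true, rule->false]]
HIS_RE = re.compile(r"\[([\w-]+)->\[([^\]]*)\]\]")
RULE_RE = re.compile(r"(\w+)->(true|false)")


@dataclass
class AclEvent:
    verdict: str   # ALLOWED or FORBIDDEN
    fields: dict   # request fields, e.g. USR (user), ACT (action), IDX (index), KDX (kibana index)
    history: dict  # block name -> {rule name: True if the rule matched}


def parse_acl_line(line):
    """Parse one t.b.r.a.ACL log line into verdict, request fields and rule history."""
    verdict = re.search(r"\b(ALLOWED|FORBIDDEN)\b", line)
    if not verdict or "req={" not in line:
        raise ValueError("not a ROR ACL log line")
    body = line.split("req={", 1)[1]
    history = {}
    his_pos = body.find("HIS:")
    if his_pos >= 0:  # parse the history separately: it contains commas and brackets
        for block, rules in HIS_RE.findall(body[his_pos:]):
            history[block] = {r: v == "true" for r, v in RULE_RE.findall(rules)}
        body = body[:his_pos]
    fields = {k: v.strip() for k, v in TOKEN_RE.findall(body)}
    return AclEvent(verdict.group(1), fields, history)


def nearest_miss(event):
    """Rank blocks by how close they came to matching: fewest failed rules first.
    For the post's line this singles out local-admin failing only on kibana_access,
    i.e. the credentials were fine and the index check is what to look at."""
    ranked = sorted((len([r for r, ok in rules.items() if not ok]), block,
                     sorted(r for r, ok in rules.items() if not ok))
                    for block, rules in event.history.items())
    return [(block, failed) for _, block, failed in ranked]
```

Run `nearest_miss(parse_acl_line(line))` over the FORBIDDEN lines from the ES log to see, per request, which single rule stopped the closest block.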