Question on Kibana Integration

(I haven’t yet purchased the Kibana PRO/ENTERPRISE license and neither do I have a Trial license yet. Am trying to do some basic Kibana Integration with my ROR enabled elastic stack. Successful POC will allow me to trigger a purchase of the PRO License FYI). POC intent is to get Kibana to Load successfully with the default internal kibana/kibana elasticpassword and allow me to navigate all the features of kibana-elasticsearch by default without any Basic Authentication Popups.

  • WITHOUT purchasing the PRO/ENTERPRISE/TRIAL license, what all can I do by default?
  • Am getting a Basic Authentication Challenge whilst bringing up Kibana! I was hoping with the kibana/kibana yml configuration - at the very least Kibana will come up - write the necessary indexes etc. However, I get a foribidden error RANDOMLY with this configuration. The odd thing is - sometimes I do get the user correctly as kibana and the KIBANA-SRV rule passes, but other most of the other times it fails as below. Any suggestions?

FORBIDDEN by default req={ ID:419936870-1449684158#181, TYP:GetFieldMappingsRequest, CGR:N/A, USR:[no basic auth header], BRS:false, ACT:indices:admin/mappings/fields/get, OA:10.203.122.154, DA:10.203.121.87, IDX:.kibana, MET:GET, PTH:/.kibana/_mapping/*/field/_source, CNT:<N/A>, HDR:{Connection=keep-alive, content-length=0, host=converse-elasticsearch.clouddqt.capitalone.com, X-Forwarded-For=10.203.121.86, 10.203.123.205, X-Forwarded-Port=443, X-Forwarded-Proto=https}, HIS:[Rout53 Access->[actions->false, x_forwarded_for->true]], [Global Write/Admin Access->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]] }

I have configured

kibana.yml

elasticsearch:username: "kibana"
elasticsearch.password: “kibana”

readonlyrest.yml

readonlyrest:
access_control_rules:

- name: "Rout53 Access"
  type: allow
  x_forwarded_for: ["0.0.0.0/0"]
  actions: ["cluster:monitor/*","indices:data/read/*", "indices:admin/get", "indices:admin/aliases", "indices:admin/aliases/*", "indices:admin/analyze", "indices:monitor/*"]
  verbosity: error

- name: "Global Write/Admin Access"
  auth_key: "elastic:$apr1$JRxL0HOz$ndMHCirazDfTZznLy.icH1"
  type: allow
  actions: ["indices:data/write/*","indices:admin/*", "cluster:admin/*"]

- name: "::KIBANA-SRV::"
  kibana_access: ro
  auth_key: **kibana:kibana**

- name: "::RO::"
  auth_key: ro:dev
  kibana_access: ro
  indices: [ ".kibana", ".kibana-devnull", "logstash-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

- name: "::RW::"
  auth_key: rw:dev
  kibana_access: rw
  indices: [".kibana", ".kibana-devnull", "logstash-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

Well, you are describing the long standing Kibana bug I was talking about.

However, a very shitty way to mitigate this is to open up the ACL for those certain actions. A bit like you did for the ELB health checks.
Maybe as a “proof of concept” it will momentarily do the trick.

Talking about POC and demos: I’d hate to come across as the classical pushy seller, but - if you need - I can simply hand you over a link to the trial of the Kibana plugin. No strings attached.

@sscarduzio Thank you. Thats very forthcoming - once I had my kibana working I was planning on using the trial to prototype and demo to mesh the last part of this - multi tenancy. A readiliy available link would help speed things along.

to this point : Maybe as a “proof of concept” it will momentarily do the trick.
I assume this bug is regardless of whether or not its a Proof of Concept or not? Are you suggesting that I hack the Kibana flow across the environment spectrum (DEV/QA/PROD) until an “official” fix is available?

Maybe it’s semantics, but in my understanding I supposed a POC would not reach QA/PROD.
I just suggested to pin some holes in the ACL in a controlled environment, if you just need to show off what’s possible.

About the bug. This bug in Kibana in 2016 and never resolved. I know because was the one reporting it. Personally I lost hope.

@sscarduzio Ah - I meant if the Proof of Concept is approved - when we take it to PROD - we cant depend on the kibana/kibana due to the bug so the same “hack” for allowing a custom ACL for kibana events would need to get promoted to PROD?

Well of course if you promote the PoC to prod as is, you will expose production data to flaws. So by all means, I suggest to use the appropriate tools if your PoC has chances to go straight to prod.