ROR Kibana PRO -


(Damocles) #1

Have followed the instructions in setting up kibana PRO against my ES (5.5.2) cluster. The plugin install was successful and when I navigate to the localhost:5601 - it looks to be loading the login page correctly (and the kibana logs indicate ElasticSearch was GREEN). However, IF I enter anything in the credentials - kibana tries to log me in but then returns back to the Login page. The debug logs are at the bottom - I’ve added the prerequisite entries for readonlyrest AND kibana as indicated in the instructions. Any ideas where I should look at to debug / resolve this?

readonlyrest.yml

readonlyrest:
    prompt_for_basic_auth: false

    access_control_rules:
    - name: "Rout53 Access"
      type: allow
      x_forwarded_for: ["0.0.0.0/0"]
      actions: ["cluster:monitor/*", "indices:admin/get", "indices:admin/aliases", "indices:admin/aliases/*", "indices:admin/analyze", "indices:monitor/*", "indices:data/read/*"]
      verbosity: error

    - name: "Global Write/Admin Access"
      type: allow
      actions: ["indices:data/write/*","indices:admin/*", "cluster:admin/*", "cluster:monitor/*", "indices:monitor/*"]
      verbosity: error

    - name: "::KIBANA-SRV 1::"
      kibana_access: admin
      auth_key: kibana:kibana
      verbosity: error

    - name: "::KIBANA-SRV 2::"
      kibana_access: admin
      uri_re: ^/.kibana/.*
      indices: [".kibana"]
      verbosity: error

    - name: "::RO::"
      auth_key: ro:dev
      kibana_access: ro
      indices: [ ".kibana", ".kibana-devnull", "logstash-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::RW::"
      auth_key: rw:dev
      kibana_access: rw
      indices: [".kibana", ".kibana-devnull", "logstash-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::ADMIN::"
      auth_key: admin:dev
      # KIBANA ADMIN ACCESS NEEDED TO EDIT SECURITY SETTINGS IN ROR KIBANA APP!
      kibana_access: admin

Kibana Debug Logs

>   log   [16:38:57.648] [debug][plugin] Checking Elasticsearch version
>   log   [16:39:00.838] [debug][plugin] Checking Elasticsearch version
>   ops   [16:39:01.812]  memory: 47.9MB uptime: 0:01:08 load: [0.00 0.00 0.00] delay: 4.977
>   log   [16:39:04.028] [debug][plugin] Checking Elasticsearch version
>   ops   [16:39:06.812]  memory: 47.3MB uptime: 0:01:13 load: [0.00 0.00 0.00] delay: 5.040
>   log   [16:39:07.213] [debug][plugin] Checking Elasticsearch version
>   log   [16:39:10.428] [debug][plugin] Checking Elasticsearch version
>   log   [16:39:10.587] [debug][readonlyrest_kbn] try extract credentials from JSON
>   log   [16:39:10.589] [debug][readonlyrest_kbn] try extract credentials from JSON
>   log   [16:39:10.590] [debug][readonlyrest_kbn] groupCurrent not found in cookie, that's ok.
>   log   [16:39:10.591] [debug][readonlyrest_kbn] try extract credentials from JSON
>   log   [16:39:10.592] [debug][readonlyrest_kbn] Configuring HTTPS agent
>   log   [16:39:10.594] [debug][readonlyrest_kbn] groupCurrent not found in cookie, that's ok.
>   log   [16:39:11.010] [debug][readonlyrest_kbn] ON_IDENTITY setting kibana index to .kibana
>   log   [16:39:11.013] [debug][readonlyrest] ensuring exists: .kibana
>   log   [16:39:11.014] [debug][readonlyrest_kbn] path already present in routing table /.kibana/{paths*}
> respons [16:39:11.019]  POST /login 302 433ms - 9.0B
> respons [16:39:11.030]  GET / 200 6ms - 9.0B
>   log   [16:39:11.114] [debug][readonlyrest_kbn] kbnIndex probably already existed: .kibana
>   log   [16:39:11.447] [debug][readonlyrest_kbn] ON_INJECT Found authenticated, injecting kibanaIndex: .kibana
> respons [16:39:11.458]  GET /app/kibana 200 411ms - 9.0B
> respons [16:39:11.524]  GET /ui/fonts/open_sans/open_sans_v13_latin_300.woff2 304 3ms - 9.0B
> respons [16:39:11.582]  GET /bundles/commons.style.css?v=15443 304 2ms - 9.0B
> respons [16:39:11.583]  GET /bundles/kibana.style.css?v=15443 304 3ms - 9.0B
> respons [16:39:11.586]  GET /bundles/commons.bundle.js?v=15443 304 2ms - 9.0B
> respons [16:39:11.607]  GET /ui/favicons/favicon-32x32.png 304 2ms - 9.0B
> respons [16:39:11.633]  GET /ui/favicons/favicon-16x16.png 304 5ms - 9.0B
> respons [16:39:11.713]  GET /bundles/kibana.bundle.js?v=15443 304 2ms - 9.0B
>   ops   [16:39:11.813]  memory: 45.3MB uptime: 0:01:18 load: [0.00 0.00 0.00] delay: 5.119
> respons [16:39:12.542]  GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_5_0 200 20ms - 9.0B
> respons [16:39:12.545]  GET /plugins/readonlyrest_kbn/css/cookieconsent.min.css 304 7ms - 9.0B
> respons [16:39:12.548]  GET /plugins/readonlyrest_kbn/js/cookieconsent.min.js?_=1522341552083 200 10ms - 9.0B
> respons [16:39:12.672]  GET /plugins/kibana/assets/discover.svg 304 3ms - 9.0B
> respons [16:39:12.676]  GET /plugins/kibana/assets/visualize.svg 304 2ms - 9.0B
> respons [16:39:12.678]  GET /plugins/kibana/assets/dashboard.svg 304 4ms - 9.0B
> respons [16:39:12.682]  GET /plugins/readonlyrest_kbn/rorSVG.svg 304 5ms - 9.0B
> respons [16:39:12.684]  GET /plugins/timelion/icon.svg 304 8ms - 9.0B
> respons [16:39:12.689]  GET /plugins/kibana/assets/wrench.svg 304 9ms - 9.0B
> respons [16:39:12.695]  GET /plugins/kibana/assets/settings.svg 304 8ms - 9.0B
> respons [16:39:12.696]  GET /ui/fonts/open_sans/open_sans_v13_latin_regular.woff2 304 11ms - 9.0B
> respons [16:39:12.699]  GET /plugins/kibana/assets/play-circle.svg 304 7ms - 9.0B
> respons [16:39:12.702]  GET /bundles/0cebf3d61338c454670b1c5bdf5d6d8d.svg 304 3ms - 9.0B
> respons [16:39:12.704]  GET /ui/favicons/favicon-32x32.png 304 6ms - 9.0B
> respons [16:39:12.708]  GET /ui/favicons/favicon-32x32.png 304 2ms - 9.0B
> respons [16:39:12.754]  GET /ui/fonts/open_sans/open_sans_v13_latin_700.woff2 304 1ms - 9.0B
> respons [16:39:12.769]  GET /logout 302 1ms - 9.0B
> respons [16:39:12.775]  POST /es_admin/.kibana/index-pattern/_search?stored_fields= 302 1ms - 9.0B
> respons [16:39:12.780]  GET / 302 1ms - 9.0B
>   log   [16:39:12.794] [debug][readonlyrest_kbn] try extract credentials from JSON
> respons [16:39:12.799]  GET /ui/favicons/favicon-16x16.png 304 6ms - 9.0B
> respons [16:39:12.803]  GET /login 200 10ms - 9.0B
>   log   [16:39:12.809] [debug][readonlyrest_kbn] try extract credentials from JSON
> respons [16:39:12.812]  GET /login 200 4ms - 9.0B
> respons [16:39:12.842]  GET /plugins/readonlyrest_kbn/js/jquery-3.2.1.min.js 304 5ms - 9.0B
> respons [16:39:12.846]  GET /plugins/readonlyrest_kbn/js/jquery.shake.js 304 7ms - 9.0B
> respons [16:39:12.849]  GET /plugins/readonlyrest_kbn/css/normalize.min.css 304 10ms - 9.0B
> respons [16:39:12.854]  GET /plugins/readonlyrest_kbn/readonlyrest_square_white.png 304 2ms - 9.0B
> respons [16:39:12.860]  GET /plugins/readonlyrest_kbn/readonlyrest-logo-white.png 304 1ms - 9.0B

(Simone Scarduzio) #2

Hi @titan1978,

I invite you to read this closed issue

TL;DR: the order of the ACL blocks does matter and you should move the load balancer pass through block TO THE END of the ACL, so requests that carry credentials can match the right rules and inform Kibana about the user identity.
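
An added example (not part of the thread and not ReadonlyREST code) that models the first-match-wins evaluation described in the reply above against the ACL posted in #1. It is a simplified Python model: the `xff` key, the request fields and the sample request are assumptions made for illustration, and the `indices` and `kibana_*` rules are not modelled.

```python
import re
from fnmatch import fnmatchcase

# Simplified model of the readonlyrest.yml posted above: only x_forwarded_for,
# actions, auth_key and uri_re are modelled; indices and kibana_* are left out.
# "xff": True stands for x_forwarded_for 0.0.0.0/0 (any address, header required).
ACL = [
    {"name": "Rout53 Access", "xff": True, "actions": [
        "cluster:monitor/*", "indices:admin/get", "indices:admin/aliases",
        "indices:admin/aliases/*", "indices:admin/analyze", "indices:monitor/*",
        "indices:data/read/*"]},
    {"name": "Global Write/Admin Access", "actions": [
        "indices:data/write/*", "indices:admin/*", "cluster:admin/*",
        "cluster:monitor/*", "indices:monitor/*"]},
    {"name": "::KIBANA-SRV 1::", "auth_key": "kibana:kibana"},
    {"name": "::KIBANA-SRV 2::", "uri_re": r"^/.kibana/.*"},
    {"name": "::RO::", "auth_key": "ro:dev"},
    {"name": "::RW::", "auth_key": "rw:dev"},
    {"name": "::ADMIN::", "auth_key": "admin:dev"},
]

def block_matches(block, req):
    # Every rule a block declares must match the request.
    return all((
        not block.get("xff") or req["forwarded_for"] is not None,
        "actions" not in block or any(fnmatchcase(req["action"], p) for p in block["actions"]),
        "uri_re" not in block or re.search(block["uri_re"], req["uri"]) is not None,
        "auth_key" not in block or req["credentials"] == block["auth_key"],
    ))

def first_match(acl, req):
    # First matching block wins; a user is known only if that block authenticated.
    for block in acl:
        if block_matches(block, req):
            user = block["auth_key"].split(":")[0] if "auth_key" in block else None
            return block["name"], user
    return None, None  # nothing matched: the request is rejected

def move_to_end(acl, name):
    # The fix from the reply: evaluate the pass-through block after all others.
    return [b for b in acl if b["name"] != name] + [b for b in acl if b["name"] == name]

def search_as_admin(via_lb):
    # Constructed request: a search carrying admin:dev, optionally through the ELB.
    return {"action": "indices:data/read/search", "uri": "/logstash-sample/_search",
            "credentials": "admin:dev", "forwarded_for": "203.0.113.10" if via_lb else None}

for acl in (ACL, move_to_end(ACL, "Rout53 Access")):
    print(first_match(acl, search_as_admin(via_lb=True)))
```

In the posted order the request is allowed by "Rout53 Access" with no user attached; with that block moved last it reaches "::ADMIN::" and resolves to `admin`. In this model the credential-less "Global Write/Admin Access" block shadows later blocks the same way for the actions it lists, such as `cluster:monitor/*`.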


(Damocles) #3

Looks like it was a config problem on the ELB. It had stickiness and wasn’t pulling in the instance where the rules were rectified. Thanks for the rules ordering tip. It helped.

Feedback: Since the rules order is so critical for this - some kind of a visual cue would help to alert the developer why access is failing? A “developer mode” that returns the cue perhaps that kibana rules are not being matched in the UI? Or maybe add this blurb to the readonlyrest PRO documentation under the Very important section!


(Simone Scarduzio) #4

You are absolutely right. This very issue is way more common than I anticipated (i.e. third customer in a month). Will proceed to:

  • ✅ Add the paragraph in the Kibana plugin docs
  • ✅ Add an alert message in Kibana when login is successful, but no identity headers are pulled from ES. The alert will point to the documentation paragraph.

(Damocles) #5

@sscarduzio hey - was checking to see if the trial license could be extended by a couple of weeks? My director has approved the request but he’s sent it out to our Global Architecture group for OSS clearance within our enterprise. That could take up to a week and it looks like the license is set to expire in a couple of days!

Thank You