[RoR PRO] Can't login to Kibana via API

deimantastumas · August 25, 2023, 9:28am

For some reason creating the topic via Customer Portal returns the following error An error occurred: You are not permitted to view the requested resource., hence trying to create a topic here.

Support request

Hey, after upgrading our ELK to 7.17.12 and bumping RoR to 1.50.0, our integration tooling that interacts with Kibana via API and utilises RoR cookie can no longer get the cookie and instead gets 401 Unauthorized error. Note, that everything worked correctly when using RoR 1.44.0 and ES/Kibana 7.16.2.

ROR Version: 1.50.0

Kibana Version: 7.17.12

Elasticsearch Version: 7.17.12

Steps to reproduce the issue: Try getting the RoR cookie by sending the POST request to https://HOSTNAME/login with Basic Auth.

Expected result: Response with 200 status code and RoR cookie in the headers

Actual Result: Response with 401 status code and no RoR cookie in the headers

{“customer_id”: “a2d8a38b-1070-4845-aa8e-6f38fb585857”, “subscription_id”: “c6f3569d-3d8e-46ce-ac53-92f19301b69e”}

sscarduzio · August 28, 2023, 8:29am

Hello @deimantastumas try again making sure you are logged in the forum first?

About the Kibana issue: do you see this in Kibana logs? [error][plugins][ReadonlyREST][csrf] invalid csrf token?

deimantastumas · August 28, 2023, 12:27pm

I couldn’t even create a new topic without logging into the forum. After logging-in and then using the customer page to get into the new topic creation page I was marked as a PRO User, but I got the mentioned error when trying to create a ticket.

Indeed, we’re seeing this error message:

[error][plugins][ReadonlyREST][csrf] invalid csrf token

deimantastumas · August 28, 2023, 12:50pm

Tried again creating the support ticket, got the same error:

sscarduzio · August 29, 2023, 3:21pm

@Dzuming correct me if I’m wrong, but AFAIR in the newer ROR versions you can simply add Basic auth headers to the /api/* requests in Kibana and it ROR will authenticate fine. No need to use the cookie anymore.

@deimantastumas can you give it a try?

About the support ticket in the portal: thanks for the screenshot. I have raised the privileges of your forum user. Try if it fixes it?

Dzuming · August 29, 2023, 4:31pm

Yes, exactly, you are right. Since we introduced CSRF protection to the login form, there is no way to generate it via direct HTTP call to the /login endpoint.

deimantastumas · August 30, 2023, 5:54am

Thank you for the tip - adding auth header in all requests instead of using /login helped. @sscarduzio I’ve tried creating the ticket again, but got the same error

deng47 · November 5, 2023, 4:16pm

I encountered the same invalid csrf token issue in Kibana. Could you tell me how exactly to add Basic auth headers to the /api/* requests in Kibana?
https://forum.readonlyrest.com/t/support-kbn-ent-lawrence-berkeley-lab/2426/13?u=deng47

coutoPL · November 5, 2023, 6:36pm

Do you confirm you experience the same using ROR 1.52.0?

deng47 · November 5, 2023, 6:39pm

I am experiencing this invalid csrf token issue using ROR 1.52.0

deng47 · November 5, 2023, 6:43pm

Here is the Kibana definition yaml file that the ECK-operator uses for creating kibana

# cat hostname-kb.yaml 
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: hostname
  namespace: hostname-es
spec:
  version: 7.17.13
  image: internal_gitea_addr:443/otg/kibana-7.17.13_ror-1.52.0-ssl:v0.1
  count: 1
  elasticsearchRef:
    name: hostname
    namespace: hostname-es
    serviceName: hostname-es-http

  config:
    #telemetry.optIn: false
    #telemetry.enabled: false
    monitoring.enabled: true
    elasticsearch.hosts: "https://hostname-es-client.hostname-es.svc:9200"
    elasticsearch.serviceAccountToken: ${KIBANA_SERVICE_ACCOUNT_TOKEN}
    elasticsearch.requestTimeout: 600000
    elasticsearch.ssl.verificationMode: none
    xpack.security.enabled: false
    xpack.watcher.enabled: false
    readonlyrest_kbn.session_timeout_minutes: 60
    readonlyrest_kbn.clearSessionOnEvents: ["never"]
    readonlyrest_kbn.whitelistedPaths: [".*/api/status$"]
    #readonlyrest_kbn.kibanaIndexTemplate: ".kibana_operator"
    readonlyrest_kbn.sessions_probe_interval_seconds: 360
    readonlyrest_kbn.cookiePass: 'Just-A-Random_tring_4_C00kiePass'
  podTemplate:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: kibana
        resources:
          requests:
            memory: 2Gi
            cpu: 1
          limits:
            memory: 8Gi
            cpu: 4
        readinessProbe:
          tcpSocket:
            port: 5601
          initialDelaySeconds: 30
          periodSeconds: 2
        env:
        - name: KIBANA_SERVICE_ACCOUNT_TOKEN
          valueFrom:
            secretKeyRef:
              name: hostname-kibana-user
              key: token