[RoR PRO] Can't login to Kibana via API

For some reason creating the topic via the Customer Portal returns the following error: "An error occurred: You are not permitted to view the requested resource.", hence I am trying to create a topic here.

Support request

Hey, after upgrading our ELK to 7.17.12 and bumping RoR to 1.50.0, our integration tooling that interacts with Kibana via API and utilises the RoR cookie can no longer get the cookie and instead gets a 401 Unauthorized error. Note that everything worked correctly when using RoR 1.44.0 and ES/Kibana 7.16.2.

ROR Version: 1.50.0

Kibana Version: 7.17.12

Elasticsearch Version: 7.17.12

Steps to reproduce the issue: Try getting the RoR cookie by sending a POST request to https://HOSTNAME/login with Basic Auth.

Expected result: Response with 200 status code and RoR cookie in the headers

Actual Result: Response with 401 status code and no RoR cookie in the headers

{"customer_id": "a2d8a38b-1070-4845-aa8e-6f38fb585857", "subscription_id": "c6f3569d-3d8e-46ce-ac53-92f19301b69e"}

Hello @deimantastumas, try again making sure you are logged in to the forum first?

About the Kibana issue: do you see this in the Kibana logs? "[error][plugins][ReadonlyREST][csrf] invalid csrf token"

I couldn’t even create a new topic without logging into the forum. After logging in and then using the customer page to get to the new-topic creation page I was marked as a PRO User, but I got the mentioned error when trying to create a ticket.

Indeed, we’re seeing this error message:

[error][plugins][ReadonlyREST][csrf] invalid csrf token

Tried again creating the support ticket, got the same error:

@Dzuming correct me if I’m wrong, but AFAIR in the newer ROR versions you can simply add Basic auth headers to the /api/* requests in Kibana and ROR will authenticate fine. No need to use the cookie anymore.

@deimantastumas can you give it a try?

About the support ticket in the portal: thanks for the screenshot. I have raised the privileges of your forum user. Try if it fixes it?

Yes, exactly, you are right. Since we introduced CSRF protection to the login form, there is no way to generate it via a direct HTTP call to the /login endpoint.


Thank you for the tip - adding the auth header to all requests instead of using /login helped. @sscarduzio I’ve tried creating the ticket again, but got the same error :man_shrugging:


I encountered the same invalid csrf token issue in Kibana. Could you tell me how exactly to add Basic auth headers to the /api/* requests in Kibana?
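Concretely, the per-request approach recommended earlier in the thread (send an Authorization: Basic header on every /api/* call and never touch /login) looks like this. This is an added example, not code from ReadonlyREST or from any poster's tooling. It assumes only a Kibana base URL plus a username and password that the ROR ACL accepts; the kbn-xsrf header is the standard Kibana requirement for API calls and is unrelated to ROR's login-form CSRF token. The small HTTP server at the bottom is a constructed stand-in for Kibana that echoes the headers it received, so the client can be exercised offline; against a real instance you would call kibana_api_call with the real base URL.

```python
import base64
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def kibana_api_headers(username: str, password: str) -> dict:
    """Headers for a direct Kibana API call authenticated per request (no ROR cookie)."""
    return {
        "Authorization": basic_auth_header(username, password),
        # Kibana refuses state-changing API calls without kbn-xsrf; sending it on
        # every call is harmless and keeps GET/POST handling uniform.
        "kbn-xsrf": "true",
        "Content-Type": "application/json",
    }


def kibana_api_call(base_url, path, username, password, method="GET", body=None, timeout=30):
    """Call a Kibana /api/* endpoint; returns (status, parsed JSON or error text)."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=data, method=method,
        headers=kibana_api_headers(username, password),
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = resp.read()
            return resp.status, (json.loads(payload) if payload else None)
    except HTTPError as err:
        # A 401 here means the ACL rejected the credentials, not a CSRF problem:
        # the login form (and its CSRF token) is never involved on this path.
        return err.code, err.read().decode("utf-8", errors="replace")


class _EchoHandler(BaseHTTPRequestHandler):
    """Constructed mock of Kibana: 401 without credentials, otherwise echo headers."""

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if auth is None:
            self.send_response(401)
            self.end_headers()
            return
        body = json.dumps({
            "path": self.path,
            "authorization": auth,
            "kbn_xsrf": self.headers.get("kbn-xsrf"),
        }).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_against_mock():
    """Run the client against the mock; returns (authenticated, unauthenticated) results."""
    server = HTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        ok = kibana_api_call(base, "/api/status", "alice", "s3cret")
        # Same endpoint with no Authorization header: the mock, like ROR, answers 401.
        try:
            urllib.request.urlopen(base + "/api/status", timeout=5)
            denied = (200, None)
        except HTTPError as err:
            denied = (err.code, None)
        return ok, denied
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo_against_mock())
```

Because credentials travel on every request, the client never holds a session, so readonlyrest_kbn.session_timeout_minutes and the cookie lifetime no longer affect the tooling; the trade-off is that the password is sent on each call, which is why the Kibana endpoint should be HTTPS-only.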

Do you confirm you experience the same using ROR 1.52.0?

I am experiencing this invalid csrf token issue using ROR 1.52.0

Here is the Kibana definition YAML file that the ECK operator uses for creating Kibana

# cat hostname-kb.yaml
# Note: the container keys (metadata/spec/config/podTemplate, resources,
# readinessProbe, env) were lost when this was pasted; they are restored
# below from the ECK Kibana CRD layout and the original indentation. The
# probe type and the env var name are assumptions.
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: hostname
  namespace: hostname-es
spec:
  version: 7.17.13
  image: internal_gitea_addr:443/otg/kibana-7.17.13_ror-1.52.0-ssl:v0.1
  count: 1
  elasticsearchRef:
    name: hostname
    namespace: hostname-es
    serviceName: hostname-es-http
  config:
    #telemetry.optIn: false
    #telemetry.enabled: false
    monitoring.enabled: true
    elasticsearch.hosts: "https://hostname-es-client.hostname-es.svc:9200"
    elasticsearch.serviceAccountToken: ${KIBANA_SERVICE_ACCOUNT_TOKEN}
    elasticsearch.requestTimeout: 600000
    elasticsearch.ssl.verificationMode: none
    xpack.security.enabled: false
    xpack.watcher.enabled: false
    readonlyrest_kbn.session_timeout_minutes: 60
    readonlyrest_kbn.clearSessionOnEvents: ["never"]
    readonlyrest_kbn.whitelistedPaths: [".*/api/status$"]
    #readonlyrest_kbn.kibanaIndexTemplate: ".kibana_operator"
    readonlyrest_kbn.sessions_probe_interval_seconds: 360
    readonlyrest_kbn.cookiePass: 'Just-A-Random_tring_4_C00kiePass'
  podTemplate:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: kibana
        resources:
          requests:
            memory: 2Gi
            cpu: 1
          limits:
            memory: 8Gi
            cpu: 4
        readinessProbe:
          tcpSocket:          # assumed probe type
            port: 5601
          initialDelaySeconds: 30
          periodSeconds: 2
        env:
        - name: KIBANA_SERVICE_ACCOUNT_TOKEN   # assumed: matches the ${...} used in config above
          valueFrom:
            secretKeyRef:
              name: hostname-kibana-user
              key: token