ROR Pro doesn't move past the Login page when using ELB with more than 1 active instance

Using 6.2.4 PRO trial. I have two Kibana instances fronted by an ELB. It's odd - when I have BOTH instances configured and running - though the Kibana login page comes up - when clicking on Login - I see a successful negotiation with Elasticsearch - however the page simply refreshes and comes back to the login prompt.

If I STOP one instance - and attempt the same - Elasticsearch gives back the same successful authentication, but NOW Kibana navigates to the Discovery page. I tested this by randomly turning off one or the other Kibana instance (I have TWO behind the ELB). The behaviour is the same. When I bring back BOTH instances, ROR remains in Login.

Any ideas what could be the cause?

kibana.yml

server.host: 0.0.0.0

elasticsearch.url: https://myapp-elasticsearch.foo.myhost.com:443/
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

elasticsearch.requestHeadersWhitelist: [ authorization, x-forwarded-user, x-forwarded-group ]
readonlyrest_kbn.proxy_auth_passthrough: true

logging.verbose: true

This is my elasticlog:

ALLOWED by { name: '::RO::', policy: ALLOW} req={ ID:1024606461-985348909#5395, TYP:GetRequest, CGR:N/A, USR:myuser, BRS:false, KDX:null, ACT:indices:data/read/get, OA:10.203.122.225, DA:10.203.123.123, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.4, CNT:<N/A>, HDR:{authorization=Basic Y29udmVyc2U6Y29udmVyc2VyZWFk, Authorization=<OMITTED>, content-length=0, Connection=keep-alive, host=converse-myapp.foo.myhost.com, X-Forwarded-Proto=https, X-Forwarded-For=10.203.123.55, X-Forwarded-Port=443}, HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::RO::->[kibana_access->true, indices->true, kibana_hide_apps->true, auth_key->true]] }

Yes, I know why this happens. ROR randomly generates a key for encrypting cookies. When instance A creates your cookie, when you go to instance B it doesn’t recognise it and deletes it.

You need to enable sticky sessions.

Any suggestions on “Expiration Period”, or leave it blank? I’m assuming I have to choose the LoadBalancer Generated Cookie stickiness based option here.

Enable load balancer generated cookie stickiness

You don’t need an expiration period, so AFAIK it will never expire (it’s fine, it does not contain any sensitive info).
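
The failure explained in the reply above, modelled as an added example (not ReadonlyREST's own code): each node generates its own random cookie key at start-up, and one session cookie is replayed through a round-robin and a sticky routing function. The `makeInstance` and `simulate` helpers, the AES-256-GCM sealing, and the node names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical model of one Kibana node: the cookie key is generated at start-up
// and never shared between nodes. AES-256-GCM is an assumption of this sketch.
function makeInstance(name) {
  const key = crypto.randomBytes(32);
  return {
    name,
    seal(session) {
      const iv = crypto.randomBytes(12);
      const c = crypto.createCipheriv('aes-256-gcm', key, iv);
      const body = Buffer.concat([c.update(JSON.stringify(session), 'utf8'), c.final()]);
      return Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
    },
    open(cookie) {
      try {
        const raw = Buffer.from(cookie, 'base64');
        const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
        d.setAuthTag(raw.subarray(12, 28));
        const plain = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
        return JSON.parse(plain.toString('utf8'));
      } catch (err) {
        return null; // sealed under another node's key: no session, back to login
      }
    },
  };
}

// Log in on the node chosen for request 0, then replay the cookie on `requests`
// follow-up requests. route(i) models the ELB choosing a backend for request i.
function simulate(nodes, route, requests) {
  const cookie = nodes[route(0)].seal({ user: 'myuser' }); // constructed session
  let rejected = 0;
  for (let i = 1; i <= requests; i++) {
    if (nodes[route(i)].open(cookie) === null) rejected++;
  }
  return rejected;
}

const nodes = [makeInstance('kibana-a'), makeInstance('kibana-b')];
const roundRobin = (i) => i % nodes.length; // no stickiness: requests alternate
const sticky = () => 0;                     // ELB cookie pins the client to one node

console.log('round robin rejected:', simulate(nodes, roundRobin, 4));
console.log('sticky rejected:', simulate(nodes, sticky, 4));
console.log('single node rejected:', simulate([nodes[0]], () => 0, 4));
```

Restarting a node also regenerates its key in this model, so stickiness keeps a session valid only for as long as the pinned node stays up.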