ROR Pro doesn't move past the Login page when using ELB with more than 1 active instance


(Roger Seth) #1

Using 6.2.4 PRO trial. I have two Kibana instances fronted by an ELB. Its odd - when I have BOTH instances configured and running - though the kibana login page comes up - when clicking on Login - I see a successful negotiation with Elastic Search - however the page simply refreshes and comes back to the login prompt.

If I STOP one instance - and attempt the same - elastic search gives back the same successful authetnication and but NOW Kibana navigates to the Discovery page. I tested this by randomly turning off one or the other kibana instance (I have TWO behind the ELB). The behaviour is the same. When I bring back BOTH instances, ROR remains in Login.

Any ideas what could be the cause?

kibana.yml

server.host: 0.0.0.0

elasticsearch.url: https://myapp-elasticsearch.foo.myhost.com:443/
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

elasticsearch.requestHeadersWhitelist: [ authorization, x-forwarded-user, x-forwarded-group ]
readonlyrest_kbn.proxy_auth_passthrough: true

logging.verbose: true

This is my elasticlog:

ALLOWED by { name: '::RO::', policy: ALLOW} req={ ID:1024606461-985348909#5395, TYP:GetRequest, CGR:N/A, USR:myuser, BRS:false, KDX:null, ACT:indices:data/read/get, OA:10.203.122.225, DA:10.203.123.123, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.4, CNT:<N/A>, HDR:{authorization=Basic Y29udmVyc2U6Y29udmVyc2VyZWFk, Authorization=<OMITTED>, content-length=0, Connection=keep-alive, host=converse-myapp.foo.myhost.com, X-Forwarded-Proto=https, X-Forwarded-For=10.203.123.55, X-Forwarded-Port=443}, HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::RO::->[kibana_access->true, indices->true, kibana_hide_apps->true, auth_key->true]] }


(Simone Scarduzio) #2

Yes I know why this happens. ROR randomly generates a key for encrypting cookies. When instance A creates your cookie, when you go to instance B it doesn’t recognise it and deletes it.

You need to enable sticky sessions.


(Roger Seth) #3

any suggestions on “Expiration Period” or leave it blank?. I’m assuming i have to choose the LoadBalancer Generated Cookie stickiness based option here.

Enable load balancer generated cookie stickiness


(Simone Scarduzio) #4

You don’t need an expiration period, so AFAIK it will never expire (it’s fine, it does not contain any sensitive info).