Short url in kibana 8

ROR Version: 1.69.1_es8.19.15

Kibana Version: 8.19.15

Elasticsearch Version: 8.19.15

Steps to reproduce the issue
Create short url in kibana

Expected result:
short url

host/s/default/app/r/s/uP4M9

Actual Result:
long url

host/s/default/app/r/s/uP4M9?tenancy=U2FsdGVkX1%2Fr3jYX%2BVbx6gXvH2Nwm8Oiu6OJqgBk0ORHttaapa52Gz8zOLRSfDEogHJ8XDcAc5pblNjkSLaypGv9HBLivAL9a6t0dkOWmmE%3D

Is it possible to prevent Tenancy from being added to the short URL?

If I make a short URL from a lower level to a higher level,
rw user => Unrestricted user
I get an error.

but short url works
host/s/default/app/r/s/D8CZB

{“customer_id”: “6c4a385b-2ae8-4f02-a9cd-ef24addfb5b3”, “subscription_id”: “32d4073f-dc2f-4056-a868-842727c637cd”}

Hello,

Currently, the only way is to manually remove the tenancy context from the short URL, as you describe. We are similar to Kibana spaces here, where the context of the selected space is sent in the short URL.

One question: do RW users have a group configured, and an unrestricted user doesn’t have this group in a configuration, or is it a different case?

ror example:

    - name: "admin"
      type: allow
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["Admin"]
      kibana_access: unrestricted

    - name: "elevated"
      type: allow
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["elevated"]
      kibana_access: rw

    - name: "basic user"
      type: allow
      ldap_authentication:
        name: "ldap"
      kibana_access: rw

Short links created under the “basic user” cannot be opened by other users.
But if the “basic user” first opens an admin short link, then he will have my tenancy in the URL, and at that moment all the links created by the basic user will work.

Thanks. Based on your ACL, this behaviour is a bug; we are working on fixing it.

@Dzuming Before this, we had version 1.68 and Kibana 8.18.8, and there was no such error.

Is the issue reproducible in ROR version 1.68 for Kibana 8.19?
If this error does not exist, then tell us how to get the ROR version 1.68.0 for 8.19.15 kibana and elasticsearch?

Unfortunately, due to a vulnerability in Kibana, we cannot wait long for an update.

Yes, this problem was likely introduced in ROR 1.69.x. If this is really important for you, please downgrade to ROR 1.68.x.

You can download an older version using our API. See here: For Kibana | ReadonlyREST

I try:

wget "https://portal.readonlyrest.com/download/kbn?email=asd@ya.ru&edition=kbn_universal&esVersion=8.19.15&pluginVersion=1.68.0"

But I see an error
2026-05-21 16:10:24 error 404: Not Found.

We will check this.
For now, please try the URL found here: readonlyrest-examples/runner/images/kbn/install-ror-kbn-using-api.sh at c242b2011154df699fbaed895fd438d87d401a0b · beshu-tech/readonlyrest-examples · GitHub

I remembered that there was no old version of ROR for 8.19.15.
I try

 wget "https://portal.readonlyrest.com/download/kbn?email=asd@ya.ru&edition=kbn_universal&esVersion=8.19.14&pluginVersion=1.68.0"

but I see an error too
2026-05-21 16:11:53 error 404: Not Found.

oh, you use 8.19.15 :frowning:
Ok, I will prepare ROR 1.68.x with 8.19.15 for you. Will send it later today.

Downloading via API does not work.
Tell me what I’m doing wrong?

wget "https://api.beshu.tech/download/kbn?esVersion=8.19.14&pluginVersion=8.19.14&email=asd@ya.ru"
--2026-05-21 14:16:50--  https://api.beshu.tech/download/kbn?esVersion=8.19.14&pluginVersion=8.19.14&email=bora-bora23@ya.ru
Resolving api.beshu.tech (api.beshu.tech)... 104.21.14.182, 172.67.160.34, 2606:4700:3037::6815:eb6, ...
Connecting to api.beshu.tech (api.beshu.tech)|104.21.14.182|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

e.g.

 wget "https://api.beshu.tech/download/kbn?esVersion=8.19.10&pluginVersion=1.68.0&edition=kbn_universal&email=asd@ya.ru"

There is an additional edition param.
Moreover, the ROR plugin version was wrong.

Yes, I read it. Thank you.

@driveirk

I found an option to disable tenancy-based behaviour in the newest ROR version

Please, add it to the kibana.yml:

    readonlyrest_kbn.kibana_custom_js_inject: '(function removeTenancyFromUrl() { var url = new URL(window.location.href); if (url.searchParams.has("tenancy")) { url.searchParams.delete("tenancy"); window.history.replaceState(null, "", url.pathname + url.search + url.hash); } })();'
    readonlyrest_kbn.custom_middleware_inject: 'function test(req, res, next) { if (req.path.endsWith("/pkp/injections/tenancy-context-injector.js")) { return res.status(403).type("text/plain").send("Tenancy disabled"); } next(); }'

readonlyrest_kbn.kibana_custom_js_inject → will remove tenancy query param from URL

readonlyrest_kbn.custom_middleware_inject → tenancy won’t be added to the short URL

Yes, it works. Thank you very much.

This is fixed in ROR 1.70.0.