Trying to configure kibana plugin but getting Server Error 404

rimitchell · February 19, 2018, 6:31pm

Tried with ES & Kibana on 5.6.7 and now on 6.2.1.

After setting up both plugins and the ES RoR configuration, I am able to hit the ES api directly using the basic auth headers and it works: I can read/write indices, etc. Passing incorrect user:pass returns forbidden.

Swapping to Kibana. After installing the enterprise plugin I am seeing the login screen. When I try and provide the same credentials used when hitting the ES api directly I get the response: Could not login: Server Error: 404.
Using incorrect creds I do see: Could not login: Forbidden. In the ES log I am also able to see both auth events (ALLOWED by and FORBIDDEN by).

Looking at my kibana logs I do not see anything that jumps out at me.

Am I missing something somewhere on the kibana setup?
Username/password are set in kibana.yaml.

Thanks,
Richard

sscarduzio · February 19, 2018, 7:08pm

Hi @rimitchell !

Can you provide the relevant ES log line? The one with a 404?

Do you have this same 404 error on both ES versions?

Also to be checked: if you enabled SSL in ES, remember to change to “https” in kibana.yml

elasticsearch.url: "https://localhost:9200"

If you still can’t resolve, please share the readonlyrest.yml

rimitchell · February 19, 2018, 8:31pm

Hi Simone,

I currently have SSL disabled.
And yes. I get the Could not login: Server Error: 404 on both versions when I click on the Enter Kibana button.

readonlyrest.yaml is below

The 404 in the logs was being displayed in the kibana logs and was only saying it couldn’t find css/normalize.min.css.map.

got an error [404] Not Found for path /plugins/readonlyrest_kbn/css/normalize.min.css.map { Error: Not Found
    at Items.serial (/usr/share/kibana/node_modules/inert/lib/directory.js:192:31)
    at done (/usr/share/kibana/node_modules/items/lib/index.js:31:25)
    at File.load (/usr/share/kibana/node_modules/inert/lib/directory.js:117:32)
    at internals.openStat (/usr/share/kibana/node_modules/inert/lib/file.js:102:20)
    at Fs.open (/usr/share/kibana/node_modules/inert/lib/file.js:240:24)
    at FSReqWrap.oncomplete (fs.js:123:15)
  data: null,
  isBoom: true,
  isServer: false,
  output:
   { statusCode: 404,
     payload: { statusCode: 404, error: 'Not Found' },
     headers: { 'kbn-name': 'kibana', 'kbn-version': '6.2.1' } },
  reformat: [Function],
  message: 'Not Found' }

http.type: ssl_netty4

readonlyrest:
    enable: true
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
    prompt_for_basic_auth: false

    ssl:
      enable: false

    audit_collector: true

    access_control_rules:

    # MACHINES ##################
    - name: "::Kafka::"
      auth_key: kafka:kafka123

    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]

    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error

    - name: Accept all requests from localhost
      hosts: [127.0.0.1]

    # Using "Basic HTTP Auth" from browsers, can RW Kibana settings, RO on logstash indices from 2017 .
    - name: "::RW DEVELOPER::"
      auth_key: rw:dev
      kibana_access: rw
      indices: [".kibana*", ".kibana-devnull", "logstash-*"]


    # GROUPS ####################

    - name: "::PERSONAL_GRP::"
      groups: ["Personal"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_@{user}"

    - name: "::ADMIN_GRP::"
      groups: ["ROR (admin)"]
      kibana_access: admin

    - name: "::Infosec::"
      groups: ["Infosec"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
      kibana_index: ".kibana_infosec"

    # USERS TO GROUPS ############
    users:
    - username: admin
      auth_key: admin:dev
      groups: ["ROR (admin)", "Infosec"]

    - username: simone
      auth_key: simone:dev
      groups: ["ROR (admin)", "Personal", "Infosec"]

sscarduzio · February 19, 2018, 10:57pm

Can’t replicate this. What’s your OS?

Can you try to create that file? In Linux/OSX

 touch plugins/readonlyrest_kbn/css/normalize.min.css.map

rimitchell · February 19, 2018, 11:17pm

The OS for both ES and Kibana servers is: CentOS 7.3

Sorry, I think there might be a understanding.
The issue is this:

When I was looking at the logs, the only reference to a 404 error was that normalize.min.css.map file. Went in and created it but am still getting that error on the kibana login page.

I used the credentials “admin:dev” which as you see in the readonlyrest config should give admin permissions. When I try logging in, ES outputs this:

[2018-02-19T15:08:59,241][INFO ][t.b.r.a.ACL              ] ^{[36mALLOWED by { name: '::ADMIN_GRP::', policy: ALLOW} req={ ID:277241959-1458712188#32016, TYP:GetRequest, CGR:N/A, USR:admin, BRS:false, ACT:indices:data/read/get, OA:10.9.26.106, IDX:, MET:GET, PTH://_nodes/_local, CNT:<N/A>, HDR:Authorization,Connecti
on,content-length,Host, HIS:[::Kafka::->[auth_key->false]], [::LOGSTASH::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->false]], [::PERSONAL_GRP::->[groups->false]], [::ADMIN_GRP::->[kibana_access->true, auth_key->true]], [::RW DEVELOPER::->[auth_key->false]], [Accept all requests from localhost->[hosts->false]]
} ^{[0m