Hello!
We have been running Elasticsearch & Kibana 7.5.1 along with RoR readonlyrest-1.19.4_es7.5.1 for Elasticsearch & readonlyrest_kbn_free-1.19.4_es7.5.1.
We are using Netflix/zuul gateway to proxy:
All was working great in the 7.5.1 environment with the following readonlyrest.yml:
```yaml
readonlyrest:
  access_control_rules:
  - name: "::KIBANA-SRV::"
    auth_key: user:pass
  - name: "::RO::"
    proxy_auth:
      proxy_auth_config: "zuul-proxy"
      users: ["*"]
    headers: ["x-usr-group:kibana-viewers"]
    kibana_access: ro
    indices: [".kibana", "*"]
    kibana_hide_apps: ["readonlyrest_kbn"]
  - name: "::RW::"
    proxy_auth:
      proxy_auth_config: "zuul-proxy"
      users: ["*"]
    headers: ["x-usr-group:kibana-admins"]
    kibana_access: rw
    indices: [".kibana", "*"]
  - name: "::ADMIN::"
    proxy_auth:
      proxy_auth_config: "zuul-proxy"
      users: ["*"]
    headers: ["x-usr-group:kibana-admins"]
    kibana_access: ro
    indices: [".kibana", "*"]
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create/*"]
  - name: "::ADMIN-UPLOAD::"
    proxy_auth:
      proxy_auth_config: "zuul-proxy"
      users: ["*"]
    headers: ["x-usr-group:kibana-admins"]
    kibana_access: ro
    indices: [".kibana", "*"]
    actions: ["cluster:monitor/xpack/ml/findfilestructure/*","cluster:admin/ingest/pipeline/*"]
  - name: "::INGEST::"
    proxy_auth:
      proxy_auth_config: "zuul-proxy"
      users: ["*"]
    headers: ["x-usr-group:data-ingestion"]
    kibana_access: ro
    indices: [".kibana", "*"]
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create/*"]
  proxy_auth_configs:
  - name: "zuul-proxy"
    user_id_header: "x-forwarded-user"
  ssl:
    keystore_file: "path/to/file"
    keystore_pass: "pass"
    key_pass: "pass"
    truststore_file: "trustfile.jks"
```
Our kibana.yml has the following directives set:
```yaml
elasticsearch.requestHeadersWhitelist: [x-usr-group, x-forwarded-user]
xpack.security.enabled: false
elasticsearch.username: "user"
elasticsearch.password: "pass"
readonlyrest_kbn.proxy_auth_passthrough: true
```
All working great, bypassing login form and logging in the user.
Upon upgrading Elasticsearch & Kibana to 7.6.2 along with RoR readonlyrest-1.19.5_es7.6.2 for Elasticsearch & readonlyrest_kbn_free-1.19.5_es7.6.2 we ran into the following issue.
Hitting the login page and seeing a 401 unauthorized message and not being able to actually login.
We were able to get the login to work correctly with the proxy if we added the following directive to kibana.yml:
```yaml
elasticsearch.customHeaders: {x-usr-group: "kibana-admins"}
```
Except for that last directive, the readonlyrest.yml and the kibana.yml are exactly the same.
Thoughts on what is happening and how we fix it?
Do we have to now use the elasticsearch.customHeaders directive?
Hoping to be more flexible if possible.
Sincerely,
Anthony Covert
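
Added example, not part of the original post and not ReadonlyREST or Kibana code: a simplified Python model of the header flow above, showing that a static `x-usr-group` in `elasticsearch.customHeaders` makes every proxied user match the admin-group block. It assumes first-match block evaluation on the `proxy_auth` and `headers` rules only, and Kibana's documented behaviour that custom headers cannot be overwritten by client-side headers; the function names and sample users are constructed.

```python
# Simplified model (assumption): only the identity rules of each ACL block
# (proxy_auth user id header + headers) are evaluated; kibana_access, indices
# and actions are ignored. The first matching block wins.
USER_ID_HEADER = "x-forwarded-user"   # user_id_header from proxy_auth_configs
GROUP_HEADER = "x-usr-group"

# (block name, required group), in the order they appear in readonlyrest.yml
BLOCKS = [
    ("::RO::", "kibana-viewers"),
    ("::RW::", "kibana-admins"),
    ("::ADMIN::", "kibana-admins"),
    ("::ADMIN-UPLOAD::", "kibana-admins"),
    ("::INGEST::", "data-ingestion"),
]

def kibana_outbound_headers(client_headers, whitelist, custom_headers):
    """Headers Kibana sends to Elasticsearch: whitelisted client headers first,
    then customHeaders, which client-side headers cannot overwrite."""
    allowed = {name.lower() for name in whitelist}
    out = {k.lower(): v for k, v in client_headers.items() if k.lower() in allowed}
    out.update({k.lower(): v for k, v in custom_headers.items()})
    return out

def matched_block(headers):
    """Return the name of the first block whose identity rules match, else None."""
    if not headers.get(USER_ID_HEADER):
        return None  # proxy_auth needs the user id header set by the gateway
    for name, group in BLOCKS:
        if headers.get(GROUP_HEADER) == group:
            return name
    return None

def decide(client_headers, custom_headers):
    """Block matched for one request under the kibana.yml whitelist in the post."""
    whitelist = ["x-usr-group", "x-forwarded-user"]
    return matched_block(kibana_outbound_headers(client_headers, whitelist, custom_headers))

# Constructed sample requests, as the gateway would forward them to Kibana.
VIEWER = {"X-Forwarded-User": "alice", "X-Usr-Group": "kibana-viewers"}
ADMIN = {"X-Forwarded-User": "bob", "X-Usr-Group": "kibana-admins"}
STATIC = {"x-usr-group": "kibana-admins"}  # the customHeaders workaround

if __name__ == "__main__":
    for label, req in (("viewer", VIEWER), ("admin", ADMIN)):
        print(label, "| passthrough:", decide(req, {}),
              "| customHeaders:", decide(req, STATIC))
```

With header passthrough the viewer lands in `::RO::`; with the static custom header the same viewer lands in `::RW::`, so the group separation the gateway provides no longer applies.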