Upgrade from 7.5.1 to 7.6.2

1

Hello!

We have been running Elasticsearch & Kibana 7.5.1 along with RoR readonlyrest-1.19.4_es7.5.1 for Elasticsearch & readonlyrest_kbn_free-1.19.4_es7.5.1.

We are using Netflix/zuul gateway to proxy:

All was working great in 7.5.1 environment with the following readonlyrest.yml

readonlyrest:
   access_control_rules:

  - name: "::KIBANA-SRV::"
    auth_key: user:pass

  - name: "::RO::"
    proxy_auth: 
         proxy_auth_config: "zuul-proxy"
         users: ["*"]
   headers: ["x-usr-group:kibana-viewers"]
   kibana_access: ro
   indices: [".kibana", "*"]
   kibana_hide_apps: ["readonlyrest_kbn"]

  - name: "::RW::"
    proxy_auth: 
         proxy_auth_config: "zuul-proxy"
         users: ["*"]
   headers: ["x-usr-group:kibana-admins"]
   kibana_access: rw
   indices: [".kibana", "*"]
   
  - name: "::ADMIN::"
    proxy_auth: 
         proxy_auth_config: "zuul-proxy"
         users: ["*"]
   headers: ["x-usr-group:kibana-admins"]
   kibana_access: ro
   indices: [".kibana", "*"]
   actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create/*"]

  - name: "::ADMIN-UPLOAD::"
    proxy_auth: 
         proxy_auth_config: "zuul-proxy"
         users: ["*"]
   headers: ["x-usr-group:kibana-admins"]
   kibana_access: ro
   indices: [".kibana", "*"]
   actions: ["cluster:monitor/xpack/ml/findfilestructure/*","cluster:admin/ingest/pipeline/*"]

  - name: "::INGEST::"
    proxy_auth: 
         proxy_auth_config: "zuul-proxy"
         users: ["*"]
   headers: ["x-usr-group:data-ingestion"]
   kibana_access: ro
   indices: [".kibana", "*"]
   actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create/*"]

 proxy_auth_configs:

 - name: "zuul-proxy"
   user_id_header: "x-forwarded-user"

 ssl:
     keystore_file: "path/to/file"
     keystore_pass: "pass"
     key_pass: "pass"
     truststore_file: "trustfile.jks"

our kibana.yml has the following directives set:

*elasticsearch.requestHeadersWhitelist: [x-usr-group, x-forwarded-user]*

*xpack.security.enabled: false*

*elasticsearch.username: "user"*
*elasticsearch.password: "pass"*

*readonlyrest_kbn.proxy_auth_passthrough: true*

All working great, bypassing login form and logging in the user.

Upon upgrading Elasticsearch & Kibana to 7.6.2 along with RoR readonlyrest-1.19.5_es7.6.2 for Elasticsearch & readonlyrest_kbn_free-1.19.5_es7.6.2 we ran into the following issue.

Hitting the login page and seeing a 401 unauthorized message and not being able to actually login.

We were able to get the login to work correctly with the proxy if we added the following directive to kibana.yml:

 elasticsearch.customHeaders:{x-usr-group:"kibana-admins"}

except for that last directive the readonlyrest.yml and the kibana.yml are exactly the same.

Thoughts on what is happening and how we fix?

Do we have to now use the elasticsearch.customHeaders directive?

Hoping to be more flexible if possible.

Sincerely,
Anthony Covert

2

Hi @strummer75, can you confirm you can reproduce this with 1.20.0?

3

I will try 1.20.0 and let you know.

4

@sscarduzio I can confirm that 1.20.0 has the same issue.

Are there any yaml changes I need to make from 1.19.4 to 1.19.5/1.20.0?

5

Hello!

@sscarduzio, any good news on this yet?

6

OK I understood what this is about. Took me a while to understand the issue: when a request with no valid cookie arrives to ROR KBN, and we call ROR ES with x-forwarded-user header, we should go through the original request headers and discover any headers starting with “x-” and add them to the login request.

@jan can you confirm and create the fix?

7

Hi,
sorry for the belated response.
Yes, of course, I’m on it. I’ll prepare the fix and let you know once it’s ready.

1 Like
8

Updating the thread: this is fixed, will be out in the next release.