X-Pack Monitoring

gtorrance · May 9, 2017, 3:02pm

Do I understand correctly that X-Pack monitoring is currently incompatible with ReadonlyREST?

I found this ticket which seems to indicate it won’t work. Not sure if there any updates on the situation, though.

github.com/sscarduzio/elasticsearch-readonlyrest-plugin

Unable to access Kibana monitoring plugin

opened 06:45PM - 19 Dec 16 UTC

closed 08:22PM - 01 Nov 20 UTC

gitime

Hi, I am using ELK GA 5.0.0 in my Linux. Below is my configuration; **elas…ticsearch.yml** ``` xpack.security.enabled: false xpack.monitoring.enabled: true xpack.graph.enabled: false xpack.watcher.enabled: false readonlyrest: enable: true response_if_req_forbidden: Invalid login access_control_rules: - name: Settings1 auth_key: kibana:kibanapassword type: allow - name: Settings2 auth_key: elastic:elasticpassword type: allow ``` **kibana.yml** ``` xpack.security.enabled: false xpack.monitoring.enabled: true xpack.graph.enabled: false xpack.reporting.enabled: false elasticsearch.username: "kibana" elasticsearch.password: "kibanapassword" ``` But when I try to access the monitoring plugin of Kibana, I am getting an error page in Kibana saying like; > Access Denied > You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the `kibana_user` and `monitoring_user` roles. > If you are attempting to access a dedicated monitoring cluster, this might be because you are logged in as a user that is not configured on the monitoring cluster. Below are the error traces in my elasticsearch and kibana consoles; **elasticsearch log** `[2016-12-15T18:16:29,005][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { action: indices:data/read/search, OA:192.168.0.1, indices:[.monitoring-data-2], M:POST, P:/.monitoring-data-2/_count, C:<OMITTED, LENGTH=0>, Headers:[Host=192.168.0.1:9200, Content-Length=0, Connection=keep-alive] }` **kibana log** ``` request [12:44:38.962] [error][monitoring-ui] Error: Unauthorized at Object.exports.create (/elk/kibana-5.0.0-linux-x86_64/node_modules/boom/lib/index.js:21:17) at Object.exports.unauthorized (/elk/kibana-5.0.0-linux-x86_64/node_modules/boom/lib/index.js:87:23) at /elk/kibana-5.0.0-linux-x86_64/src/core_plugins/elasticsearch/lib/call_with_request.js:48:63 at bound (domain.js:280:14) at runBound (domain.js:293:12) at tryCatcher (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/util.js:11:23) at Promise._settlePromiseFromHandler (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:489:31) at Promise._settlePromise (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:546:18) at Promise._settlePromise0 (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:591:10) at Promise._settlePromises (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:670:18) at Async._drainQueue (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/async.js:125:16) at Async._drainQueues (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/async.js:135:10) at Immediate.Async.drainQueues (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/async.js:16:14) at runCallback (timers.js:637:20) at tryOnImmediate (timers.js:610:5) at processImmediate [as _immediateCallback] (timers.js:582:5) ``` I have tried both credentials in kibana, but of no use. How can I access monitoring plugin (monitoring page in kibana). When i remove readonlyrest settings from elasticsearch.yml, everything works fine when I restart cluster. How can I fix this? Thank you.

sscarduzio · May 9, 2017, 4:03pm

Monitoring should work OK, the only thing to disable is xpack.security.enabled

gtorrance · May 9, 2017, 4:06pm

OK, thank you! Good news.

Does anything need to be added to the “indices” config in addition to “.kibana” and “.kibana-devnull”? I notice there are a number of “.monitoring” indices. Do these need to be available to Kibana?

gtorrance · May 10, 2017, 1:06pm

@sscarduzio FYI, it seems that monitoring is, unfortunately not working. I’m experiencing the exact same problem as gitime in the ticket above. And the associated Kibana ticket (Kibana sometimes sends HTTP requests to Elasticsearch without credentials · Issue #9583 · elastic/kibana · GitHub) still appears to be unresolved. I don’t think there is anything you can do at this point (beyond all of the analysis you already put into the issue). It’s in the Kibana dev’s hands. Just wanted to clarify for anyone reading this post that it’s not working

sscarduzio · May 10, 2017, 2:52pm

Damn. You hit that. It will go away with the ROR Kibana plugin because authorization is based on cookies rather than constant presence of auth headers.

From tomorrow I will work on that full time. It’s high time I get it out of the door.

gtorrance · May 10, 2017, 3:16pm

I’ve been meaning to ask about that. I see the following message in the logs, but wasn’t sure what that’s all about:

[2017-05-10T11:14:21,665][INFO ][o.e.p.r.w.ReadonlyRestPlugin] [CLUSTERWIDE SETTINGS] settings not found, please install ReadonlyREST Kibana plugin. Will keep on using elasticearch.yml.

So I guess that plugin’s a new feature that’s not yet available?

sscarduzio · May 10, 2017, 3:22pm

ROR Kibana plugin is a paid-for extra that will work side by side with the GPLv3 Elasticsearch plugin.
It is intended to smooth out the Kibana experience. I.e.

Login form
Logout button with current logged in user name
Show/Hide Kibana apps to certain users
Security settings editor UI
Refresh security settings w/o rebooting the cluster

And further down the line also access audit dashboard.

gtorrance · May 10, 2017, 3:23pm

Oh, OK, thanks for the info.