Access to kibana /api/settings and /api/stats

ELK version 7.16.2
SG version 56.5

We are using the Kibana module in Metricbeat for stack monitoring.

Kibana is set up for an OpenID authentication with a further 2FA integration with the OpenID. Metricbeat tries to connect on the following three URIs to collect statistics.
/api/status
/api/stats
/api/settings

/api/status works. The other two get a redirect to the IDP and Metricbeat fails. Is there any way to whitelist /api/stats and /api/settings so that they are accessible without authentication in the same way that /api/status is?

The three API endpoints are called by default by Metricbeat and are not configurable. All three are needed in order for Kibana Monitoring to properly function.

The documentation for internal monitoring provided at the below link has been deprecated by Elastic.

Here are the logs. Looking at the data available in each of the 3 endpoints, there isn’t anything sensitive available in /api/stats or /api/settings that is not also already available in /api/status.

Can /api/stats and /api/settings be whitelisted to allow unauthenticated access just like /api/status currently is?

    {"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":["api"],"pid":22305,"method":"get","statusCode":200,"req":{"url":"/api/status","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)"},"res":{"statusCode":200,"responseTime":4,"contentLength":24241},"message":"GET /api/status 200 4ms - 23.7KB"}
    {"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":["api"],"pid":22305,"method":"get","statusCode":302,"req":{"url":"/api/stats?extended=true&legacy=true&exclude_usage=true","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)"},"res":{"statusCode":302,"responseTime":2},"message":"GET /api/stats?extended=true&legacy=true&exclude_usage=true 302 2ms"}
    {"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":[],"pid":22305,"method":"get","statusCode":200,"req":{"url":"/auth/openid/encode?extended=true&legacy=true&exclude_usage=true&nextUrl=%2Fapi%2Fstats%3Fextended%3Dtrue%26legacy%3Dtrue%26exclude_usage%3Dtrue","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/stats?extended=true&legacy=true&exclude_usage=true","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/stats?extended=true&legacy=true&exclude_usage=true"},"res":{"statusCode":200,"responseTime":2,"contentLength":170},"message":"GET /auth/openid/encode?extended=true&legacy=true&exclude_usage=true&nextUrl=%2Fapi%2Fstats%3Fextended%3Dtrue%26legacy%3Dtrue%26exclude_usage%3Dtrue 200 2ms - 170.0B"}
    {"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":[],"pid":22305,"method":"get","statusCode":302,"req":{"url":"/api/settings?extended=true&legacy=true","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)"},"res":{"statusCode":302,"responseTime":1},"message":"GET /api/settings?extended=true&legacy=true 302 1ms"}
    {"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":[],"pid":22305,"method":"get","statusCode":200,"req":{"url":"/auth/openid/encode?extended=true&legacy=true&nextUrl=%2Fapi%2Fsettings%3Fextended%3Dtrue%26legacy%3Dtrue","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/settings?extended=true&legacy=true","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/settings?extended=true&legacy=true"},"res":{"statusCode":200,"responseTime":3,"contentLength":170},"message":"GET /auth/openid/encode?extended=true&legacy=true&nextUrl=%2Fapi%2Fsettings%3Fextended%3Dtrue%26legacy%3Dtrue 200 3ms - 170.0B"}

Hi Brian!

The Kibana plugin indeed supports a way to whitelist endpoints from authentication. You can add this to kibana.yml:

    searchguard.auth.unauthenticated_routes:
      - /api/stats

However: This only works for endpoints which do not need to make authenticated calls to the Elasticsearch backend. At least for the settings API, it seems that an authenticated call to Elasticsearch is necessary.

If it is really absolutely necessary to have these endpoints without any authentication, you could have a look at anonymous auth for the Elasticsearch backend and thus give Kibana unauthenticated access to the necessary actions:

https://docs.search-guard.com/latest/anonymous%20authentication#anonymous-authentication

It is critical as it is required for X-Pack monitoring. Your workaround has worked, thank you.

We have basic auth and oidc auth modules enabled in SearchGuard. When configuring the below:

    searchguard.auth.unauthenticated_routes:
      - /api/stats
      - /api/settings
      - /api/status

Kibana will revert to basic authentication on those URIs. Metricbeat can then be configured with a valid SearchGuard user to log into the URIs using basic auth while bypassing the OpenID redirect.

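As an added check that is not part of this thread or of Search Guard's code: the script below parses Kibana response-log lines in the format shown above, reports which of the three Metricbeat-polled endpoints are still being 302-redirected to the IdP, cross-checks that against the `nextUrl` carried on `/auth/openid/encode`, and lists which of them are missing from `searchguard.auth.unauthenticated_routes`. The sample log records are constructed and trimmed, not the original post's data.

```python
import json
from urllib.parse import urlsplit, parse_qs
# The three endpoints Metricbeat's kibana module polls (from the thread).
MONITORING_PATHS = {"/api/status", "/api/stats", "/api/settings"}

# Constructed sample records in the shape of Kibana's response log above
# (fields trimmed); not the original post's data.
SAMPLE_LOG = r'''
{"type":"response","req":{"url":"/api/status","headers":{"user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64)"}},"res":{"statusCode":200}}
{"type":"response","req":{"url":"/api/stats?extended=true&legacy=true&exclude_usage=true","headers":{"user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64)"}},"res":{"statusCode":302}}
{"type":"response","req":{"url":"/auth/openid/encode?nextUrl=%2Fapi%2Fstats%3Fextended%3Dtrue","headers":{"user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64)"}},"res":{"statusCode":200}}
{"type":"response","req":{"url":"/api/settings?extended=true&legacy=true","headers":{"user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64)"}},"res":{"statusCode":302}}
{"type":"response","req":{"url":"/auth/openid/encode?nextUrl=%2Fapi%2Fsettings%3Fextended%3Dtrue","headers":{"user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64)"}},"res":{"statusCode":200}}
{"type":"response","req":{"url":"/app/home","headers":{"user-agent":"Mozilla/5.0"}},"res":{"statusCode":302}}
'''

def response_records(text):
    """Yield parsed 'response' records; blank or non-JSON lines are skipped."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("type") == "response":
            yield rec

def redirected_monitoring_paths(text):
    """Monitoring endpoints that answered a Metricbeat request with a 302 (bounced to the IdP)."""
    hits = set()
    for rec in response_records(text):
        ua = rec.get("req", {}).get("headers", {}).get("user-agent", "")
        path = urlsplit(rec.get("req", {}).get("url", "")).path
        if (ua.startswith("Elastic-Metricbeat/") and path in MONITORING_PATHS
                and rec.get("res", {}).get("statusCode") == 302):
            hits.add(path)
    return sorted(hits)

def idp_bounce_targets(text):
    """Cross-check: the nextUrl on /auth/openid/encode names the bounced route (parse_qs decodes it)."""
    targets = set()
    for rec in response_records(text):
        parts = urlsplit(rec.get("req", {}).get("url", ""))
        if parts.path == "/auth/openid/encode":
            for nxt in parse_qs(parts.query).get("nextUrl", []):
                targets.add(urlsplit(nxt).path)
    return sorted(targets)

def missing_unauthenticated_routes(text, configured):
    """Redirecting monitoring routes not yet listed under searchguard.auth.unauthenticated_routes."""
    return [p for p in redirected_monitoring_paths(text) if p not in set(configured)]
```

Run it against the real Kibana log (e.g. `missing_unauthenticated_routes(open("kibana.log").read(), routes_from_kibana_yml)`) before and after changing kibana.yml; an empty list confirms the three endpoints are no longer bounced to the IdP.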
