Cannot log in to Kibana after installing SearchGuard

Hi,

I recently installed ElasticSearch + Kibana 7.17.2

After testing basic ES installation, I proceeded with SearchGuard 53.1.0 (ES) and 53.0.0 (Kibana) plugins.

When trying to log in to Kibana, it validates the user correctly (no error because of wrong user or pass), but instead of getting into Kibana, it reloads the login page.

Checking logs, this is registered every time I try to login:

Error: Internal Server Error
at HapiResponseAdapter.toError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:128:19)
at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:82:19)
at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:73:17)
at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at handler (/usr/share/kibana/src/core/server/http/router/router.js:124:50)
at exports.Manager.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
at Object.internals.handler (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
at exports.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
at Request._lifecycle (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)
at Request._execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:281:9)

Here are some of the config files. sg_config was deployed with default settings.

elasticsearch.yml

cluster.name: es-cluster
node.name: es-node
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
discovery.type: single-node
network.host: [  _site_ , _local_ , _global_ ]
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
searchguard.ssl.transport.pemcert_filepath: ssl/es-node.pem
searchguard.ssl.transport.pemkey_filepath: ssl/es-node.key
searchguard.ssl.transport.pemkey_password: **********
searchguard.ssl.transport.pemtrustedcas_filepath: ssl/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: ssl/es-node_http.pem
searchguard.ssl.http.pemkey_filepath: ssl/es-node_http.key
searchguard.ssl.http.pemkey_password: **********
searchguard.ssl.http.pemtrustedcas_filepath: ssl/root-ca.pem
searchguard.nodes_dn:
- CN=es-node,OU=IT,O=domain,DC=domain,DC=local
searchguard.authcz.admin_dn:
- CN=admin,OU=IT,O=domain,DC=domain,DC=local
searchguard.restapi.roles_enabled: ["sg_all_access"]
http.compression: true
xpack.security.enabled: false
searchguard.enterprise_modules_enabled: false

sg_config.yml

---
_sg_meta:
  type: "config"
  config_version: 2

sg_config:
  dynamic:
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: false
          internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
      auth_token_provider: # NOT FREE FOR COMMERCIAL USE
        enabled: false
        jwt_signing_key_hs512: "********"
        max_validity: "1y"
        max_tokens_per_user: 100
      authc:
        kerberos_auth_domain:
          http_enabled: false
          transport_enabled: false
          order: 6
          http_authenticator:
            type: kerberos # NOT FREE FOR COMMERCIAL USE
            challenge: true
            config:
              krb_debug: false
              strip_realm_from_principal: true
          authentication_backend:
            type: noop
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 4
          http_authenticator:
            type: basic
            challenge: true
          authentication_backend:
            type: intern
        proxy_auth_domain:
          description: "Authenticate via proxy"
          http_enabled: false
          transport_enabled: false
          order: 3
          http_authenticator:
            type: proxy
            challenge: false
            config:
              user_header: "x-proxy-user"
              roles_header: "x-proxy-roles"
          authentication_backend:
            type: noop
        jwt_auth_domain:
          description: "Authenticate via Json Web Token"
          http_enabled: false
          transport_enabled: false
          order: 0
          http_authenticator:
            type: jwt
            challenge: false
            config:
              signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
              jwt_header: "Authorization"
              jwt_url_parameter: null
              roles_key: null
              subject_key: null
          authentication_backend:
            type: noop
        sg_issued_jwt_auth_domain:
          description: "Authenticate via Json Web Tokens issued by Search Guard"
          http_enabled: false
          order: 1
          http_authenticator:
            type: sg_auth_token
            challenge: false
          authentication_backend:
            type: sg_auth_token
        clientcert_auth_domain:
          description: "Authenticate via SSL client certificates"
          http_enabled: false
          transport_enabled: false
          order: 2
          http_authenticator:
            type: clientcert
            config:
              username_attribute: cn #optional, if omitted DN becomes username
            challenge: false
          authentication_backend:
            type: noop
        ldap:
          description: "Authenticate via LDAP or Active Directory"
          http_enabled: false
          transport_enabled: false
          order: 5
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: ldap # NOT FREE FOR COMMERCIAL USE
            config:
              enable_ssl: false
              enable_start_tls: false
              enable_ssl_client_auth: false
              verify_hostnames: true
              hosts:
                - localhost:8389
              bind_dn: null
              password: null
              userbase: 'ou=people,dc=example,dc=com'
              usersearch: '(sAMAccountName={0})'
              username_attribute: null
      authz:
        roles_from_myldap:
          description: "Authorize via LDAP or Active Directory"
          http_enabled: false
          transport_enabled: false
          authorization_backend:
            type: ldap # NOT FREE FOR COMMERCIAL USE
            config:
              enable_ssl: false
              enable_start_tls: false
              enable_ssl_client_auth: false
              verify_hostnames: true
              hosts:
                - localhost:8389
              bind_dn: null
              password: null
              rolebase: 'ou=groups,dc=example,dc=com'
              rolesearch: '(member={0})'
              userroleattribute: null
              userrolename: disabled
              rolename: cn
              resolve_nested_roles: true
              userbase: 'ou=people,dc=example,dc=com'
              usersearch: '(uid={0})'
        roles_from_another_ldap:
          description: "Authorize via another Active Directory"
          http_enabled: false
          transport_enabled: false
          authorization_backend:
            type: ldap # NOT FREE FOR COMMERCIAL USE

kibana.yml

server.port: 5601
server.host: "0.0.0.0"
server.publicBaseUrl: "https://es.domain.com"
elasticsearch.hosts: ["https://es-node.domain.local:9200"]
xpack.security.encryptionKey: "******"
xpack.reporting.encryptionKey: "******"
xpack.encryptedSavedObjects.encryptionKey: "******"
xpack.reporting.capture.browser.chromium.disableSandbox: false
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.certificateAuthorities: /etc/kibana/ssl/root-ca.pem
elasticsearch.ssl.verificationMode: full
xpack.security.enabled: false
searchguard.cookie.secure: true
xpack.reporting.roles.enabled: false
searchguard.cookie.password: "******"

For sure I’m missing some configuration at sg_config but don’t know what.

Additional info: I can log in directly using curl/browser to the ES service at 9200 using any user.
curl -uadmin https://localhost:9200 -k
Enter host password for user 'admin':
{
"name" : "es-node",
"cluster_name" : "es-cluster",
"cluster_uuid" : "***************",

Thanks!

/Marcos

@marcos.pastor Could you try commenting out all xpack configurations. Leave just the following.

xpack.security.encryptionKey: "******"
xpack.reporting.encryptionKey: "******"
xpack.encryptedSavedObjects.encryptionKey: "******"

Also, try setting elasticsearch.ssl.verificationMode: to none instead of full

Hi Pablo,

I have commented out all xpack lines apart from the encryption keys. Also set verification mode to none.

Kibana complains that xpack security needs to be disabled:

[error][plugins][searchguard][searchguard] X-Pack Security needs to be disabled for Search Guard to work properly. Please set "xpack.security.enabled" to false in your kibana.yml

Added xpack.security.enabled: false

Still getting the same error when loading the Kibana login page and trying any user:

 log   [23:20:47.733] [error][plugins][searchguard][signals-searchguard-routes] hasPermissions: AuthenticationError: Authentication finally failed
    at SearchGuardBackend.hasPermissions (/usr/share/kibana/plugins/searchguard/server/applications/searchguard/backend/searchguard.js:285:15)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at /usr/share/kibana/plugins/searchguard/server/applications/signals/routes/searchguard/has_permissions.js:23:36
    at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:163:30)
    at handler (/usr/share/kibana/src/core/server/http/router/router.js:124:50)
    at exports.Manager.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)
    at Request._execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:281:9)
 error  [23:20:47.723]  Error: Internal Server Error
    at HapiResponseAdapter.toError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:128:19)
    at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:82:19)
    at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:73:17)
    at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at handler (/usr/share/kibana/src/core/server/http/router/router.js:124:50)
    at exports.Manager.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:371:32)
    at Request._execute (/usr/share/kibana/node_modules/@hapi/hapi/lib/request.js:281:9)

All sg_x.yaml files have been deployed with default settings. I see sg_roles.yml has nothing enabled, just these lines:

_sg_meta:
  type: "roles"
  config_version: 2

Could that be related?

Thanks

/Marcos

Hi again,

Found issue.

My apologies, when providing the actual config and masking sensitive info, I changed server.publicBaseUrl to https while I’m currently using http.

The problem was related to secure cookies being enabled. As I’m not using HTTPS, it was failing. When I changed

searchguard.cookie.secure: false

it starts working as expected.

Thanks!

/Marcos

However, the error still happens when the login page is loaded. Don’t know if it is affecting any internal process.

/Marcos
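
Added example (not part of the thread and not Search Guard or Kibana code): a small check over kibana.yml for the mismatch that caused the login loop here, a Secure session cookie on a Kibana reached over plain http, together with the other settings changed during the thread. The parser, function names and finding labels are assumptions made for this illustration, and the sample config is constructed from the values posted above.

```python
from urllib.parse import urlparse

# Constructed sample: settings from the thread's kibana.yml, with
# server.publicBaseUrl set to http, which the poster says was the real value.
SAMPLE = """\
server.publicBaseUrl: "http://es.domain.com"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: full
searchguard.cookie.secure: true
"""

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines used in kibana.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def browser_scheme(cfg):
    """Scheme the browser sees: publicBaseUrl if set, else server.ssl.enabled."""
    base = cfg.get("server.publicBaseUrl")
    if base:
        return urlparse(base).scheme.lower()
    return "https" if cfg.get("server.ssl.enabled", "").lower() == "true" else "http"

def audit(cfg):
    """Return finding labels (hypothetical names) for risky or broken settings."""
    findings = []
    secure = cfg.get("searchguard.cookie.secure", "").lower()
    if secure == "true" and browser_scheme(cfg) == "http":
        # Browsers do not keep a Secure cookie on an http origin: login reloads.
        findings.append("LOGIN_LOOP: Secure cookie requested but Kibana is on http")
    if secure == "false":
        findings.append("COOKIE_CLEARTEXT: session cookie can travel over plain http")
    if cfg.get("elasticsearch.ssl.verificationMode", "") == "none":
        findings.append("NO_CERT_CHECK: Elasticsearch certificate is not verified")
    user, password = cfg.get("elasticsearch.username"), cfg.get("elasticsearch.password")
    if user and user == password:
        findings.append("WEAK_SERVICE_PASSWORD: password equals username")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_flat_yaml(SAMPLE)):
        print(finding)
```

Serving Kibana over TLS and keeping searchguard.cookie.secure: true clears both cookie findings; setting the flag to false only trades the login loop for a session cookie sent in cleartext.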
