Clone- Error loading data” error observed in kibana when keycloak token expires

shubha02 · January 11, 2021, 3:20pm

Hi, since the original thread - "Error loading data" error observed in kibana when keycloak token expires has been auto closed , created this new query.

We are using keycloak openid authentication in kibana.
When Kibana session remains idle for sometime (10mins) and keycloak token expires (token life span is 5 mins) in between that, after that if the user try to do filter on discover page based on a particular time period then the error pop up “Error loading data”.But manually refreshing the page can recover the access, and load the logs"

Blockquote
TypeError: Failed to fetch
at Fetch._callee3$ (https://ip/baseurl/port/bundles/commons.bundle.js:9:1989293)
at l (https://ip/baseurl/port/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:969217)
at Generator._invoke (https://ip/baseurl/port/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:968970)
at Generator.forEach.e. [as throw] (https://ip/baseurl/port/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:288:969574)
at asyncGeneratorStep (https://ip/baseurl/port/bundles/commons.bundle.js:9:1983787)
at _throw (https://ip/baseurl/port/bundles/commons.bundle.js:9:1984184)

When checked Elasticsearch client logs it says : “log”:“No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”}

The expectation is it should be redirected to the login page when the keycloak token gets expires.
Searchguard version used is : 7.8.0-43.0.0.
below error seen in elasticsearch client

{“type”:“log”,“host”:“elasticsearch-client-68cd995bbd-crf8h”,“level”:“WARN”,“systemid”:“2106a117733f42d697284fbc54927928”,“system”:“XXXX”,“time”: “2020-09-24T12:00:55.992Z”,“logger”:“c.f.s.h.HTTPBasicAuthenticator”,“timezone”:“UTC”,“marker”:"[elasticsearch-client-68cd995bbd-crf8h] ",“log”:“No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”}

srgbnd · January 12, 2021, 9:16am

Hi @shubha02. Thank you for reopening this.
To help us reproduce the issue send the following configurations:

kibana.yml
elasticsearch.yml
sg_config.yml

shubha02 · January 12, 2021, 11:27am

HI @srgbnd

Kibana yaml:

---
# Donot change sever name and host. This is default configuration.
server.name: kibana
server.customResponseHeaders: { "X-Frame-Options": "DENY" }
server.ssl.supportedProtocols: ["TLSv1.2"]
searchguard.cookie.secure: true
# uncomment below section for keycloak authentication and provide required correct parameters
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://XX.XX.XXXX:XXXXX/auth/realms/master/.well-known/openid-configuration"
searchguard.openid.client_id: XXXXXXXX
searchguard.openid.client_secret: "XXXXX"
searchguard.openid.header: "Authorization"
### for kibana service on ingress port is not required
searchguard.openid.base_redirect_url: "https://XX.XX.XXXX"
### Do not change root_ca file path as this is the default mount path.
searchguard.openid.root_ca: "/XXXX/keycloak-root-ca.pem"
searchguard.openid.verify_hostnames: false

elasticsearch yaml:


cluster:
  name: ${CLUSTER_NAME}
  initial_master_nodes: ${CLUSTER_INITIAL_MASTER_NODES}

node:
  master: ${NODE_MASTER}
  data: ${NODE_DATA}
  name: ${NODE_NAME}
  ingest: ${NODE_INGEST}
  max_local_storage_nodes: ${MAX_LOCAL_STORAGE_NODES}

network.host: ${NETWORK_HOST}

path:
  data: /data/data
  logs: /data/log
  repo: ${PATH_REPO}

#bootstrap.memory_lock: true

http:
  compression: true
  cors:
    enabled: ${HTTP_CORS_ENABLE}
    allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}

discovery:
  seed_hosts: ${DISCOVERY_SERVICE}

searchguard:
    ssl.transport:
        enabled: true
        enable_openssl_if_available: false
        keystore_type: ${KEYSTORE_TYPE}
        keystore_filepath: ${KEYSTORE_FILEPATH}
        keystore_password: ${KS_PWD}
        truststore_type: ${TRUSTSTORE_TYPE}
        truststore_filepath: ${TRUSTSTORE_FILEPATH}
        truststore_password: ${TS_PWD}
        enforce_hostname_verification: false
    ssl.http:
        enabled: ${HTTP_SSL}
        clientauth_mode: OPTIONAL
        enable_openssl_if_available: true
        keystore_type: ${KEYSTORE_TYPE}
        keystore_filepath: ${KEYSTORE_FILEPATH}
        keystore_password: ${KS_PWD}
        truststore_type: ${TRUSTSTORE_TYPE}
        truststore_filepath: ${TRUSTSTORE_FILEPATH}
        truststore_password: ${TS_PWD}
    authcz.admin_dn:
      - "${AUTH_ADMIN_DN}"
    enterprise_modules_enabled: false
    nodes_dn:
      - "${NODES_DN}"

searchguard yaml:

_sg_meta:
  type: "config"
  config_version: 2
sg_config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '.+'
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false   # Set this to false when keycloak authentication is enabled
        authentication_backend:
          type: "intern"
      keycloak_auth_domain:
        http_enabled: true  # Set to true to enable keycloak authentication
        transport_enabled: true
        order: 1
        http_authenticator:
          type: keycloak
          challenge: false
          config:
            username_key: preferred_username
            roles_key: roles
            keycloak_connect_url: https://XXXXXX/auth/realms/master/.well-known/openid-configuration
            client_id: XXXX
            client_secret: XXXX
            ssl_validate: false
        authentication_backend:
            type: noop
      proxy_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: "proxy"
          challenge: false
          config:
            user_header: "x-proxy-user"
            #roles_header: "x-proxy-roles"
        authentication_backend:
          type: "noop"
      clientcert_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          challenge: false
          type: "clientcert"
          config:
            username_attribute: "cn"
        authentication_backend:
          type: "noop"

please let us know in case any other information is required.

srgbnd · January 18, 2021, 6:55pm

I can reproduce the issue. It was added to the bug queue. I’ll let you know when it is resolved.