Search Guard is installed, everything is great, except:
I have a VRRP health check for Kibana which is using curl to hit https://kibana/api/status to check for ‘green’, in case we need to fail over to another Kibana node.
The problem is, since installing Search Guard and the Kibana plugin I’m hitting /searchguard/login?nextUrl=%2Fapi%2Fstatus instead.
I’ve passed basic auth credentials with the check but that doesn’t work. Any way I can get around this? Or is it possible to expose the status API without using auth?
Thanks!
So you created an internal user who is allowed to check health, and using curl -uuser:pass ?
Yes, I’m currently testing with a user that has sg_all_access role. Previously curl would fetch the JSON result from /api/status/, but it’s now getting stuck on the login page.
My question is how to pass the credentials correctly, or how to bypass the Search Guard Kibana login page for this URL.
$ curl -vk -usomeuser:somepass https://localhost/api/status
- Trying 127.0.0.1…
- Connected to localhost (127.0.0.1) port 443 (#0)
[…]
GET /api/status HTTP/1.1
Host: localhost
Authorization: Basic Y2t0ZXN0OnBsb2tq
User-Agent: curl/7.47.0
Accept: /
< HTTP/1.1 302 Found
< location: /searchguard/login?nextUrl=%2Fapi%2Fstatus
< kbn-name: kibana
< kbn-version: 5.4.2
< cache-control: no-cache
< content-length: 0
< Date: Wed, 28 Jun 2017 01:44:18 GMT
< Connection: keep-alive
When I say “previously” I mean “prior to installing the Search Guard Kibana plugin”
At the moment, you can’t. We always require an authenticated user to access Kibana. We’ll look into your issue, it’s been tracked here:
https://github.com/floragunncom/search-guard-kibana-plugin/issues/31
···
On Wednesday, June 28, 2017 at 3:51:15 AM UTC+2, CK wrote:
When I say “previously” I mean “prior to installing the Search Guard Kibana plugin”
OK, good to know you’re on it - thanks.
In the mean time I’ve adjusted my VRRP script to just check HTTP status, and hope that Kibana is OK 
···
On Friday, 30 June 2017 07:54:02 UTC+12, Jochen Kressin wrote:
At the moment, you can’t. We always require an authenticated user to access Kibana. We’ll look into your issue, it’s been tracked here:
https://github.com/floragunncom/search-guard-kibana-plugin/issues/31
On Wednesday, June 28, 2017 at 3:51:15 AM UTC+2, CK wrote:
When I say “previously” I mean “prior to installing the Search Guard Kibana plugin”
@CK which version of ES/KI are you using, so we can prepare a snapshot for you to test?
···
On Thursday, June 29, 2017 at 11:48:12 PM UTC+2, CK wrote:
OK, good to know you’re on it - thanks.
In the mean time I’ve adjusted my VRRP script to just check HTTP status, and hope that Kibana is OK
On Friday, 30 June 2017 07:54:02 UTC+12, Jochen Kressin wrote:
At the moment, you can’t. We always require an authenticated user to access Kibana. We’ll look into your issue, it’s been tracked here:
https://github.com/floragunncom/search-guard-kibana-plugin/issues/31
On Wednesday, June 28, 2017 at 3:51:15 AM UTC+2, CK wrote:
When I say “previously” I mean “prior to installing the Search Guard Kibana plugin”
Can you please try this snapshot for 5.4.3:
https://cdn.filestackcontent.com/I9YZTMFrTu663RBxQyj1
Since we needed to change some URLs, please follow these steps when installing the snapshot to avoid caching problems:
-
Uninstall the old version of the plugin
-
Start Kibana once without the SG plugin. This will clear the chaches
-
Install the snapshot, and start again
See also the last comments in this thread about the caching: https://github.com/floragunncom/search-guard/issues/345
Please let us know if the snapshot works for you, so we can work towards the next official release.
···
On Wednesday, July 5, 2017 at 1:52:59 AM UTC+2, CK wrote:
Hi Jochen,
ES/Kibana 5.4.3
Thanks very much.
On Wednesday, 5 July 2017 06:54:21 UTC+12, Jochen Kressin wrote:
@CK which version of ES/KI are you using, so we can prepare a snapshot for you to test?
On Thursday, June 29, 2017 at 11:48:12 PM UTC+2, CK wrote:
OK, good to know you’re on it - thanks.
In the mean time I’ve adjusted my VRRP script to just check HTTP status, and hope that Kibana is OK
On Friday, 30 June 2017 07:54:02 UTC+12, Jochen Kressin wrote:
At the moment, you can’t. We always require an authenticated user to access Kibana. We’ll look into your issue, it’s been tracked here:
https://github.com/floragunncom/search-guard-kibana-plugin/issues/31
On Wednesday, June 28, 2017 at 3:51:15 AM UTC+2, CK wrote:
When I say “previously” I mean “prior to installing the Search Guard Kibana plugin”
Hi Jochen,
This snapshot works great! Thank you!
···
On Friday, 7 July 2017 03:34:19 UTC+12, Jochen Kressin wrote:
Can you please try this snapshot for 5.4.3:
https://cdn.filestackcontent.com/I9YZTMFrTu663RBxQyj1
Since we needed to change some URLs, please follow these steps when installing the snapshot to avoid caching problems:
- Uninstall the old version of the plugin
- Start Kibana once without the SG plugin. This will clear the chaches
- Install the snapshot, and start again
See also the last comments in this thread about the caching: https://github.com/floragunncom/search-guard/issues/345
Please let us know if the snapshot works for you, so we can work towards the next official release.
On Wednesday, July 5, 2017 at 1:52:59 AM UTC+2, CK wrote:
Hi Jochen,
ES/Kibana 5.4.3
Thanks very much.
On Wednesday, 5 July 2017 06:54:21 UTC+12, Jochen Kressin wrote:
@CK which version of ES/KI are you using, so we can prepare a snapshot for you to test?
On Thursday, June 29, 2017 at 11:48:12 PM UTC+2, CK wrote:
OK, good to know you’re on it - thanks.
In the mean time I’ve adjusted my VRRP script to just check HTTP status, and hope that Kibana is OK
On Friday, 30 June 2017 07:54:02 UTC+12, Jochen Kressin wrote:
At the moment, you can’t. We always require an authenticated user to access Kibana. We’ll look into your issue, it’s been tracked here:
https://github.com/floragunncom/search-guard-kibana-plugin/issues/31
On Wednesday, June 28, 2017 at 3:51:15 AM UTC+2, CK wrote:
When I say “previously” I mean “prior to installing the Search Guard Kibana plugin”