Kibana - Authentication Error

Hello,

I am trying to get Kibana with Searchguard going on a single-node cluster in Kubernetes. I am using OSS images for Elastic and Kibana. Trying to use Searchguard for credential management. Any help would be greatly appreciated.

Versions
elastic-oss: 7.4.0
kibana-oss: 7.4.0

Describe the issue:
Elasticsearch seems to be working/initializing as expected (index gets created, etc…), however, Kibana is throwing an ‘Authentication Exception’ which results in an ‘Out of Sync’ error.

Configuration:
Using demo configuration just to get things up and running.

elasticsearch.yml

searchguard.enterprise_modules_enabled: false

Enabling use of demo certificates

searchguard.allow_unsafe_democertificates: true

Configuring Transport Layer TLS

searchguard.allow_default_init_sgindex: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem

Configuring REST Layer TLS

searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem

Additional configuration

name: searchguard.authcz.admin_dn: CN=kirk,OU=client,O=client,L=test, C=de
searchguard.enable_snapshot_restore_privilege: true
searchguard.restapi.roles_enabled: SGS_ALL_ACCESS
cluster.routing.allocation.disk.threshold_enabled: false
name: node.max_local_storage_nodes: 3

kibana.yml

elasticsearch.hosts: https://elasticsearch:9200
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: false

Kibana Logs
{“type”:“error”,"@timestamp":“2020-11-12T16:00:19Z”,“tags”:[“warning”,“process”],“pid”:6,“level”:“error”,“error”:{“message”:“Authentication Exception :: {“path”:”/_searchguard/kibanainfo",“query”:{},“statusCode”:401,“response”:“Unauthorized”,“wwwAuthenticateDirective”:“Basic realm=\“Search Guard\””}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)",“name”:“UnhandledPromiseRejectionWarning”,“stack”:“UnhandledPromiseRejectionWarning: Authentication Exception :: {“path”:”/_searchguard/kibanainfo",“query”:{},“statusCode”:401,“response”:“Unauthorized”,“wwwAuthenticateDirective”:“Basic realm=\“Search Guard\””}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)\n at emitWarning (internal/process/promises.js:81:15)\n at emitPromiseRejectionWarnings (internal/process/promises.js:120:9)\n at process._tickCallback (internal/process/next_tick.js:69:34)"},“message”:“Authentication Exception :: {“path”:”/_searchguard/kibanainfo",“query”:{},“statusCode”:401,“response”:“Unauthorized”,“wwwAuthenticateDirective”:“Basic realm=\“Search Guard\””}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)"}

{“type”:“error”,"@timestamp":“2020-11-12T16:00:19Z”,“tags”:[“warning”,“process”],“pid”:6,“level”:“error”,“error”:{“message”:“Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)”,“name”:“UnhandledPromiseRejectionWarning”,“stack”:“Authentication Exception :: {“path”:”/_searchguard/kibanainfo",“query”:{},“statusCode”:401,“response”:“Unauthorized”,“wwwAuthenticateDirective”:“Basic realm=\“Search Guard\””}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)"},“message”:“Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)”}
{“type”:“log”,"@timestamp":“2020-11-12T16:00:19Z”,“tags”:[“status”,“plugin:elasticsearch@7.4.0”,“error”],“pid”:6,“state”:“red”,“message”:“Status changed from yellow to red - Authentication Exception”,“prevState”:“yellow”,“prevMsg”:“Waiting for Elasticsearch”}

It looks like you want to configure SG and have users in its internal database. But you have no authentication type specified in Kibana. Configure basic authentication https://docs.search-guard.com/latest/kibana-authentication-http-basic Also, I would advise you to play with the demo first https://docs.search-guard.com/latest/demo-installer Then read the main concepts https://docs.search-guard.com/latest/main-concepts and the first steps https://docs.search-guard.com/latest/first-steps-user-configuration