We use Searchguard’s multitenancy on our Kibana.
Whenever users try to generate a report CSV, we keep getting the following error intermittently:
Error: Failed to decrypt report job data. Please ensure that xpack.reporting.encryptionKey is set and re-generate this report. Error: Unsupported state or unable to authenticate data
But after trying a couple of times the report csv works.
After reading this thread: https://discuss.elastic.co/t/couldnt-create-report-for-search/164486/3
we believe this is a bug related to multitenancy
With different kibana.index settings across Kibana instances connected to the same Elasticsearch cluster, you must also configure a different xpack.reporting.index setting per each unique kibana.index
But if searchguard multitenancy creates a unique .kibana_hash_tenantname index, how do we handle this?
- Kibana: 7.2.1
- Elasticsearch nodes: 7.2.1
- Searchguard Kibana Plugin: firstname.lastname@example.org
I would need to look into in more detail, but one thing that I can say for now is that this is not related to having multiple KIbana indices.
Neither Kibana nor the reporting plugin knows about the different indices, it’s transparent to them. Rewriting the .kibana index name happens in the SG plugin for Elasticsearch. So Kibana is accessing ES using the .kibana index name, however, as a very last step this name is rewritten to the .kibana_hash_tenantname index.
Usually, this means that the Kibana apps do not know what the final index name will be.
However, it could be that Kibana has some data cached regarding reporting, and this data is maybe not deleted when changing the tenant.
How can we reproduce the issue you are seeing? I guess you did not configure anything special, but it speeds up debugging on our side if you can post:
- The SG config files
Also, do you see anything in the ES log when you see the “Failed to decrypt” error in Kibana?
Actually my configuration was missing the
xpack.reporting.encryptionKey setting in kibana.yml.
Setting that fixed the issue.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.