Permissions for metricbeat to load dashboards into Kibana

Search Guard
1

  • Elasticsearch: 6.1.0

  • SearchGuard: 6.1.0-20

  • No enterprise modules enabled

I have ELK stack deployed on Docker with SearchGuard enabled, and the searchguard-kibana-plugin installed. I am using the docker-elk repo with SearchGuard enabled. ElasticSearch has the Searchguard demo roles and users enabled.

I am trying to ship Metricbeat logs to my ELK. I have the following configuration in my metricbeat.yml:

output.elasticsearch:

hosts: [“localhost:9200”]

username: “admin”

password: “admin”

setup.kibana:

host: “localhost:5601”

username: “admin”

password: “admin”

So I am basically using the demo ‘admin’ user (which I think has access to all indices. I also tried with the demo ‘kibanaserver’ user).

The issue is that whenever I run the metricbeat setup step, I get access denied from Kibana. The logs in Metricbeat look like this:

$ ./metricbeat setup

Loaded index template

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana: Failed to import index-pattern: Failed to load directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern:

error loading /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern/metricbeat.json: 403 Forbidden. Response: {“statusCode”:403,“error”:“Forbidden”,“message”:“Error: Unauthorized”}

The logs in Kibana look like this:

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:200,“req”:{“url”:“/api/status”,“method”:“get”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“accept”:“application/json”,“content-type”:“application/json”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:200,“responseTime”:39,“contentLength”:9},“message”:“GET /api/status 200 39ms - 9.0B”}

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“post”,“statusCode”:403,“req”:{“url”:“/api/kibana/dashboards/import?force=true”,“method”:“post”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“content-length”:“250474”,“accept”:“application/json”,“content-type”:“application/json”,“kbn-version”:“6.1.0”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:403,“responseTime”:13,“contentLength”:9},“message”:“POST /api/kibana/dashboards/import?force=true 403 13ms - 9.0B”}

When I use Kibana without SG, the dashboards I imported without any error. I am assuming this has to do with the permissions on SearchGuard. Can someone please guide me in the right direction?

2

I think this is a bug in the Kibana plugin. Can you please open an issue here: Issues · floragunncom/search-guard-kibana-plugin · GitHub?

···

On Friday, January 19, 2018 at 12:02:35 AM UTC+1, Imran Arshad wrote:

  • Elasticsearch: 6.1.0
  • SearchGuard: 6.1.0-20
  • No enterprise modules enabled

I have ELK stack deployed on Docker with SearchGuard enabled, and the searchguard-kibana-plugin installed. I am using the docker-elk repo with SearchGuard enabled. ElasticSearch has the Searchguard demo roles and users enabled.

I am trying to ship Metricbeat logs to my ELK. I have the following configuration in my metricbeat.yml:

output.elasticsearch:

hosts: [“localhost:9200”]

username: “admin”

password: “admin”

setup.kibana:

host: “localhost:5601”

username: “admin”

password: “admin”

So I am basically using the demo ‘admin’ user (which I think has access to all indices. I also tried with the demo ‘kibanaserver’ user).

The issue is that whenever I run the metricbeat setup step, I get access denied from Kibana. The logs in Metricbeat look like this:

$ ./metricbeat setup

Loaded index template

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana: Failed to import index-pattern: Failed to load directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern:

error loading /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern/metricbeat.json: 403 Forbidden. Response: {“statusCode”:403,“error”:“Forbidden”,“message”:“Error: Unauthorized”}

The logs in Kibana look like this:

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:200,“req”:{“url”:“/api/status”,“method”:“get”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“accept”:“application/json”,“content-type”:“application/json”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:200,“responseTime”:39,“contentLength”:9},“message”:“GET /api/status 200 39ms - 9.0B”}

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“post”,“statusCode”:403,“req”:{“url”:“/api/kibana/dashboards/import?force=true”,“method”:“post”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“content-length”:“250474”,“accept”:“application/json”,“content-type”:“application/json”,“kbn-version”:“6.1.0”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:403,“responseTime”:13,“contentLength”:9},“message”:“POST /api/kibana/dashboards/import?force=true 403 13ms - 9.0B”}

When I use Kibana without SG, the dashboards I imported without any error. I am assuming this has to do with the permissions on SearchGuard. Can someone please guide me in the right direction?

3

Thanks Jochen. I have raised an issue on Github.

···

On Friday, 19 January 2018 05:26:00 UTC-6, Jochen Kressin wrote:

I think this is a bug in the Kibana plugin. Can you please open an issue here: https://github.com/floragunncom/search-guard-kibana-plugin/issues?

On Friday, January 19, 2018 at 12:02:35 AM UTC+1, Imran Arshad wrote:

  • Elasticsearch: 6.1.0
  • SearchGuard: 6.1.0-20
  • No enterprise modules enabled

I have ELK stack deployed on Docker with SearchGuard enabled, and the searchguard-kibana-plugin installed. I am using the docker-elk repo with SearchGuard enabled. ElasticSearch has the Searchguard demo roles and users enabled.

I am trying to ship Metricbeat logs to my ELK. I have the following configuration in my metricbeat.yml:

output.elasticsearch:

hosts: [“localhost:9200”]

username: “admin”

password: “admin”

setup.kibana:

host: “localhost:5601”

username: “admin”

password: “admin”

So I am basically using the demo ‘admin’ user (which I think has access to all indices. I also tried with the demo ‘kibanaserver’ user).

The issue is that whenever I run the metricbeat setup step, I get access denied from Kibana. The logs in Metricbeat look like this:

$ ./metricbeat setup

Loaded index template

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana: Failed to import index-pattern: Failed to load directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern:

error loading /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern/metricbeat.json: 403 Forbidden. Response: {“statusCode”:403,“error”:“Forbidden”,“message”:“Error: Unauthorized”}

The logs in Kibana look like this:

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:200,“req”:{“url”:“/api/status”,“method”:“get”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“accept”:“application/json”,“content-type”:“application/json”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:200,“responseTime”:39,“contentLength”:9},“message”:“GET /api/status 200 39ms - 9.0B”}

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“post”,“statusCode”:403,“req”:{“url”:“/api/kibana/dashboards/import?force=true”,“method”:“post”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“content-length”:“250474”,“accept”:“application/json”,“content-type”:“application/json”,“kbn-version”:“6.1.0”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:403,“responseTime”:13,“contentLength”:9},“message”:“POST /api/kibana/dashboards/import?force=true 403 13ms - 9.0B”}

When I use Kibana without SG, the dashboards I imported without any error. I am assuming this has to do with the permissions on SearchGuard. Can someone please guide me in the right direction?

4

Imran,

Did you get this working? I am having the same issue. When I implemented the fix, I am still getting the error.

Thanks.

···

On Friday, January 19, 2018 at 1:29:22 PM UTC-6, Imran Arshad wrote:

Thanks Jochen. I have raised an issue on Github.

On Friday, 19 January 2018 05:26:00 UTC-6, Jochen Kressin wrote:

I think this is a bug in the Kibana plugin. Can you please open an issue here: https://github.com/floragunncom/search-guard-kibana-plugin/issues?

On Friday, January 19, 2018 at 12:02:35 AM UTC+1, Imran Arshad wrote:

  • Elasticsearch: 6.1.0
  • SearchGuard: 6.1.0-20
  • No enterprise modules enabled

I have ELK stack deployed on Docker with SearchGuard enabled, and the searchguard-kibana-plugin installed. I am using the docker-elk repo with SearchGuard enabled. ElasticSearch has the Searchguard demo roles and users enabled.

I am trying to ship Metricbeat logs to my ELK. I have the following configuration in my metricbeat.yml:

output.elasticsearch:

hosts: [“localhost:9200”]

username: “admin”

password: “admin”

setup.kibana:

host: “localhost:5601”

username: “admin”

password: “admin”

So I am basically using the demo ‘admin’ user (which I think has access to all indices. I also tried with the demo ‘kibanaserver’ user).

The issue is that whenever I run the metricbeat setup step, I get access denied from Kibana. The logs in Metricbeat look like this:

$ ./metricbeat setup

Loaded index template

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana: Failed to import index-pattern: Failed to load directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern:

error loading /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern/metricbeat.json: 403 Forbidden. Response: {“statusCode”:403,“error”:“Forbidden”,“message”:“Error: Unauthorized”}

The logs in Kibana look like this:

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“get”,“statusCode”:200,“req”:{“url”:“/api/status”,“method”:“get”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“accept”:“application/json”,“content-type”:“application/json”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:200,“responseTime”:39,“contentLength”:9},“message”:“GET /api/status 200 39ms - 9.0B”}

{“type”:“response”,“@timestamp”:“2018-01-18T22:47:17Z”,“tags”:,“pid”:1,“method”:“post”,“statusCode”:403,“req”:{“url”:“/api/kibana/dashboards/import?force=true”,“method”:“post”,“headers”:{“host”:“localhost:5601”,“user-agent”:“Go-http-client/1.1”,“content-length”:“250474”,“accept”:“application/json”,“content-type”:“application/json”,“kbn-version”:“6.1.0”,“accept-encoding”:“gzip”},“remoteAddress”:“172.18.0.1”,“userAgent”:“172.18.0.1”},“res”:{“statusCode”:403,“responseTime”:13,“contentLength”:9},“message”:“POST /api/kibana/dashboards/import?force=true 403 13ms - 9.0B”}

When I use Kibana without SG, the dashboards I imported without any error. I am assuming this has to do with the permissions on SearchGuard. Can someone please guide me in the right direction?

5

working on this here https://github.com/floragunncom/search-guard-kibana-plugin/issues/58

···

Am 01.02.2018 um 17:29 schrieb Chadwick Wendling <cadamwendling@gmail.com>:

Imran,
Did you get this working? I am having the same issue. When I implemented the fix, I am still getting the error.

Thanks.

On Friday, January 19, 2018 at 1:29:22 PM UTC-6, Imran Arshad wrote:
Thanks Jochen. I have raised an issue on Github.

On Friday, 19 January 2018 05:26:00 UTC-6, Jochen Kressin wrote:
I think this is a bug in the Kibana plugin. Can you please open an issue here: Issues · floragunncom/search-guard-kibana-plugin · GitHub?

On Friday, January 19, 2018 at 12:02:35 AM UTC+1, Imran Arshad wrote:
- Elasticsearch: 6.1.0
- SearchGuard: 6.1.0-20
- No enterprise modules enabled

I have ELK stack deployed on Docker with SearchGuard enabled, and the searchguard-kibana-plugin installed. I am using the docker-elk repo with SearchGuard enabled. ElasticSearch has the Searchguard demo roles and users enabled.

I am trying to ship Metricbeat logs to my ELK. I have the following configuration in my metricbeat.yml:

output.elasticsearch:

  hosts: ["localhost:9200"]

  username: "admin"

  password: "admin"

setup.kibana:

  host: "localhost:5601"

  username: "admin"

  password: "admin"

So I am basically using the demo 'admin' user (which I think has access to all indices. I also tried with the demo 'kibanaserver' user).

The issue is that whenever I run the metricbeat setup step, I get access denied from Kibana. The logs in Metricbeat look like this:

$ ./metricbeat setup

Loaded index template

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana: Failed to import index-pattern: Failed to load directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern:

  error loading /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern/metricbeat.json: 403 Forbidden. Response: {"statusCode":403,"error":"Forbidden","message":"Error: Unauthorized"}

The logs in Kibana look like this:

{"type":"response","@timestamp":"2018-01-18T22:47:17Z","tags":,"pid":1,"method":"get","statusCode":200,"req":{"url":"/api/status","method":"get","headers":{"host":"localhost:5601","user-agent":"Go-http-client/1.1","accept":"application/json","content-type":"application/json","accept-encoding":"gzip"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":200,"responseTime":39,"contentLength":9},"message":"GET /api/status 200 39ms - 9.0B"}

{"type":"response","@timestamp":"2018-01-18T22:47:17Z","tags":,"pid":1,"method":"post","statusCode":403,"req":{"url":"/api/kibana/dashboards/import?force=true","method":"post","headers":{"host":"localhost:5601","user-agent":"Go-http-client/1.1","content-length":"250474","accept":"application/json","content-type":"application/json","kbn-version":"6.1.0","accept-encoding":"gzip"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":403,"responseTime":13,"contentLength":9},"message":"POST /api/kibana/dashboards/import?force=true 403 13ms - 9.0B"}

When I use Kibana without SG, the dashboards I imported without any error. I am assuming this has to do with the permissions on SearchGuard. Can someone please guide me in the right direction?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/c9b7c580-1ad8-4569-a17a-f7a6cb88e668%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.