Problems with Kibana 5 and SG 5.0.1-8

Hey all,

Trying to get Kibana 5 (latest) to work with my SG-enabled ES cluster.

I gave the kibana user maximum permissions in the roles/mappings configuration, and in fact Kibana is able to create its own index (.kibana) in ES, so it’s almost working. :slight_smile:

Kibana’s logs do show “Status changed from uninitialized to green - Ready”, so I’m hopeful…

However, when I try to access kibana’s “/app/kibana” path I get a HTTP 500 error. Kibana’s logs don’t show any further error info beyond

{
“type”: “error”,
@timestamp”: “2016-12-07T15:20:11Z”,
“tags”: ,
“pid”: 7,
“level”: “error”,
“message”: “Authentication Exception”,
“error”: {
“message”: “Authentication Exception”,
“name”: “Error”,
“stack”: “Error: Authentication Exception\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:289:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:248:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:164:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4994:19)\n at emitNone (events.js:91:20)\n at IncomingMessage.emit (events.js:185:7)\n at endReadableNT (_stream_readable.js:974:12)\n at _combinedTickCallback (internal/process/next_tick.js:74:11)\n at process._tickDomainCallback (internal/process/next_tick.js:122:9)”
},
“url”: {
“protocol”: null,
“slashes”: null,
“auth”: null,
“host”: null,
“port”: null,
“hostname”: null,
“hash”: null,
“search”: “”,
“query”: {},
“pathname”: “/app/kibana”,
“path”: “/app/kibana”,
“href”: “/app/kibana”
}
}

The es username and password are set correctly (it’s succeeding in creating its own index, after all).

Certificates seem to be configured correctly (otherwise the above would not have worked).

What else could it be?

Any ideas how to debug this?

Much appreciated,

Assaf Lavie

I get the same error as you, see post: “Using search-guard-5:5.0.2-8 with Kibana 5.0.2”

···

On Wednesday, December 7, 2016 at 9:24:42 AM UTC-6, assaf...@forter.com wrote:

Hey all,

Trying to get Kibana 5 (latest) to work with my SG-enabled ES cluster.

I gave the kibana user maximum permissions in the roles/mappings configuration, and in fact Kibana is able to create its own index (.kibana) in ES, so it’s almost working. :slight_smile:

Kibana’s logs do show “Status changed from uninitialized to green - Ready”, so I’m hopeful…

However, when I try to access kibana’s “/app/kibana” path I get a HTTP 500 error. Kibana’s logs don’t show any further error info beyond

{
“type”: “error”,
@timestamp”: “2016-12-07T15:20:11Z”,
“tags”: ,
“pid”: 7,
“level”: “error”,
“message”: “Authentication Exception”,
“error”: {
“message”: “Authentication Exception”,
“name”: “Error”,
“stack”: “Error: Authentication Exception\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:289:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:248:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:164:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4994:19)\n at emitNone (events.js:91:20)\n at IncomingMessage.emit (events.js:185:7)\n at endReadableNT (_stream_readable.js:974:12)\n at _combinedTickCallback (internal/process/next_tick.js:74:11)\n at process._tickDomainCallback (internal/process/next_tick.js:122:9)”
},
“url”: {
“protocol”: null,
“slashes”: null,
“auth”: null,
“host”: null,
“port”: null,
“hostname”: null,
“hash”: null,
“search”: “”,
“query”: {},
“pathname”: “/app/kibana”,
“path”: “/app/kibana”,
“href”: “/app/kibana”
}
}

The es username and password are set correctly (it’s succeeding in creating its own index, after all).

Certificates seem to be configured correctly (otherwise the above would not have worked).

What else could it be?

Any ideas how to debug this?

Much appreciated,

Assaf Lavie

There have been changes in Kibana from 5.0.2 onwards which break HTTP Basic Authentication. It also seems that this PR

will not be backported to 5.0.2 unfortunately.

We’re working on a solution which should be available in the next week.

···

Am Mittwoch, 7. Dezember 2016 16:57:28 UTC+1 schrieb Nicolas Castet:

I get the same error as you, see post: “Using search-guard-5:5.0.2-8 with Kibana 5.0.2”

On Wednesday, December 7, 2016 at 9:24:42 AM UTC-6, assaf...@forter.com wrote:

Hey all,

Trying to get Kibana 5 (latest) to work with my SG-enabled ES cluster.

I gave the kibana user maximum permissions in the roles/mappings configuration, and in fact Kibana is able to create its own index (.kibana) in ES, so it’s almost working. :slight_smile:

Kibana’s logs do show “Status changed from uninitialized to green - Ready”, so I’m hopeful…

However, when I try to access kibana’s “/app/kibana” path I get a HTTP 500 error. Kibana’s logs don’t show any further error info beyond

{
“type”: “error”,
@timestamp”: “2016-12-07T15:20:11Z”,
“tags”: ,
“pid”: 7,
“level”: “error”,
“message”: “Authentication Exception”,
“error”: {
“message”: “Authentication Exception”,
“name”: “Error”,
“stack”: “Error: Authentication Exception\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:289:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:248:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:164:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4994:19)\n at emitNone (events.js:91:20)\n at IncomingMessage.emit (events.js:185:7)\n at endReadableNT (_stream_readable.js:974:12)\n at _combinedTickCallback (internal/process/next_tick.js:74:11)\n at process._tickDomainCallback (internal/process/next_tick.js:122:9)”
},
“url”: {
“protocol”: null,
“slashes”: null,
“auth”: null,
“host”: null,
“port”: null,
“hostname”: null,
“hash”: null,
“search”: “”,
“query”: {},
“pathname”: “/app/kibana”,
“path”: “/app/kibana”,
“href”: “/app/kibana”
}
}

The es username and password are set correctly (it’s succeeding in creating its own index, after all).

Certificates seem to be configured correctly (otherwise the above would not have worked).

What else could it be?

Any ideas how to debug this?

Much appreciated,

Assaf Lavie

We’ve just release alpha versions of our Kibana plugin which should solve the authentication problem. If you want to give it a try, we appreciate any feedback:

···

Am Samstag, 17. Dezember 2016 21:00:31 UTC+1 schrieb Jochen Kressin:

There have been changes in Kibana from 5.0.2 onwards which break HTTP Basic Authentication. It also seems that this PR

https://github.com/elastic/kibana/pull/9446

will not be backported to 5.0.2 unfortunately.

We’re working on a solution which should be available in the next week.

Am Mittwoch, 7. Dezember 2016 16:57:28 UTC+1 schrieb Nicolas Castet:

I get the same error as you, see post: “Using search-guard-5:5.0.2-8 with Kibana 5.0.2”

On Wednesday, December 7, 2016 at 9:24:42 AM UTC-6, assaf...@forter.com wrote:

Hey all,

Trying to get Kibana 5 (latest) to work with my SG-enabled ES cluster.

I gave the kibana user maximum permissions in the roles/mappings configuration, and in fact Kibana is able to create its own index (.kibana) in ES, so it’s almost working. :slight_smile:

Kibana’s logs do show “Status changed from uninitialized to green - Ready”, so I’m hopeful…

However, when I try to access kibana’s “/app/kibana” path I get a HTTP 500 error. Kibana’s logs don’t show any further error info beyond

{
“type”: “error”,
@timestamp”: “2016-12-07T15:20:11Z”,
“tags”: ,
“pid”: 7,
“level”: “error”,
“message”: “Authentication Exception”,
“error”: {
“message”: “Authentication Exception”,
“name”: “Error”,
“stack”: “Error: Authentication Exception\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:289:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:248:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:164:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4994:19)\n at emitNone (events.js:91:20)\n at IncomingMessage.emit (events.js:185:7)\n at endReadableNT (_stream_readable.js:974:12)\n at _combinedTickCallback (internal/process/next_tick.js:74:11)\n at process._tickDomainCallback (internal/process/next_tick.js:122:9)”
},
“url”: {
“protocol”: null,
“slashes”: null,
“auth”: null,
“host”: null,
“port”: null,
“hostname”: null,
“hash”: null,
“search”: “”,
“query”: {},
“pathname”: “/app/kibana”,
“path”: “/app/kibana”,
“href”: “/app/kibana”
}
}

The es username and password are set correctly (it’s succeeding in creating its own index, after all).

Certificates seem to be configured correctly (otherwise the above would not have worked).

What else could it be?

Any ideas how to debug this?

Much appreciated,

Assaf Lavie

Many thanks, Jochen.

Will give this a try. ATM we’re back on 5.0.1 (which is how we worked around this issue) but we’ll soon upgrade and try it with the new plugin.

Assaf

···

On Thu, Dec 22, 2016 at 5:56 PM, Jochen Kressin jkressin@floragunn.com wrote:

We’ve just release alpha versions of our Kibana plugin which should solve the authentication problem. If you want to give it a try, we appreciate any feedback:

https://github.com/floragunncom/search-guard-kibana-plugin

Am Samstag, 17. Dezember 2016 21:00:31 UTC+1 schrieb Jochen Kressin:

There have been changes in Kibana from 5.0.2 onwards which break HTTP Basic Authentication. It also seems that this PR

https://github.com/elastic/kibana/pull/9446

will not be backported to 5.0.2 unfortunately.

We’re working on a solution which should be available in the next week.

Am Mittwoch, 7. Dezember 2016 16:57:28 UTC+1 schrieb Nicolas Castet:

I get the same error as you, see post: “Using search-guard-5:5.0.2-8 with Kibana 5.0.2”

On Wednesday, December 7, 2016 at 9:24:42 AM UTC-6, assaf...@forter.com wrote:

Hey all,

Trying to get Kibana 5 (latest) to work with my SG-enabled ES cluster.

I gave the kibana user maximum permissions in the roles/mappings configuration, and in fact Kibana is able to create its own index (.kibana) in ES, so it’s almost working. :slight_smile:

Kibana’s logs do show “Status changed from uninitialized to green - Ready”, so I’m hopeful…

However, when I try to access kibana’s “/app/kibana” path I get a HTTP 500 error. Kibana’s logs don’t show any further error info beyond

{
“type”: “error”,
@timestamp”: “2016-12-07T15:20:11Z”,
“tags”: ,
“pid”: 7,
“level”: “error”,
“message”: “Authentication Exception”,
“error”: {
“message”: “Authentication Exception”,
“name”: “Error”,
“stack”: “Error: Authentication Exception\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:289:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:248:7)\n at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:164:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4994:19)\n at emitNone (events.js:91:20)\n at IncomingMessage.emit (events.js:185:7)\n at endReadableNT (_stream_readable.js:974:12)\n at _combinedTickCallback (internal/process/next_tick.js:74:11)\n at process._tickDomainCallback (internal/process/next_tick.js:122:9)”
},
“url”: {
“protocol”: null,
“slashes”: null,
“auth”: null,
“host”: null,
“port”: null,
“hostname”: null,
“hash”: null,
“search”: “”,
“query”: {},
“pathname”: “/app/kibana”,
“path”: “/app/kibana”,
“href”: “/app/kibana”
}
}

The es username and password are set correctly (it’s succeeding in creating its own index, after all).

Certificates seem to be configured correctly (otherwise the above would not have worked).

What else could it be?

Any ideas how to debug this?

Much appreciated,

Assaf Lavie

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/Pta_cZLzW_k/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/a2a4f4f8-56dc-4a9b-854c-6d73667e8547%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.