Can't Authenticate Kibana to Elasticsearch

Running ELK version 6.0 on Ubuntu 16.0.4 LTS virtual machine.

I have run through the X-Pack setup guide and created the passwords for: elastic, kibana and logstash_system. I then added the kibana username and password to the kibana.yml file under elasticsearch.username and elasticsearch.password, and then restarted ES and Kibana. Now when I go to the Kibana web interface I am not asked for login (I thought X-Pack would?).
I see this in Kibana:

Elasticsearch plugin is red
Unable to connect to Elasticsearch at http://localhost:9200.

I see the below in the ES logs:

[2017-12-06T17:14:58,706][ERROR][o.e.x.s.a.e.ReservedRealm] [WSkSjG5] failed to retrieve password hash for reserved user [kibana]
[2017-12-06T17:14:58,706][INFO ][o.e.x.s.a.AuthenticationService] [WSkSjG5] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana]

Also, I tried to set up Kibana so it can log by adding /var/log/kibana/kibana.log to the logging dest option. I have created the kibana folder and set permissions to 655 and also created the kibana.log file and set the permissions to 644. When I save the config and try to start Kibana, it just keeps restarting.

Cheers

George

Hi George,

Did you install X-Pack in Kibana as well as Elasticsearch? If you're not getting prompted for a login from Kibana that would be my first guess of the problem.

https://www.elastic.co/guide/en/x-pack/current/installing-xpack.html

Regards,
Lee

Hi LeeDr,

I also thought this may be the issue, but I checked the version in Kibana, Logstash and Elasticsearch. Each came back as 6.0 so I'm unsure what the issue is. I may just fully reinstall ELK.

Cheers

George

You could just run:
bin/kibana-plugin list

and verify it returns something like x-pack@6.0.0 to verify it was installed. If you installed x-pack while Kibana was running you would need to restart it and wait for an optimizing step to complete (which can take several minutes).

That was the command I used and it did return something like you stated. Kibana was stopped when I installed and the optimization of browser bundles took about 20 minutes.

This is the key.
Was there any more information before or after that line? It is an indication that X-Pack security was unable to retrieve data from your cluster for some reason, and it should have more information that explains the problem (depending on the type of the problem it could be immediately before or immediately after that message).

There are a few possibilities for why that problem might be, including:

  1. Your cluster is red for some reason and the security index isn't available
  2. Your security index was created on a 5.x version of elasticsearch and hasn't been upgraded

What happens if you try the following:

curl -uelastic 'http://localhost:9200/'

You will need the elastic password from when you configured the passwords.

A few days ago I deleted all of the indices. I am new to ELK, and from my previous experience with Graylog and Elasticsearch the indices just held our log data that we had shipped into Elasticsearch. From what I now understand, these indices hold other information used for the running of ELK. Is there any way to rebuild the security index?

failed to retrieve built in user [kibana] info
org.elasticsearch.action.NoShardAvailableActionException: No shard available for [get [.security][doc][reserved-user-kibana]: routing [null]]

When I run the curl command you suggested I am prompted for the elastic user password and I input the password I set and it works, below is the output. I have set this username and password combination in the kibana.yml and also tried the kibana username and password I set but they didn't allow Kibana to authenticate to Elasticsearch.

curl -uelastic 'http://localhost:9200/'
  "cluster_uuid" : "13slUMBySJeMGU46kFU7cw",
  "version" : {
    "number" : "6.0.0",
    "build_hash" : "8f0685b",
    "build_date" : "2017-11-10T18:41:22.859Z",
    "build_snapshot" : false,
    "lucene_version" : "7.0.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Cheers,

George

Okay, so I just checked to see which indices were there, as I had previously run a delete * indices curl command. I have found that the security index seems to exist and its status is green:
.security-6 aOu--AgTQ4-mavmqyb5yVQ 1 0 3 0 10.5kb 10.5kb

So looking further into this, I realise that log I sent previously is stating that there are no shards available. I ran the curl command to check the shards and they are all unassigned.

I have tried the below to reassign them but it throws up an error message.

curl -u elastic:INSERTPASSWORDHERE -XPOST "http://localhost:9200/_cluster/reroute" -H'Content-Type: application/json' -d'   
{ 
    "commands" : [ { 
          "allocate" : { 
              "index" : "*", "shard" : 0, "node" : "WSkSjG5", "allow_primary": "true" 
          } 
        } 
    ] 
}' 

I get this error:

{ "error":{"root_cause":[{"type":"unknown_named_object_exception","reason":"Unknown AllocationCommand [allocate]","line":4,"col":24}],"type":"parsing_exception","reason":"[cluster_reroute] failed to parse field [commands]","line":4,"col":24,"caused_by":{"type":"unknown_named_object_exception","reason":"Unknown AllocationCommand [allocate]","line":4,"col":24}},"status":400}

Cheers,

George
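
Added example, not part of the thread: from Elasticsearch 5.0 onward the reroute API has no `allocate` command (it was split into `allocate_replica`, `allocate_stale_primary` and `allocate_empty_primary`), and each command targets one named index and shard. The sketch below finds unassigned primaries in `_cat/shards` output and builds the request bodies; the sample shard listing is constructed, and the index and node names are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example, not from the thread. Builds 6.x-style request bodies for
# diagnosing and reassigning an unassigned shard such as the security index.
# Helper names are illustrative; run the curl calls at the end by hand.

# Constructed sample of the output of:
#   curl -u elastic 'http://localhost:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason'
SAMPLE_CAT_SHARDS='.security-6 0 p UNASSIGNED CLUSTER_RECOVERED
.kibana     0 p STARTED
logstash-2017.12.06 0 p UNASSIGNED INDEX_CREATED
logstash-2017.12.06 0 r UNASSIGNED INDEX_CREATED'

# Print "index shard" for every unassigned primary in _cat/shards output (stdin).
unassigned_primaries() {
  awk '$3 == "p" && $4 == "UNASSIGNED" { print $1, $2 }'
}

# Body for _cluster/allocation/explain: ask why one primary is unassigned.
explain_body() {  # args: index shard
  printf '{"index":"%s","shard":%d,"primary":true}' "$1" "$2"
}

# Body for _cluster/reroute using the commands that replaced "allocate".
reroute_body() {  # args: command index shard node
  case "$1" in
    allocate_replica)
      printf '{"commands":[{"%s":{"index":"%s","shard":%d,"node":"%s"}}]}' "$1" "$2" "$3" "$4" ;;
    allocate_stale_primary|allocate_empty_primary)
      # Both primary commands can discard data and require explicit consent.
      printf '{"commands":[{"%s":{"index":"%s","shard":%d,"node":"%s","accept_data_loss":true}}]}' "$1" "$2" "$3" "$4" ;;
    *)
      echo "unknown allocation command: $1" >&2; return 1 ;;
  esac
}

# Usage against a live node. "-u elastic" prompts for the password, which
# keeps it out of shell history and the process list:
#   curl -u elastic -H 'Content-Type: application/json' \
#     'http://localhost:9200/_cluster/allocation/explain' -d "$(explain_body .security-6 0)"
#   curl -u elastic -XPOST -H 'Content-Type: application/json' \
#     'http://localhost:9200/_cluster/reroute' \
#     -d "$(reroute_body allocate_stale_primary .security-6 0 WSkSjG5)"
```

`allocate_empty_primary` creates an empty shard, so for the security index the stored users and password hashes would be gone; `allocate_stale_primary` reuses whatever copy of the shard is still on the node's disk.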
