X-pack and basic license

plusque · November 4, 2016, 2:36pm

hi

i'am trying to use elastic stack 5.0 with x-pack in basic license mode. so monitoring only.

i installed x-pack on both, elasticsearch an kibana. everything went well. the installation of the license went smooth as well.
in elasticsearch.yml i put the following lines;
xpack.security.enabled: false
xpack.graph.enabled: false
xpack.watcher.enabled: false

in kibana.yml i put the following:
xpack.security.enabled: false
xpack.graph.enabled: false
xpack.reporting.enabled: false

everything went well, i can search all my data and i even see the .monitoring indeces in elasticsearch.

nevertheless, when i go to kibana and open the monitoring app, the following appears:
Access Denied
You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles.

what am i missing? shouldn't the whole security thingy be disabled and not running at all?

thanks for your help

regards
phil

skearns · November 4, 2016, 5:00pm

Hi Phil,

It sounds like the Basic license may not have been applied. Can you share the output of:

curl -XGET "localhost:9200/_xpack/license" -u elastic

I included the -u elastic on the assumption that security is still enabled.

Thanks,
Steve

plusque · November 4, 2016, 5:22pm

hi steve

i did not use the -u because, in my opinion security is disabled, and it worked like a charm:

curl -XGET "localhost:9200/_xpack/license"
{
"license" : {
"status" : "active",
"uid" : "000c7ad7-7b38-4cbc-a827-090351450bde",
"type" : "basic",
"issue_date" : "2016-10-27T00:00:00.000Z",
"issue_date_in_millis" : 1477526400000,
"expiry_date" : "2017-11-01T23:59:59.999Z",
"expiry_date_in_millis" : 1509580799999,
"max_nodes" : 100,
"issued_to" : "Philipp Plüss (Bern University of Applied Sciences)",
"issuer" : "Web Form",
"start_date_in_millis" : -1
}
}

i have to mention, as a security measurment i've put the elasticsearch behind a apache with ldap-auth enabled. could this be a problem? shoulden't if the security is disabled or am i wrong?

regards
phil

tsullivan · November 4, 2016, 7:36pm

Hi Phil,

I take it in your config you have the settings for:

elasticsearch.url
elasticsearch.username
elasticsearch.password

And when you first go to Kibana you see a Basic Authentication dialog in the browser, that you use to give the credentials to Apache with ldap-auth?

If I understand your setup correctly, it seems to me there is a new bug for Monitoring in 5.0 that happens if authentication is required for accessing Elasticsearch via proxy, as opposed to having Security enabled.

plusque · November 9, 2016, 10:38am

Hi Tim

Sorry, for my delayed answer.

Yes, you are totally right. i've got elasticsearch.url and username/password in the kibana.yml

This should work, am i right?

regards
phil

tsullivan · November 9, 2016, 11:27am

Hi again plusque,

I would say your Elasticsearch and Kibana configuration seems correct. One solution/workaround that worked for me when I tried a setup to simulate yours is to add a proxy in front of Kibana as well, and have that proxy enforce the same authentication as the one you have in front of Elasticsearch - same realm and same username/password to allow access.

What this does is get the browser to pop up the Basic authentication dialog for the first full-page request of Kibana. The user will enters a username and password for this first request to get access, and after that, the browser will send the Authorization header for every request from there.

The situation that happens if you have the proxy and authentication wall in front of just Elasticsearch and not Kibana, is that the Basic authentication dialog only pops up for the AJAX requests made, and browsers will not send the Authorization header for every subsequent request when it's just AJAX requests that prompt the authentication popup. Getting the auth popup to happen for the first full-page load fixes it.

I'll share my config with you:

elasticsearch.yml:

xpack.security.enabled: false
xpack.graph.enabled: false
xpack.watcher.enabled: false

kibana.yml:

xpack.security.enabled: false
xpack.graph.enabled: false
xpack.reporting.enabled: false

elasticsearch.url: "http://localhost:9229" # connects to the proxy in front of elasticsearch
elasticsearch.username: "tim"
elasticsearch.password: "password-for-proxy-in-front-of-elasticsearch"

server.host: "tim-virtual-machine.local"

I didn't set up an Apache that uses ldap-auth to proxy the Elastic stack, but here is the important pieces of an nginx.conf that worked for me. It just uses Basic authentication and hopefully it's easy enough to follow:

http {

  # proxy elasticsearch
  server {
    listen 9229; # match elasticsearch.url port in kibana.yml

    auth_basic "Protected Elasticsearch";
    auth_basic_user_file passwords;

    access_log  logs/proxy.access-es.log  main;

    location / {
      proxy_pass http://localhost:9200;
    }
  }

  # proxy kibana
  server {
    listen 5665; # browser will connect to the kibana server via this port

    auth_basic "Protected Kibana";
    auth_basic_user_file passwords; # same passwords file needed as elasticsearch

    access_log  logs/proxy.access-kbn.log  main;

    location / {
      proxy_pass http://tim-virtual-machine.local:5601; # match server.host in kibana.yml
    }
  }

}

Now when I navigate to http://tim-virtual-machine.local:5665 (Note: you should probably have SSL enabled) I get the basic auth popup before able to see anything else in the UI. That is the key - the auth has to pop up on the first request for a full page, not after an AJAX call.

If you see the site navigation on the side, and other UI elements such as a welcome screen, then the auth popup triggered because of an AJAX call. That would mean only the proxy to Elasticsearch is asking for the password. If this happens, the browser won't send the authentication header with every request.

Bad:

You need the proxy in front of Kibana to ask for the password.

Good:

Then after logging in, you'll be able to access all the parts of the UI, including Monitoring.

plusque · November 9, 2016, 1:14pm

Hi Tim

great!

that worked and is, at the moment, totally ok as workaround.

thanks for taking the time to test this and provide a fix as fast!

regards
philipp

Fran_Fabrizio · November 19, 2016, 4:11am

Thank you, this post was extremely helpful in getting me up and running with monitoring under the basic license! It would be helpful if this process was documented within the official documentation - I did not find this thread until 90 minutes of fruitless troubleshooting had passed. From the instructions, you're lead to believe you need to configure users and such, but of course that's not valid under a basic license.

Thanks again, great post!