Automatically configuring Kibana settings (indexes, visualizations, dashboards) on ECE

Elastic Orchestration Elastic Cloud Enterprise (ECE)
1

Hi team

I have used the elasticsearch superuser (elastic) credentials to automatically set up a bunch of elasticsearch indexes by sending the index-file.json contents to the Elastic API endpoint.

My struggle is that I would very much like to do the same with the Kibana settings because there are a lot more of them but I am having some challenges understanding whether this is even possible from the ECE documentation...

If I use the Kibana Endpoint and the elastic (superuser) username and password as credentials I only ever receive a 401 (unauthorized) response. If I use the Elastic endpoint base url this doesn't appear to work with any of the Kibana API endpoints... which is not entirely a suprise...

Is this process documented anywhere with some good examples? Do I need to create a new user in Kibana with some sort of other permissions? I really want to avoid having to upload all the kibana saved objects manually every time we make a change or acquire a new customer.

Really appreciate any help with this

2

Can you give an example of a (sanitized) API endpoint call that is returning 401?

Using elastic should allow you to do anything (on a recent cluster - older - 12+ months - ones had some additional restrictions)

Also 401 is normally "wrong password", 403 is what you get when you're not allowed to do something

3

Ah I just re-read .. I suspect the problem is that your Kibana isn't configured to support basic auth?

Do you have a config for xpack.security.authc.providers in your Kibana YAML? (It defaults to allowing basic)

https://www.elastic.co/guide/en/kibana/7.x/kibana-authentication.html

EDIT: see below

4

Oh in fact, some more digging ... looks like Kibana API only allows token based auth: https://www.elastic.co/guide/en/kibana/7.6/using-api.html

5

Thanks @Alex_Piggott

Actually it get's a bit more interesting than that :wink:

I'm using PowerShell with the ElasticAPI endpoints and if I create a PSCredential object for Invoke-RestMethod that works fine...

$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
$ElasticCreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)

This approach doesn't work with the Kibana endpoints

HOWEVER if I go back to something like this which is (possibly) more like curl...

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
 $Headers = @{Authorization=("Basic {0}" -f $base64AuthInfo)}

Then this works with https://KibanaAPIendpoint/api/status

I have set xpack.security.authc.providers: [basic] in the Kibana.yml backend via the user setting over-rides.

Any ideas why one approach would work with Elasticsearch but doesn't with Kibana?

6

This maybe explains it: PowerShell's Invoke-RestMethod equivalent of curl -u (Basic Authentication) - Stack Overflow

As noted in the comments, this method will not send the Authorization header on the initial request. It waits for a challenge response then re-sends the request with the Authorization header. This will not work for services that require credentials on the initial request.

I guessing the Kibana API falls into that category and ES API doesn't? Probably worth posting over in the Kibana forum to discuss the gory details :slight_smile:

7

Aha! That's super useful to know Alex - thanks

Yes, I will put this in the Kibana forum tomorrow :wink:

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.