Broke login to kibana

After doing the minimal security configuration (Built-in users | Elasticsearch Guide [8.5] | Elastic) I can no longer log into the kibana webui. The login of the webpage loads, but doesn't accept kibanaadmin and its password (set by "echo "kibanaadmin:$(openssl passwd -apr1)" | sudo tee -a /etc/nginx/htpasswd.users" from How To Install Elasticsearch, Logstash, and Kibana (Elastic Stack) on Ubuntu 20.04 | DigitalOcean)

The webpage replies to my attempt with "Username or password is incorrect. Please try again." I assume the minimal security setup somehow broke kibanaadmin. But I don't know how, or why, or how to fix it.

/var/log/kibana has the following at each login attempt....

{"type":"log","@timestamp":"2022-12-14T22:19:49+00:00","tags":["info","plugins","security","routes"],"pid":486,"message":"Logging in with provider \"basic\" (basic)"}
{"type":"response","@timestamp":"2022-12-14T22:19:49+00:00","tags":[],"pid":486,"method":"post","statusCode":401,"req":{"url":"/internal/security/login","method":"post","headers":{"connection":"upgrade","host":"x.x.x.x","content-length":"175","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","accept":"*/*","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate","referer":"http://3.133.215.55/login?next=%2F&msg=UNAUTHENTICATED","content-type":"application/json","kbn-version":"7.17.8","origin":"http://x.x.x.x"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","referer":"http://3.133.215.55/login?next=%2F&msg=UNAUTHENTICATED"},"res":{"statusCode":401,"responseTime":33,"contentLength":277},"message":"POST /internal/security/login 401 33ms - 277.0B"}

If I comment out xpack.security.enabled: true then I can log in (with no security) and if I again uncomment it, no login.

Advise Please

I thought maybe I need to create another user, but I can't create another user (as per Elasticsearch Create User) it says

"Start by launching Kibana, then log in. Use the passwords you used when setting up."

But this is the exact password that does not work with "xpack.security.enabled: true"

I have done a
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
And I do have the password which I interacted. These users don't log into the web gui either.

I have also, just now, tried
echo "kibanaadmin:$(openssl passwd -apr1)" | sudo tee -a /etc/nginx/htpasswd.users to reset this password after all other work I have done. Notta.

Kibana does not use nginx to manage access control on any level, so your use of it here is really only complicating matters more than they need to be.

Can you try to curl Elasticsearch with one of these? What is the response?

Thanks for the reply! I'm pulling out hair here.

I don't know what you mean by curl from these users. They don't log into the cli, do they? I think these are just 'service' accounts for communication between the different elk apps in the stack.

sudo su - kibana_system
[sudo] password for cygne: 
su: user kibana_system does not exist or the user entry does not contain all the required fields

You want to do curl -u username:password https://ElasticsearchIPorHostname:9200.

UN=kibana_system
PW=
HN=127.0.0.1

curl -u "$UN:$PW" "http://$HN:9200"
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [kibana_system] for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"unable to authenticate user [kibana_system] for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}c

This sounds like a bad password. Although, I took good notes. How do I reset this password? It says " After you set a password for the elastic user, you cannot run the elasticsearch-setup-passwords command a second time." https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html I can't be the first potential fat finger. (actually, I did buy a new keyboard just before this project)

You can try resetting the password

elasticsearch-reset-password --username user1 -i

it does not appear --username is an option.

sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords --help
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Sets the passwords for reserved users

Commands
--------
auto - Uses randomly generated passwords
interactive - Uses passwords entered by a user

Non-option arguments:
command              

Option             Description        
------             -----------        
-E <KeyValuePair>  Configure a setting
-h, --help         Show help          
-s, --silent       Show minimal output
-v, --verbose      Show verbose output

I don't think it likes that -i either. The command specified (in reference above) is elasticsearch-set-password interactive (no - / or --) and --help spits out the same as above.

Am I looking at a complete re-install? Or can I just reinstall elasticsearch, which seems to be the app that holds the credentials for the others?

$ sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password --help
Resets the password of users in the native realm and built-in users.

Option (* = required)  Description
---------------------  -----------
-E <KeyValuePair>      Configure a setting
-a, --auto
-b, --batch
-f, --force            Use this option to force execution of the command
                         against a cluster that is currently unhealthy.
-h, --help             Show help
-i, --interactive
-s, --silent           Show minimal output
* -u, --username       The username of the user whose password will be reset
--url                  the URL where the elasticsearch node listens for
                         connections.
-v, --verbose          Show verbose output

Ahh, thanks. I got it.

root@ip-172-31-19-233:/home# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
warning: usage of JAVA_HOME is deprecated, use ES_JAVA_HOME
Failed to authenticate user 'elastic' against http://127.0.0.1:9200/_security/_authenticate?pretty
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
   This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore
ERROR: Failed to verify bootstrap password

Is borked? proper borked.

If

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

is an option, then I wouldn't know the passwords for those usernames and I would not be able to log in at the kibana web gui with one of those usernames. I don't use what was set with htpasswd (kibanaadmin); who/what, then, do I use to log into the web interface?

I've decided to change gears and drop DigitalOcean's tutorial and go with https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html With which, I did get farther, but got stuck again. I will open a new thread for that problem.
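Added example, not part of the thread or of Elastic's code: a small triage script for the Kibana JSON log format quoted in the first post, which pulls out rejected logins (401 on /internal/security/login) and counts them per client. Because Kibana sits behind nginx in this setup, remoteAddress is always 127.0.0.1; the script assumes the proxy has been configured to add X-Forwarded-For, which the thread's log does not show. The sample records are constructed.

```python
import json
from collections import Counter

LOGIN_PATH = "/internal/security/login"

def _resp(status, remote, headers=None, url=LOGIN_PATH):
    """Build one constructed 'response' record shaped like the thread's log line."""
    return json.dumps({"type": "response", "@timestamp": "2022-12-14T22:19:49+00:00",
                       "req": {"url": url, "method": "post", "headers": headers or {},
                               "remoteAddress": remote},
                       "res": {"statusCode": status}})

# Constructed sample input (documentation IP ranges), not real log data.
SAMPLE_LOG = "\n".join([
    json.dumps({"type": "log", "tags": ["info", "plugins", "security", "routes"],
                "message": 'Logging in with provider "basic" (basic)'}),
    _resp(401, "127.0.0.1"),                      # proxy sets no forwarding header
    _resp(401, "127.0.0.1", {"x-forwarded-for": "198.51.100.9, 203.0.113.7"}),
    _resp(200, "127.0.0.1"),                      # successful login, ignored
    _resp(401, "127.0.0.1", url="/api/status"),   # 401 on another route, ignored
    "kibana started",                             # non-JSON noise, ignored
])

def failed_logins(log_text):
    """Return one dict per rejected request to Kibana's login route."""
    events = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or rec.get("type") != "response":
            continue
        req, res = rec.get("req") or {}, rec.get("res") or {}
        if req.get("url") != LOGIN_PATH or res.get("statusCode") != 401:
            continue
        # Assumption: one trusted proxy appends the address it saw, so the LAST
        # X-Forwarded-For entry is trustworthy; earlier entries are client-supplied.
        xff = (req.get("headers") or {}).get("x-forwarded-for", "")
        client = xff.split(",")[-1].strip() or req.get("remoteAddress", "unknown")
        events.append({"time": rec.get("@timestamp"), "client": client})
    return events

def summarize(log_text):
    """Count failed logins per client address."""
    return Counter(e["client"] for e in failed_logins(log_text))

if __name__ == "__main__":
    for client, count in summarize(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} failed login(s)")
```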
