Cannot authenticate user through nginx authorization header


I want to configure auto login when users hit kibana url. So i created a anonymous user with basic read privileges through API. I checked if the user got created by logging in. it works. but when i add authorization header through nginx i get 401 in browser:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [kibana_anonymous] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Part of my nginx conf where header is added:

 proxy_set_header  Host $host;
 proxy_set_header  X-Real-IP $remote_addr;
 proxy_set_header  X-Forwarded-For $remote_addr;

 location / {
        proxy_set_header  Authorization "Basic a2liYW5hX2Fub255bW91czphbm9ueW1vdXM=";
        proxy_pass https://<KIBANA_URL>:5601;

This is what i get in elasticsearch log:

[id: 0x63c1aefd, L:/ - R:/] HANDSHAKEN: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Authentication to realm default_native failed - Password authentication failed for kibana_anonymous
path: /_security/_authenticate, params: {}
org.elasticsearch.ElasticsearchSecurityException: unable to authenticate user [kibana_anonymous] for REST request [/_security/_authenticate]
        at ~[x-pack-core-7.3.1.jar:7.3.1]
        at ~[x-pack-core-7.3.1.jar:7.3.1]
        at ~[x-pack-core-7.3.1.jar:7.3.1]
        at$AuditableRestRequest.authenticationFailed( ~[x-pack-security-7.3.1.jar:7.3.1]
        at$Authenticator.consumeUser( [x-pack-security-7.3.1.jar:7.3.1]
        at$Authenticator.lambda$consumeToken$16( [x-pack-security-7.3.1.jar:7.3.1]
        at org.elasticsearch.action.ActionListener$1.onResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse( [x-pack-core-7.3.1.jar:7.3.1]
        at$Authenticator.lambda$consumeToken$13( [x-pack-security-7.3.1.jar:7.3.1]
        at org.elasticsearch.action.ActionListener$1.onResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at$authenticateWithCache$3( [x-pack-security-7.3.1.jar:7.3.1]
        at org.elasticsearch.action.ActionListener$1.onResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at$verifyPassword$16( [x-pack-security-7.3.1.jar:7.3.1]
        at org.elasticsearch.action.ActionListener$1.onResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at$2.onResponse( [x-pack-security-7.3.1.jar:7.3.1]
        at [elasticsearch-7.3.1.jar:7.3.1]
        at$1.onResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at$1.onResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at [elasticsearch-7.3.1.jar:7.3.1]
        at$AsyncSingleAction$2.handleResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at$AsyncSingleAction$2.handleResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at org.elasticsearch.transport.TransportService$DirectResponseChannel.processResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at org.elasticsearch.transport.TransportService$DirectResponseChannel.sendResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at org.elasticsearch.transport.TaskTransportChannel.sendResponse( [elasticsearch-7.3.1.jar:7.3.1]
        at [elasticsearch-7.3.1.jar:7.3.1]
        at [elasticsearch-7.3.1.jar:7.3.1]
        at$1.doRun( [elasticsearch-7.3.1.jar:7.3.1]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun( [elasticsearch-7.3.1.jar:7.3.1]
        at [elasticsearch-7.3.1.jar:7.3.1]
        at java.util.concurrent.ThreadPoolExecutor.runWorker( [?:?]
        at java.util.concurrent.ThreadPoolExecutor$ [?:?]
        at [?:?]

In logs it says 'Authentication to realm default_native failed - Password authentication failed for kibana_anonymous' I rechecked multiple times to make sure password is correct but still i'm getting this error. (Manual login through same credentials work)

I generated that base64 with following command:

echo -n username:password | base64

Am using successfully these settings in our nginx proxy:

auth_basic "Only for authorized personal";
auth_basic_user_file <pwd file>;

# all proxy keys goes in our location section
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_no_cache "0";
proxy_cache_bypass $http_authorization;

Dunno if this help U

Thanks for sharing. But what's weird is when i create a user through UI, adding authorization header through nginx works amazingly. The problem is when i create a user though API.

I created user using the following curl command:

curl --insecure -X POST -u elastic "https://localhost:9200/_security/user/kibana_anonymous?pretty" -H 'Content-Type: application/json' -d'
  "password" : "anonymous",
  "roles" : [ "kibana_anonymous" ]

Does that mean users created using elasticsearch endpoint cannot login through headers? (I can login through UI though) If that's the case is there a Kibana API to create users? (I haven't found any)

Doesn’t seem so from the Kibana REST API doc, I’m not sure a Kibana User is the same as an Elastic User like the Kibana yaml is configured with to access the Elastic cluster it self.

Also note The Note under roles here

I think the problem was i had assigned elasticsearch anonymous role to the user in addition to a kibana role. I modified kibana role itself and added 'run_as' to have a value of elasticsearch anonymous user. (It worked for me but not sure if it is the actual cause)

When i created user with above changes to same endpoint as described above, i could login through nginx without any problem.

Ok so elastic users are also what kibana authenticates against. Then there's the management of assigned Kibana Spaces, Index Patterns etc. but assume this could all be managed through the kibana API with kibana roles. Wouldn't it also be possible to authenticate users against a ldap/Microsoft DS...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.