Cannot log in to Kibana with "elastic" user, after enabling minimal security


I have an Elasticsearch cluster that has been running with security disabled. I tried to enable security by following the instructions at:

I completed all the instructions, but I also overwrote the Kibana keystore when I was prompted, as I didn't care about the current users. I then tried to log in to Kibana with the "elastic" user, but I got a 401 error. The Kibana log shows the following, where the user "admin" was the user I used to log in with originally:

"message":"Authentication attempt failed: {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"**unable to authenticate user [admin] for REST request [/_security/_authenticate]**\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\"

It seems that Kibana is trying to communicate with elasticsearch using an "old" username, that I expected to have been overwritten.

Doing a curl from the command line and passing the "elastic" user and password works successfully however. Any ideas how I can troubleshoot this issue?

Btw, if I set the option "" to false, I am again able to log in with "admin".

Can you provide a little more context? How you used to login with the admin user if you didn't have security enabled?

Kibana keystore is where kibana stores some sensitive information about how it logs in Elasticsearch, normally you store the password or service account that Kibana will use to login in Elasticsearch.

Did you recreate it following the documentation?

What does your kibana.yml looks like, please share it.

The security wasn't enabled for elasticsearch, as the option was set to false (or commented out) in the elasticsearch.yml file. Also, there was a warning that appeared after logging in to Kibana about not enabling security. But there was a default browser log in prompt, that popped up when visiting the Kibana home page.

Yes, and I saved the generated passwords.

# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address. "localhost"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
server.basePath: "/kibana"

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
server.rewriteBasePath: True

# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576

# The Kibana server's name.  This is used for display purposes. "your-hostname"

# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://localhost:9200"]

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "kibana_system"
elasticsearch.password: "-------------------------------------"

# Kibana can also authenticate to Elasticsearch via "service account tokens".
# If may use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false

# Specifies the path where Kibana creates the process ID file.
#pid.file: /run/kibana/

# Enables you to specify a file where Kibana stores log output.
#logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"

Here it is, thanks for taking a look...

This does not make any sense, If you had security disabled, Kibana would not ask you for any login, since you said you had a default browser pop-up asking for credentials, this means that you had a reverse proxy in front of Kibana, something like NGINX or Apache, to configure basic authentication.

Do you still have this pop-up? You may need to disable this proxy.

Well, if I cancel the pop up, I get a message from nginx...

So, I should just run Kibana without nginx? Yes, I still have the pop-up.

This depends on your infrastructure, only you can tell if you need NGINX or not.

Kibana does not need NGINX, some people used it before to enable authentication when the Security features where not free, but now the security features are part of the basic license and there is no need to use NGINX just for that.

But there are maybe other uses for NGINX.

From your kibana.yml for example, your kibana is listening only on localhost, so you probaby have NGINX listening in the private IP of your server and redirecting the requests to Kibana.

If you remove NGINX you will need to configure your Kibana to listen in the private ip of your server so you can access it from outside the server.

Thanks... I'll try disabling nginx authentication first...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.