Cannot login to Kibana with elastic login

jstewart_lsa · July 15, 2019, 2:42pm

I'm trying to setup Elasticsearch and Kibana v7.2 in GKE using the elastic helm-charts. I've followed the instructions to enable security on these pages:

https://github.com/elastic/helm-charts/blob/master/elasticsearch/README.md#security
https://github.com/elastic/helm-charts/blob/master/kibana/README.md#security

I've setup the CA and generated the needed certificates to enable transport security; and my es cluster and kibana pods come up fine. But when I navigate to kibana from the browser, I get invalid username/password when I attempt to login with the 'elastic' user and password. However if I exec into the kibana pod, I can successfully curl the elasticsearch endpoint using the same username and password.

I have even tried disabling https setup to just test with transport ssl (although Kibana was successfully starting with https as well).

Note: The below setup is with https turned off

Elasticsearch setup

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/instance.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/instance.p12

elastic username and password are set using k8s secrets through the ELASTIC_USERNAME and ELASTIC_PASSWORD environment variables
The p12 cert mentioned above is also mounted through k8s secrets

Kibana Setup

xpack.security.encryptionKey: <redacted>

elastic username and password are set using k8s secrets through the ELASTICSEARCH_USERNAME and ELASTICSEARCH_PASSWORD environment variables

Info

Here is the curl performed from on the kibana Pod

bash-4.2$ curl -k -v http://elasticsearch-master:9200 -k -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD
* About to connect() to elasticsearch-master port 9200 (#0)
*   Trying 10.0.17.113...
* Connected to elasticsearch-master (10.0.17.113) port 9200 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzojMjFqTGhQSUde
> User-Agent: curl/7.29.0
> Host: elasticsearch-master:9200
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 517
<
{
  "name" : "elasticsearch-master-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "B-tG7xTSR6-t-XmzL18s8w",
  "version" : {
    "number" : "7.2.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "508c38a",
    "build_date" : "2019-06-20T15:54:18.811730Z",
    "build_snapshot" : false,
    "lucene_version" : "8.0.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Error from elasticsearch log when failed UI login

{"type": "server", "timestamp": "2019-07-15T14:01:06,758+0000", "level": "INFO", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-0", "cluster.uuid": "B-tG7xTSR6-t-XmzL18s8w", "node.id": "8zbrBdHoT0mxyGrkUqp45g",  "message": "Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]"  }

tiagocosta · July 15, 2019, 2:54pm

@jstewart_lsa could you please verify if your provided configuration is somehow similar to that example one we provide here https://github.com/elastic/helm-charts/blob/master/kibana/examples/security/security.yml#L5 ?

jstewart_lsa · July 15, 2019, 3:05pm

@tiagocosta yes, here is my full security yaml for kibana file (you'll notice I'm not using the server.ssl settings, it seemed from kibana docs that was separate and not necessary to get the rest of this working).

These settings are when I had https turned on.

---
elasticsearchHosts: "https://elasticsearch-master:9200"

extraEnvs:
  - name: 'ELASTICSEARCH_USERNAME'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: 'ELASTICSEARCH_PASSWORD'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password

kibanaConfig:
  kibana.yml: |
    # server.ssl:
    #   enabled: true
    #   key: /usr/share/kibana/config/certs/kibana/kibana.key
    #   certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
    xpack.security.encryptionKey: something_at_least_32_characters
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/ca.pem
      verificationMode: certificate
protocol: https

secretMounts:
  - name: elastic-ca
    secretName: elastic-ca
    path: /usr/share/kibana/config/certs
  # - name: kibana-certificates
  #   secretName: kibana-certificates
  #   path: /usr/share/kibana/config/certs/kibana

And here is the security yaml for elasticsearch

---
protocol: https

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/instance.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/instance.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.verification_mode: certificate
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/instance.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/instance.p12
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username

secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs

tiagocosta · July 15, 2019, 9:14pm

@jstewart_lsa I think the problem here is that you don't have the ssl correctly configured in the kibana side. I think you have to turn on and configure all the commented out fields you have in the kibana security yml file.

I think it could be also useful to understand wether you can or not connect to the elasticsearch from the kibana container or not:

curl -k -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD https://elasticsearch-master:9200

jstewart_lsa · July 16, 2019, 12:45pm

@tiagocosta From what I I read in this documentation those settings are just for SSL between browser and Kibana, which I didn't really want to setup since I'm terminating TLS for incoming traffic at my ingress controller.

And to answer your 2nd question, yes I can curl it from the kibana container using that command (including the env variables). Below is the response from that.

Is there some debug logging I can turn on in Kibana that may help? Some old guides talk about setting up realms and/or using the "elasticsearch-setup-password" tool; but the helm guides don't mention those.

in this example I had turned of https on elasticsearch and just had kibana hitting http; but I got the same results both ways

bash-4.2$ curl -k -v http://elasticsearch-master:9200 -k -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD
* About to connect() to elasticsearch-master port 9200 (#0)
*   Trying 10.0.17.113...
* Connected to elasticsearch-master (10.0.17.113) port 9200 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzojMjFqTGhQSUde
> User-Agent: curl/7.29.0
> Host: elasticsearch-master:9200
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 517
<
{
  "name" : "elasticsearch-master-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "B-tG7xTSR6-t-XmzL18s8w",
  "version" : {
    "number" : "7.2.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "508c38a",
    "build_date" : "2019-06-20T15:54:18.811730Z",
    "build_snapshot" : false,
    "lucene_version" : "8.0.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

tiagocosta · July 16, 2019, 2:56pm

@jstewart_lsa for a matter of testing it, can you please change in your kibana security config yml the protocol to http and just comment the configurations for the elasticsearch ssl settings?

tiagocosta · July 16, 2019, 3:04pm

One thing I forgot, in your experiment also set logging.verbose: true in the kibana configuration and try to login in an anonymous tab.

jstewart_lsa · July 16, 2019, 6:48pm

@tiagocosta Okay, here are my current settings:

elasticsearch

protocol: http

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/instance.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/instance.p12

extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username

secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs

kibana

kibanaConfig:
  kibana.yml: |
    logging.verbose: true
    xpack.security.encryptionKey: <redacted>

extraEnvs:
  - name: 'ELASTICSEARCH_USERNAME'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: 'ELASTICSEARCH_PASSWORD'
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password

I can curl from the kibana container:

curl -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD http://elasticsearch-master:9200

curl results

{
  "name" : "elasticsearch-master-0",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "FyOzxi8sScyQyLxR0n0GQA",
  "version" : {
    "number" : "7.2.0",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "508c38a",
    "build_date" : "2019-06-20T15:54:18.811730Z",
    "build_snapshot" : false,
    "lucene_version" : "8.0.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

I am now seeing an error in Kibana log:

see next message, was too big to include in this one

jstewart_lsa · July 16, 2019, 6:49pm

@tiagocosta

But now with verbose logging on I am seeing these errors constantly in kibana log:

kibana log

{"type":"log","@timestamp":"2019-07-16T18:40:35Z","tags":["debug","security","basic"],"pid":1,"message":"Trying to authenticate user request to /app/kibana."}
{"type":"log","@timestamp":"2019-07-16T18:40:35Z","tags":["debug","security","basic"],"pid":1,"message":"Trying to authenticate via login attempt."}
{"type":"log","@timestamp":"2019-07-16T18:40:35Z","tags":["debug","security","basic"],"pid":1,"message":"Username and password not found in payload."}
{"type":"log","@timestamp":"2019-07-16T18:40:35Z","tags":["debug","security","basic"],"pid":1,"message":"Trying to authenticate via header."}
{"type":"log","@timestamp":"2019-07-16T18:40:35Z","tags":["debug","security","basic"],"pid":1,"message":"Authorization header is not presented."}
{"type":"response","@timestamp":"2019-07-16T18:40:35Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/app/kibana","method":"get","headers":{"user-agent":"curl/7.29.0","host":"localhost:5601","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1"},"res":{"statusCode":302,"responseTime":8,"contentLength":9},"message":"GET /app/kibana 302 8ms - 9.0B"}
{"type":"log","@timestamp":"2019-07-16T18:40:36Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2019-07-16T18:40:37Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:37Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:38Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2019-07-16T18:40:39Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:39Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:41Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2019-07-16T18:40:42Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:42Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:43Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Received Kibana Ops event data"}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","stats-collection"],"pid":1,"message":"Fetching data from kibana_stats collector"}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","stats-collection"],"pid":1,"message":"Fetching data from kibana_settings collector"}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","stats-collection"],"pid":1,"message":"not sending [kibana_settings] monitoring document because [undefined] is null or invalid."}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Uploading bulk stats payload to the local cluster"}
{"type":"log","@timestamp":"2019-07-16T18:40:44Z","tags":["debug","monitoring","kibana-monitoring"],"pid":1,"message":"Uploaded bulk stats payload to the local cluster"}
{"type":"log","@timestamp":"2019-07-16T18:40:45Z","tags":["license","debug","xpack"],"pid":1,"message":"Calling [data] Elasticsearch _xpack API. Polling frequency: 30001"}
{"type":"log","@timestamp":"2019-07-16T18:40:45Z","tags":["debug","legacy-proxy"],"pid":1,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2019-07-16T18:40:45Z","tags":["debug","legacy-service"],"pid":1,"message":"Request will be handled by proxy GET:/app/kibana."}
{"type":"error","@timestamp":"2019-07-16T18:40:45Z","tags":["debug","security","auth","session"],"pid":1,"level":"error","error":{"message":"Unauthorized","name":"Error","stack":"Error: Unauthorized\n    at validate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:153:49)\n    at Object.authenticate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:226:26)\n    at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)\n    at module.exports.internals.Auth.test (/usr/share/kibana/node_modules/hapi/lib/auth.js:92:54)\n    at Session.test [as get] (/usr/share/kibana/x-pack/plugins/security/server/lib/authentication/session.js:42:52)\n    at Authenticator.get [as getSessionValue] (/usr/share/kibana/x-pack/plugins/security/server/lib/authentication/authenticator.js:206:47)\n    at Authenticator.getSessionValue [as authenticate] (/usr/share/kibana/x-pack/plugins/security/server/lib/authentication/authenticator.js:117:44)\n    at Object.authenticate (/usr/share/kibana/x-pack/plugins/security/server/lib/authentication/authenticator.js:229:62)\n    at Object.authenticate (/usr/share/kibana/x-pack/plugins/security/server/lib/auth_redirect.js:28:60)\n    at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)\n    at module.exports.internals.Auth._authenticate (/usr/share/kibana/node_modules/hapi/lib/auth.js:238:58)\n    at authenticate (/usr/share/kibana/node_modules/hapi/lib/auth.js:214:21)\n    at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"message":"Unauthorized"}

michael.russell · July 17, 2019, 8:57am

I just tested out your latest configs (on GKE) and they are working for me with curl and in my browser. Could you give me the output from (replace with the correct helm release names):

helm get elasticsearch
helm get kibana

Did you also try running a curl directly against Kibana? Can you try running this command from inside the Kibana pod:

curl -I -u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD localhost:5601/app/kibana

jstewart_lsa · July 17, 2019, 1:34pm

Well I feel stupid, I figured it out and it's now working.

I used lastpass to auto-gen the elastic password, and apparently you can't have certain characters when creating a k8s secret and using "from-literal". It stripped characters out without me knowing and I was using the password in lastpass when logging in from the browser. Lesson learned!

Sorry for wasting you guys time @michael.russell, @tiagocosta. Your help was really appreciated.

Thanks!

system · August 14, 2019, 1:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.