Canvas doesn't works with SearchGuard

Hello,

I have installed ELK stack with version 6.3.0 and I also install Canvas plugin in Kibana. But it seems does not works because there is authentication issues when Canvas create request to Elasticsearch. I am uses SearchGuard for authentication instead of X-Pack security.

Below is my installation details:

1. Elasticsearch
    Version: 6.3.0
    Plugins: - search-guard-6

2. Kibana
    Version: 6.3.0
    Plugins: - canvas@0.1.2015
             - searchguard@6.3.0-13

And here is kibana log output:

common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{"_source":,"query":{"bool":{"must":[{"query_string":{"query":"-_index:.kibana"}}]}},"size":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Search Guard""}
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
status: 401,
displayName: 'AuthenticationException',
message: 'Authentication Exception',
path: '/xxx/_search',
query: {},
body: 'Unauthorized',
statusCode: 401,
response: 'Unauthorized',
wwwAuthenticateDirective: 'Basic realm="Search Guard"',
toString: [Function],
toJSON: [Function],
isBoom: true,
isServer: false,
data: null,
output:
{ statusCode: 401,
payload:
{ statusCode: 401,
error: 'Unauthorized',
message: 'Authentication Exception' },
headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/xxx/_search","query":{},"body":"{"_source":,"query":{"bool":{"must":[{"query_string":{"query":"-_index:.kibana"}}]}},"size":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Search Guard""}
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
status: 401,
displayName: 'AuthenticationException',
message: 'Authentication Exception',
path: '/xxx/_search',
query: {},
body: 'Unauthorized',
statusCode: 401,
response: 'Unauthorized',
wwwAuthenticateDirective: 'Basic realm="Search Guard"',
toString: [Function],
toJSON: [Function],
isBoom: true,
isServer: false,
data: null,
output:
{ statusCode: 401,
payload:
{ statusCode: 401,
error: 'Unauthorized',
message: 'Authentication Exception' },
headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/xxx/_search","query":{},"body":"{"_source":,"query":{"bool":{"must":[{"query_string":{"query":"-_index:.kibana"}}]}},"size":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Search Guard""}
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
status: 401,
displayName: 'AuthenticationException',
message: 'Authentication Exception',
path: '/xxx/_search',
query: {},
body: 'Unauthorized',
statusCode: 401,
response: 'Unauthorized',
wwwAuthenticateDirective: 'Basic realm="Search Guard"',
toString: [Function],
toJSON: [Function],
isBoom: true,
isServer: false,
data: null,
output:
{ statusCode: 401,
payload:
{ statusCode: 401,
error: 'Unauthorized',
message: 'Authentication Exception' },
headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
reformat: [Function] }

How I can solve this issue? Any suggestions?

Thank you

Finally, I found temporary solution for this issue by myself.

I am editing file /plugins/canvas/server/routes/socket.js in line 37:
if (server.plugins.security) request.headers.authorization = authHeader;
to:
request.headers.authorization = "Basic <HASHED_USER_PASS>";

The <HASHED_USER_PASS> is SearchGuard Username:SearchGuard Password encoded with Base64.

I know that my solution maybe not the best solution and need to be improved but I hope it can help other users with the same issue.

Thanks.

Glad you worked out your issue and thanks so much for posting your solution. As you say, it might help someone else with the same problem.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.