Canvas doesn't works with SearchGuard


(Hendro Wibowo) #1

Hello,

I have installed ELK stack with version 6.3.0 and I also install Canvas plugin in Kibana. But it seems does not works because there is authentication issues when Canvas create request to Elasticsearch. I am uses SearchGuard for authentication instead of X-Pack security.

Below is my installation details:

1. Elasticsearch
    Version: 6.3.0
    Plugins: - search-guard-6

2. Kibana
    Version: 6.3.0
    Plugins: - canvas@0.1.2015
             - searchguard@6.3.0-13

And here is kibana log output:

common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{"_source":[],"query":{"bool":{"must":[{"query_string":{"query":"-_index:.kibana"}}]}},"size":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Search Guard""}
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
status: 401,
displayName: 'AuthenticationException',
message: 'Authentication Exception',
path: '/xxx/_search',
query: {},
body: 'Unauthorized',
statusCode: 401,
response: 'Unauthorized',
wwwAuthenticateDirective: 'Basic realm="Search Guard"',
toString: [Function],
toJSON: [Function],
isBoom: true,
isServer: false,
data: null,
output:
{ statusCode: 401,
payload:
{ statusCode: 401,
error: 'Unauthorized',
message: 'Authentication Exception' },
headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/xxx/_search","query":{},"body":"{"_source":[],"query":{"bool":{"must":[{"query_string":{"query":"-_index:.kibana"}}]}},"size":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Search Guard""}
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
status: 401,
displayName: 'AuthenticationException',
message: 'Authentication Exception',
path: '/xxx/_search',
query: {},
body: 'Unauthorized',
statusCode: 401,
response: 'Unauthorized',
wwwAuthenticateDirective: 'Basic realm="Search Guard"',
toString: [Function],
toJSON: [Function],
isBoom: true,
isServer: false,
data: null,
output:
{ statusCode: 401,
payload:
{ statusCode: 401,
error: 'Unauthorized',
message: 'Authentication Exception' },
headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/xxx/_search","query":{},"body":"{"_source":[],"query":{"bool":{"must":[{"query_string":{"query":"-_index:.kibana"}}]}},"size":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Search Guard""}
at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
at HttpConnector. (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
status: 401,
displayName: 'AuthenticationException',
message: 'Authentication Exception',
path: '/xxx/_search',
query: {},
body: 'Unauthorized',
statusCode: 401,
response: 'Unauthorized',
wwwAuthenticateDirective: 'Basic realm="Search Guard"',
toString: [Function],
toJSON: [Function],
isBoom: true,
isServer: false,
data: null,
output:
{ statusCode: 401,
payload:
{ statusCode: 401,
error: 'Unauthorized',
message: 'Authentication Exception' },
headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
reformat: [Function] }

How I can solve this issue? Any suggestions?

Thank you


(Hendro Wibowo) #2

Finally, I found temporary solution for this issue by myself.

I am editing file /plugins/canvas/server/routes/socket.js in line 37:
if (server.plugins.security) request.headers.authorization = authHeader;
to:
request.headers.authorization = "Basic <HASHED_USER_PASS>";

The <HASHED_USER_PASS> is SearchGuard Username:SearchGuard Password encoded with Base64.

I know that my solution maybe not the best solution and need to be improved but I hope it can help other users with the same issue.

Thanks.


(Bill McConaghy) #3

Glad you worked out your issue and thanks so much for posting your solution. As you say, it might help someone else with the same problem.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.