Elastic search(8.2) and Kibana Authentication Error

Hello All
hope you are doing well I am trying to get Kibana working with Elasticsearch Version 8.2 Here is an issue I am running into and looking fwd to seeking help and advice from a community

Elasticsearch VErsion 8.2 Installed and working fine with Username and Password I have setup
here is my Elasticsearch YML FIle

---------Elasticsearch YML FIle-------------

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:

# node.name: node-1

# Add custom attributes to the node:

# node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#

path:
  data:
  - "E:\\Software\\ElasticSearch\\ElasticSearchData"
  
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# --------------------------------- Readiness ----------------------------------
#
# Enable an unauthenticated TCP readiness endpoint on localhost
#
#readiness.port: 9399
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically      
# generated to configure Elasticsearch security features on 24-06-2022 22:23:05
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true
xpack.security.authc.api_key.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: false
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

  
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["JTSTDSSHAH2"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

---------ROLES YML ---------------

admins:
  cluster:
    - all
  indices:
    - all

-----------USER ROLES --------------

admins:soumil,jacknich,admin


Problem

Kibana is not opening-up

message on browser Kibana server is not ready yet.

Logs ----------

2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 2 in 4 seconds.
[2022-06-25T18:34:55.037-04:00][INFO ][savedobjects-service] [.kibana_task_manager] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 2012ms.
[2022-06-25T18:34:59.042-04:00][ERROR][savedobjects-service] [.kibana_task_manager] Action failed with 'security_exception: [security_exception] Reason: action [indices:admin/create] is unauthorized for user [admin] with roles [admins] on restricted indices [.kibana_task_manager_8.2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 3 in 8 seconds.
[2022-06-25T18:34:59.042-04:00][INFO ][savedobjects-service] [.kibana_task_manager] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 4006ms.
[2022-06-25T18:34:59.044-04:00][ERROR][savedobjects-service] [.kibana] Action failed with 'security_exception: [security_exception] Reason: action [indices:admin/create] is unauthorized for user [admin] with roles [admins] on restricted indices [.kibana_8.2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 3 in 8 seconds.
[2022-06-25T18:34:59.045-04:00][INFO ][savedobjects-service] [.kibana] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 4013ms.
[2022-06-25T18:35:07.054-04:00][ERROR][savedobjects-service] [.kibana_task_manager] Action failed with 'security_exception: [security_exception] Reason: action [indices:admin/create] is unauthorized for user [admin] with roles [admins] on restricted indices [.kibana_task_manager_8.2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 4 in 16 seconds.
[2022-06-25T18:35:07.054-04:00][INFO ][savedobjects-service] [.kibana_task_manager] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 8011ms.
[2022-06-25T18:35:07.057-04:00][ERROR][savedobjects-service] [.kibana] Action failed with 'security_exception: [security_exception] Reason: action [indices:admin/create] is unauthorized for user [admin] with roles [admins] on restricted indices [.kibana_8.2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 4 in 16 seconds.
[2022-06-25T18:35:07.057-04:00][INFO ][savedobjects-service] [.kibana] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 8013ms.
[2022-06-25T18:35:23.068-04:00][ERROR][savedobjects-service] [.kibana_task_manager] Action failed with 'security_exception: [security_exception] Reason: action [indices:admin/create] is unauthorized for user [admin] with roles [admins] on restricted indices [.kibana_task_manager_8.2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 5 in 32 seconds.
[2022-06-25T18:35:23.069-04:00][INFO ][savedobjects-service] [.kibana_task_manager] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 16015ms.
[2022-06-25T18:35:23.070-04:00][ERROR][savedobjects-service] [.kibana] Action failed with 'security_exception: [security_exception] Reason: action [indices:admin/create] is unauthorized for user [admin] with roles [admins] on restricted indices [.kibana_8.2.3_001], this action is granted by the index privileges [create_index,manage,all]'. Retrying attempt 5 in 32 seconds.
[2022-06-25T18:35:23.070-04:00][INFO ][savedobjects-service] [.kibana] CREATE_NEW_TARGET -> CREATE_NEW_TARGET. took: 16013ms.

I have tried almost everything and I didn't get to get this working for some reason here is YML FILE

Kibana YML FIle

# For more configuration options see the configuration guide for Kibana in
# https://www.elastic.co/guide/index.html

# =================== System: Kibana Server ===================
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "localhost"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# Defaults to `false`.
#server.rewriteBasePath: false

# Specifies the public URL at which Kibana is available for end users. If
# `server.basePath` is configured this URL should end with the same basePath.
#server.publicBaseUrl: ""

# The maximum payload size in bytes for incoming server requests.
#server.maxPayload: 1048576

# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"

# =================== System: Kibana Server (Optional) ===================
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# =================== System: Elasticsearch ===================
#The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://localhost:9200"]

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "admin"
elasticsearch.password: "Admin1@345"

# Kibana can also authenticate to Elasticsearch via "service account tokens".
# Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.
# Use this token instead of a username/password.
# elasticsearch.serviceAccountToken: "my_token"

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# The maximum number of sockets that can be used for communications with elasticsearch.
# Defaults to `Infinity`.
#elasticsearch.maxSockets: 1024

# Specifies whether Kibana should use compression for communications with elasticsearch
# Defaults to `false`.
#elasticsearch.compression: false

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000

# =================== System: Elasticsearch (Optional) ===================
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key


# Enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full

# =================== System: Logging ===================
# Set the value of this setting to off to suppress all logging output, or to debug to log everything. Defaults to 'info'
#logging.root.level: debug

# Enables you to specify a file where Kibana stores log output.
#logging.appenders.default:
#  type: file
#  fileName: /var/logs/kibana.log
#  layout:
#    type: json

# Logs queries sent to Elasticsearch.
#logging.loggers:
#  - name: elasticsearch.query
#    level: debug

# Logs http responses.
#logging.loggers:
#  - name: http.server.response
#    level: debug

# Logs system usage information.
#logging.loggers:
#  - name: metrics.ops
#    level: debug
# =================== System: Other ===================
# The path where Kibana stores persistent data not saved in Elasticsearch. Defaults to data
#path.data: data

# Specifies the path where Kibana creates the process ID file.
#pid.file: /run/kibana/kibana.pid

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000ms.
#ops.interval: 5000

# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
#i18n.locale: "en"

# =================== Frequently used (Optional)===================

# =================== Saved Objects: Migrations ===================
# Saved object migrations run at startup. If you run into migration-related issues, you might need to adjust these settings.

# The number of documents migrated at a time.
# If Kibana can't start up or upgrade due to an Elasticsearch `circuit_breaking_exception`,
# use a smaller batchSize value to reduce the memory pressure. Defaults to 1000 objects per batch.
#migrations.batchSize: 1000

# The maximum payload size for indexing batches of upgraded saved objects.
# To avoid migrations failing due to a 413 Request Entity Too Large response from Elasticsearch.
# This value should be lower than or equal to your Elasticsearch cluster’s `http.max_content_length`
# configuration option. Default: 100mb
#migrations.maxBatchSizeBytes: 100mb

# The number of times to retry temporary migration failures. Increase the setting
# if migrations fail frequently with a message such as `Unable to complete the [...] step after
# 15 attempts, terminating`. Defaults to 15
#migrations.retryAttempts: 15

# =================== Search Autocomplete ===================
# Time in milliseconds to wait for autocomplete suggestions from Elasticsearch.
# This value must be a whole number greater than zero. Defaults to 1000ms
#data.autocomplete.valueSuggestions.timeout: 1000

# Maximum number of documents loaded by each shard to generate autocomplete suggestions.
# This value must be a whole number greater than zero. Defaults to 100_000
#data.autocomplete.valueSuggestions.terminateAfter: 100000


Looking forweward for a Help

Regards
Shah

I think that in version 8 you need to explictily allow access to system indices with the setting allow_restricted_indices: true in your role.

But, besides that, in version 8 you should user a service account token instead of a username and password to connect Kibana in Elasticsearch.

Check this page of the documentation. on how to set a service account for Kibana.

roles.YML

admins:
  cluster:
    - all
  indices:
    - all
  cluster_permissions:
    - "cluster:monitor/nodes/info"
    - "cluster:monitor/health"
    - "indices:admin/template/get"
    - "indices:admin/exists"
   

#user roles yml

admins:admin

Tried Built-in Roles

kibana_admin:admin
[2022-06-25T19:19:28.968-04:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-06-25T19:19:28.981-04:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-06-25T19:19:28.999-04:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
[2022-06-25T19:19:29.764-04:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Win32 OS. Automatically enabling Chromium sandbox.
[2022-06-25T19:19:29.812-04:00][INFO ][plugins.screenshotting.chromium] Browser executable: E:\Software\Kibana\kibana-8.2.3\x-pack\plugins\screenshotting\chromium\chrome-win\chrome.exe
[2022-06-25T19:19:29.983-04:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: action [cluster:monitor/nodes/info] is unauthorized for user [admin] with roles [kibana_admin], this action is granted by the cluster privileges [monitor,manage,all]
``


@leandrojmp could you explain which file I need to add this I still have an issue

You need to use allow_restricted_indices: true in your role.

I do not use roles with file based, but according to the documentation you need something like this:

admins:
  cluster:
    - all
  indices:
    - all
      allow_restricted_indices: true
  cluster_permissions:
    - "cluster:monitor/nodes/info"
    - "cluster:monitor/health"
    - "indices:admin/template/get"
    - "indices:admin/exists"

But again, you should not use username and password, the recommendation is to use a service account for kibana, check the linked documentation in the previous post.

I will do the service account later once at least I get username and password stuff working

Here is users_roles

admins:admin,soumil,jacknich

Roles.YML


admins:
  cluster:
    - all
  indices:
    allow_restricted_indices: true
    - names:
        - "*"
      privileges:
        - all

Sample CURL

curl --location --request GET 'http://127.0.0.1:9200/_cat/indices' \
--header 'Authorization: Basic YWRtaW46QWRtaW4xQDM0NQ==' \
--data-raw ''
{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "action [indices:monitor/settings/get] is unauthorized for user [admin] with roles [admins], this action is granted by the index privileges [monitor,view_index_metadata,manage,all]"
            }
        ],
        "type": "security_exception",
        "reason": "action [indices:monitor/settings/get] is unauthorized for user [admin] with roles [admins], this action is granted by the index privileges [monitor,view_index_metadata,manage,all]"
    },
    "status": 403
}

This Works for ELK not Kibana

# The default roles file is empty as the preferred method of defining roles is
# through the API/UI. File based roles are useful in error scenarios when the
# API based roles may not be available.
admins:
  cluster:
    - all
  indices:
    - names:
        - "*"
      privileges:
        - all
devs:
  cluster:
    - manage
  indices:
    - names:
        - "*"
      privileges:
        - write
        - delete
        - create_index
{
  "name" : "JTSTDSSHAH2",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "Eb-1NN1kTMWDhevpqdP58Q",
  "version" : {
    "number" : "8.2.3",
    "build_flavor" : "default",
    "build_type" : "zip",
    "build_hash" : "9905bfb62a3f0b044948376b4f607f70a8a151b4",
    "build_date" : "2022-06-08T22:21:36.455508792Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Kibana

[2022-06-25T19:19:28.968-04:00][WARN ][plugins.actions] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-06-25T19:19:28.981-04:00][WARN ][plugins.alerting] APIs are disabled because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
[2022-06-25T19:19:28.999-04:00][INFO ][plugins.ruleRegistry] Installing common resources shared between all indices
[2022-06-25T19:19:29.764-04:00][INFO ][plugins.screenshotting.config] Chromium sandbox provides an additional layer of protection, and is supported for Win32 OS. Automatically enabling Chromium sandbox.
[2022-06-25T19:19:29.812-04:00][INFO ][plugins.screenshotting.chromium] Browser executable: E:\Software\Kibana\kibana-8.2.3\x-pack\plugins\screenshotting\chromium\chrome-win\chrome.exe
[2022-06-25T19:19:29.983-04:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: action [cluster:monitor/nodes/info] is unauthorized for user [admin] with roles [kibana_admin], this action is granted by the cluster privileges [monitor,manage,all]
``

@leandrojmp please advice
People are having issues 403 when user enables Monitoring with sufficient roles · Issue #38636 · elastic/kibana · GitHub
Please Note I am using latest version of kibana

You should be using either service token or kibana_system user for Kibana to authenticate with Elasticsearch, instead of using custom user with custom user role.

Well Yes i would do that my point here is its didnt work with username and password and hence i am seeking for advice why this is not working @Hendrik_Muhs @hendry.lim

Use the kibana_system user and set a password for that user and then you can use username and password.

i am trying the token approach following steps mentioned here I shall let you know how this goes

its just that I have a personality I cant give up on things if I don't get something I will ask and learn but will get there hehe

Following this article, I have installed elk and got a service token generated for elk now installing kiubana and let's see how this goes

I will loop you in if I get stuck if I do get success I will make a youtube video for the community so others can learn

Here is my channel https://www.youtube.com/channel/UC_eOodxvwS_H7x2uLQa-svw

Following this article, I have installed elk and got a service token generated for elk now installing kiubana and let's see how this goes

When you mentioned elk I believe you were referring to Elasticsearch. It's confusing to say elk when you are referring to Elasticsearch, because elk is Elasticsearch, Logstash, Kibana.

I agree man

hey, guess what?
i got it working man

please check out my channel I have made lot of interesting content for new people who wants to learn Elasticsearch

Here are some links in case if you want to check some amazing content on elk

Thanks @hendry.lim have a nice day man

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.