Enable Xpack on Docker single node, getting "You do not have permission to access the requested page"

I followed the example laid out here. https://github.com/elastic/stack-docs/blob/master/docs/en/getting-started/get-started-docker.asciidoc Had to make a couple of modifications due to only wanting a single node. I will post all of my files below. Something I found odd is the kibana user AND the kibana_system passwords are the same. That could be a bug.

.env

COMPOSE_PROJECT_NAME=es 
CERTS_DIR=/usr/share/elasticsearch/config/certificates 
VERSION=7.10.0

create-certs.yml

version: '2.2'

services:
  create_certs:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: create_certs
    command: >
      bash -c '
        yum install -y -q -e 0 unzip;
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs; 
        fi;
        chown -R 1000:0 /certs
      '
    working_dir: /usr/share/elasticsearch
    volumes: 
      - certs:/certs
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - elastic        

volumes: 
  certs:
    driver: local

networks:
  elastic:
    driver: bridge

docker-compose

version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
      - 9300:9300
    networks:
      - elastic  
  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_URL: http://es01:9200
      ELASTICSEARCH_HOSTS: http://es01:9200
    networks:
      - elastic

volumes:
  data01:
    driver: local
networks:
  elastic:
    driver: bridge

elastic-docker-tls.yml

version: '2.2'

services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"      
      - xpack.license.self_generated.type=trial # <1>
      - xpack.security.enabled=true      
      - xpack.security.http.ssl.enabled=true # <2>
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true # <3>
      - xpack.security.transport.ssl.verification_mode=certificate # <4>
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes: 
      - data01:/usr/share/elasticsearch/data
      - certs:$CERTS_DIR
    ports:
      - 9200:9200
      - 9300:9300
    networks:
      - elastic
      
    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5

  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on: {"es01": {"condition": "service_healthy"}}
    ports:
      - 5601:5601    
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: y1uEDau6bwGzkZgqdKnK
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes: 
      - certs:$CERTS_DIR
    networks:
      - elastic    
volumes:
  data01:
    driver: local
  certs:
    driver: local

networks: 
  elastic:
    driver: bridge    

instances.yml

instances:
  - name: es01
    dns:
      - es01 
      - localhost
    ip:
      - 127.0.0.1

  - name: 'kib01'
    dns: 
      - kib01
      - localhost

commands ran

docker-compose -f create-certs.yml run --rm create_certs
docker-compose -f elastic-docker-tls.yml up -d
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords auto --batch --url https://es01:9200"
docker-compose -f elastic-docker-tls.yml down
copy the password to the ELASTICSEARCH_PASSWORD: y1uEDau6bwGzkZgqdKnK
docker-compose -f elastic-docker-tls.yml up -d

I navigate to https://localhost:5601/ and try to enter the user of kibana and password

Get "You do not have permission to access the requested page"
Thanks for your help :smiley:

Did you use the actual Kibana system user? (username "kibana_system" or "kibana" [deprecated])

It might sound counterintuitive, but this is the account that the Kibana server itself uses to authenticate with Elasticsearch. It intentionally has very limited permissions; you cannot log into Kibana with that account.


Edit: Further information can be found in the docs: https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html

This must be a user who has been assigned Kibana privileges. Kibana server credentials should only be used internally by the Kibana server.


If that's the case, try logging in with the "elastic" superuser so you can make yourself a regular account to use in the future =)
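
One way to act on the advice above, as an added example that is not part of the thread or of Elastic's documentation: take the `elastic` password from the `elasticsearch-setup-passwords auto --batch` output and use it to create a regular login account with the built-in `kibana_admin` role. The function names, the sample output and its passwords are constructed; the `PASSWORD <user> = <value>` line format and the `es01` container and certificate path from the files above are assumptions.

```shell
#!/usr/bin/env bash
# Added example: names below (functions, SAMPLE_OUTPUT) are constructed.
CERTS_DIR="${CERTS_DIR:-/usr/share/elasticsearch/config/certificates}"  # value from .env

# Built-in accounts that Kibana, Logstash, Beats and APM use to reach
# Elasticsearch. They are not meant for logging in to the Kibana UI.
is_service_account() {
  case "$1" in
    kibana|kibana_system|logstash_system|beats_system|apm_system|remote_monitoring_user) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `elasticsearch-setup-passwords auto --batch` output on stdin and
# print the password of user $1 (assumed line format: PASSWORD <user> = <pw>).
password_for() {
  awk -v u="$1" '$1 == "PASSWORD" && $2 == u { print $4 }'
}

# Escape backslashes and double quotes (valid for JSON and curl config strings).
esc() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# JSON body for POST /_security/user/<name>: a login user with kibana_admin.
user_body() { printf '{"password":"%s","roles":["kibana_admin"]}' "$(esc "$1")"; }

# create_login_user NEW_USER NEW_PASSWORD ELASTIC_PASSWORD
# Secrets go to curl through a config on stdin (-K -), not through argv.
create_login_user() {
  if is_service_account "$1"; then
    echo "refusing: $1 is a reserved service account" >&2
    return 1
  fi
  {
    printf 'user = "elastic:%s"\n' "$(esc "$3")"
    printf 'data = "%s"\n' "$(esc "$(user_body "$2")")"
  } | docker exec -i es01 curl -sS -K - --cacert "$CERTS_DIR/ca/ca.crt" \
        -H 'Content-Type: application/json' \
        "https://es01:9200/_security/user/$1"
}

# Constructed sample of the setup-passwords output (not real credentials).
SAMPLE_OUTPUT='Changed password for user kibana_system
PASSWORD kibana_system = sample-kibana-pw

Changed password for user kibana
PASSWORD kibana = sample-kibana-pw

Changed password for user elastic
PASSWORD elastic = sample-elastic-pw'
```

With the real output saved to a file, `password_for elastic < that-file` supplies the third argument of `create_login_user`, and the new account is the one to use at the Kibana login page.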

Hey @cwobuzz,

In addition to what Joe said, I'll add the following:

"Something I found odd is the kibana user AND the kibana_system passwords are the same. That could be a bug"

This is actually expected. The kibana user has been deprecated in favor of the kibana_system user: they are interchangeable for the remainder of 7.x, but the kibana user will be removed in 8.0.

I can't believe I wasted so much time on troubleshooting when it was just the user name. I am going to get some whiskey and rethink my life.

It happens sometimes! I'm glad that your issue had a simple solution =)