Error saving Spaces

Hey @rschirin and @Alufolie, I'm seeing the exact same behavior as you.
This might be unrelated, but I'm curious if you have issues opening/editing roles in Kibana?
If I click a role I see the same 403 error for /api/spaces/space as I encounter in the spaces section.

Hey @niklaskurvinen, can you try to do the same also with Management --> Roles --> click on Create Role?

Yeah, same issue with create.

Also I just realized that @Alufolie already mentioned the roles in a previous reply in this thread, so sorry for not reading properly I guess. :slight_smile:

Disabling spaces restored the access to roles again. I created a couple of tmp roles with the Kibana privileges (all) set (as that was the only common denominator I could see on the old roles i.e. it was "none" before).
But after turning spaces on again I still have the same issue with my users that use these new roles, so no luck there.

Hoping that @Brandon_Kobel might be able to share some news on this issue, until then I'll mess around with my environment and share here if I find anything of value.

1 Like

If this issue is related to the upgrade procedure, I will probably try to install every node from scratch :frowning_face:

I have the same problem.
There is no default space and I can't save a space.
I hope that this problem will be solved.

Same problem for user roles, it's the same problem!
Can't edit or add a new user role!!

"error","error":{"message":"Unauthorized","name":"Error","stack":"Error: Unauthorized\n    at validate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:145:49)\n    at Object.authenticate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:210:13)\n    at module.exports.internals.Auth.internals.Auth.test (/usr/share/kibana/node_modules/hapi/lib/auth.js:96:22)\n    at Object.test (/usr/share/kibana/node_modules/hapi/lib/plugin.js:65:64)\n    at resolve (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:56:25)\n    at new Promise (<anonymous>)\n    at Session.get (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:55:12)

Why does it use anonymous??

Can you try to set this in your kibana.yml, and see if you get a different result?

xpack.security.authorization.legacyFallback.enabled: false

Same error

{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","legacy","proxy"],"pid":20361,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","legacy","proxy"],"pid":20361,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["trace","legacy","service"],"pid":20361,"message":"Request will be handled by proxy GET:/api/security/v1/me."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","legacy","proxy"],"pid":20361,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate user request to /api/security/v1/me."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via header."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Authorization header is not presented."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["trace","legacy","service"],"pid":20361,"message":"Request will be handled by proxy GET:/api/spaces/space."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate user request to /api/spaces/space."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via header."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Authorization header is not presented."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Request has been authenticated via state."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["trace","legacy","service"],"pid":20361,"message":"Request will be handled by proxy GET:/api/security/v1/users."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Request has been authenticated via state."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate user request to /api/security/v1/users."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via header."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Authorization header is not presented."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","security","basic"],"pid":20361,"message":"Request has been authenticated via state."}
{"type":"log","@timestamp":"2018-11-26T14:54:17Z","tags":["debug","legacy","proxy"],"pid":20361,"message":"Event is being forwarded: connection"}

Sadly I still get the same response. Trying to create a space or accessing/creating roles fails; a POST request to /api/spaces/space returns {"statusCode":403,"error":"Forbidden"}

{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["debug","legacy","proxy"],"pid":20361,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["trace","legacy","service"],"pid":20361,"message":"Request will be handled by proxy POST:/api/spaces/space."}
{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate user request to /api/spaces/space."}
{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via header."}
{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["debug","security","basic"],"pid":20361,"message":"Authorization header is not presented."}
{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["debug","security","basic"],"pid":20361,"message":"Trying to authenticate via state."}
{"type":"log","@timestamp":"2018-11-26T14:55:30Z","tags":["debug","security","basic"],"pid":20361,"message":"Request has been authenticated via state."}

Thank you both for trying -- I'm trying to eliminate possibilities.

I have a couple questions, and I'm sorry if any of this is repetitive:

  1. What user do you have set in kibana.yml for elasticsearch.username? What roles are granted to this user? If there are custom roles granted, can you list the access that each role grants? Please redact any access to your specific data indices, but leave any system indices (such as .kibana) intact.
  2. Which authentication realms are enabled in Elasticsearch (e.g., native, ldap, saml, etc.)?
  3. Are you using a custom kibana.index setting? The default is .kibana.

Thank you too,
I'm using the elastic superuser with native auth to eliminate possibilities.
The same problem with the kibana user :frowning:
And I'm using the default index .kibana

Interesting, thanks for the info. In your tests, are you also logging into Kibana as the elastic superuser?

This is seemingly random, but is your connection from Kibana to Elasticsearch using a client certificate?

I'm using the elastic superuser to log in.
Tested with a valid CA / cert because I use a load balancer,
then I switched to a local cert and local CA "generated by elastic-cert-util..",
and switched to running without the LB,
Kibana attached directly to ES coordinating nodes.

I can add a new user, but no role and no space ..... :frowning:
I've even tested the new hapi-lib.

Erased all Kibana files .. and did a fresh install, but I still have the same problem in spaces / roles and I think in Canvas ...

In Canvas .... I can create a project but I can't access my index data, I have the same problem.

I think in all Kibana plugins.

{"type":"log","@timestamp":"2018-11-26T16:58:43Z","tags":["debug","legacy","proxy"],"pid":20583,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2018-11-26T16:58:43Z","tags":["trace","legacy","service"],"pid":20583,"message":"Request will be handled by proxy GET:/."}
{"type":"error","@timestamp":"2018-11-26T16:58:43Z","tags":["debug","security","auth","session"],"pid":20583,"level":"error","error":{"message":"Unauthorized","name":"Error","stack":"Error: Unauthorized\n    at validate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:145:49)\n    at Object.authenticate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:210:13)\n    at module.exports.internals.Auth.internals.Auth.test (/usr/share/kibana/node_modules/hapi/lib/auth.js:96:22)\n    at Object.test (/usr/share/kibana/node_modules/hapi/lib/plugin.js:65:64)\n    at resolve (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:56:25)\n    at new Promise (<anonymous>)\n    at Session.get (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:55:12)\n    at Authenticator.authenticate (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/authenticator.js:139:49)\n    at Object.server.expose.request [as authenticate] (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/authenticator.js:281:60)\n    at Object.authenticate (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/auth_redirect.js:30:60)\n    at request._protect.run (/usr/share/kibana/node_modules/hapi/lib/auth.js:324:34)\n    at module.exports.internals.Protect.internals.Protect.run (/usr/share/kibana/node_modules/hapi/lib/protect.js:64:5)\n    at internals.Authenticator.execute (/usr/share/kibana/node_modules/hapi/lib/auth.js:320:30)\n    at internals.Authenticator.authenticate (/usr/share/kibana/node_modules/hapi/lib/auth.js:306:21)\n    at module.exports.internals.Auth.internals.Auth._authenticate (/usr/share/kibana/node_modules/hapi/lib/auth.js:214:19)\n    at internals.Auth.authenticate (/usr/share/kibana/node_modules/hapi/lib/auth.js:202:17)\n    at each (/usr/share/kibana/node_modules/hapi/lib/request.js:384:16)\n    at iterate 
(/usr/share/kibana/node_modules/items/lib/index.js:36:13)\n    at done (/usr/share/kibana/node_modules/items/lib/index.js:28:25)\n    at Hoek.once (/usr/share/kibana/node_modules/hapi/lib/protect.js:52:16)\n    at wrapped (/usr/share/kibana/node_modules/hoek/lib/index.js:879:20)\n    at done (/usr/share/kibana/node_modules/items/lib/index.js:31:25)\n    at Function.wrapped [as _next] (/usr/share/kibana/node_modules/hoek/lib/index.js:879:20)\n    at Function.internals.continue (/usr/share/kibana/node_modules/hapi/lib/reply.js:108:10)\n    at server.ext (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:133:30)\n    at Items.serial (/usr/share/kibana/node_modules/hapi/lib/request.js:403:22)\n    at iterate (/usr/share/kibana/node_modules/items/lib/index.js:36:13)\n    at Object.exports.serial (/usr/share/kibana/node_modules/items/lib/index.js:39:9)"},"message":"Unauthorized"}

Still have the problem .. any idea please? :rofl:

This problem may be solved with Kibana 6.5.2.
I am looking forward to it.

3 Likes

OK, thank you.

I just modified my

/usr/share/kibana/node_modules/x-pack/plugins/spaces/server/lib/check_license.js

adding 'gold' in
const isAnyXpackLicense = xPackInfo.license.isOneOf(['basic', 'gold', 'platinum', 'trial']);

Restarted Kibana and it works!

6 Likes