Kibana enable cors

I have kibana 5.6 and I am unable to enable cors. I've read next thread and found that I needserver.cors : true or server.cors.origin: ['*'] setting in kibana .yml config. If I use server.cors : true option, I have response allow origin header equal to kibana host. If I try other option kibana fails. In logs I see that it expects server.cors : true option in config. I know that kibana can be started in prod or dev mode. It looks like it starts by default in dev mode and expects true config value, but not use it correctly if I specify it. How can I specify prod mode for kibana ? NODE_ENV="production" not works for me. Are there any mistakes from my side? Thanks

The Joi schema seems to only define the defaults, and doesn't insist on data type, so the value shouldn't need to be boolean. Even so, it's only setting the default, so if you configure any value, it will use the value you provide.

The configuration is passed directly into Hapi, and the docs say:

CORS headers are disabled by default (false). To enable, set cors to true, or to an object with the following options: [OBJECT DEFINITION]

As you can see in the source, In "dev mode", this is set to an object, with the origin value of *://localhost:9876. This isn't really what you want though, it's simply used for our test runner.

You say that "In logs I see that it expects server.cors : true option in config."... what logs are you talking about? Error logs when you try to start up Kibana? Can you share those logs? It might be helpful to help figure this out.

I was able to start kibana locally from source code (this time on windows). With setting server.cors.origin I get same error (last time I got same error on unix)

$ sh ./bin/kibana
FATAL { ValidationError: child "server" fails because [child "cors" fails because ["cors" must be a boolean]]
    at Object.exports.process (C:\projects\kibana\node_modules\joi\lib\errors.js:181:19)
    at _validateWithOptions (C:\projects\kibana\node_modules\joi\lib\any.js:651:31)
    at root.validate (C:\projects\kibana\node_modules\joi\lib\index.js:121:23)
    at Config._commit (C:/projects/kibana/src/server/config/config.js:101:25)
    at Config.set (C:/projects/kibana/src/server/config/config.js:69:10)
    at Config.extendSchema (C:/projects/kibana/src/server/config/config.js:42:10)
    at _lodash2.default.each.child (C:/projects/kibana/src/server/config/config.js:31:14)
    at arrayEach (C:\projects\kibana\node_modules\lodash\index.js:1289:13)
    at Function.<anonymous> (C:\projects\kibana\node_modules\lodash\index.js:3345:13)
    at Config.extendSchema (C:/projects/kibana/src/server/config/config.js:30:16)
    at new Config (C:/projects/kibana/src/server/config/config.js:21:10)
    at Function.withDefaultSchema (C:/projects/kibana/src/server/config/config.js:14:12)
    at KbnServer.module.exports (C:/projects/kibana/src/server/config/setup.js:6:29)
    at C:/projects/kibana/src/server/kbn_server.js:94:16
    at (native)
    at step (C:/projects/kibana/src/server/kbn_server.js:22:1)
  isJoi: true,
  name: 'ValidationError',
   [ { message: '"cors" must be a boolean',
       path: 'server.cors',
       type: 'boolean.base',
       context: [Object] } ],
   { pkg:
      { version: '5.6.8',
        branch: '5.6',
        buildNum: 8467,
        buildSha: '6cb7fec4e154faa0a4a3fee4b33dfef91b9870d9' },
     dev: { basePathProxyTarget: 5603 },
     pid: { exclusive: false },
     cpu: undefined,
     cpuacct: undefined,
     server: { cors: [Object] } },
  annotate: [Function] }

I think if I start kibana like this $ sh ./bin/kibana it starts in prod mode

Alright, I apologize for misreading the Joi schema earlier. When in prod mode, the setting must be a boolean, meaning you either get no CORS support, or the origin becomes *. Neither is ideal.

There's a new issue about being able to configure CORS in Kibana, which is what you'll want to watch. We're also undergoing a huge refactor of the Kibana API, and it's possible this configuration won't be available until that is completed. It might be though, and either way, discussion about it will happen in that issue, or at least be linked to it.

Changing the configuration is simple enough, but it's completely untested, so it's not something we can do without making sure it actually works the way we expect it to.

At this point, the only option, aside from running in dev mode (which you probably shouldn't do on a production server) is to create your own build, basically changing the line in to otherwise: Joi.any().default(false), so that it doesn't enforce a boolean value, but still defaults to false when not set. You could also remove that line entirely and it should do the same thing. There's probably a way to make it only accept boolean or an object, but I don't know Joi well enough to figure out how to make it take multiple types with a default value.

I can confirm this not works

 cors: Joi.when('$dev', {
      is: true,
      then: Joi.boolean().default(true),
      otherwise: Joi.boolean().default(true)

I will watch the issue, or, may be I will use nginx to add header

The problem is the Joi.boolean() line. That enforces a boolean value, but you want an object in there so that you can set a custom origin.

Joi.object() or Joi.any() would work.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.