Kibana error [ FATAL Error: [config validation of [elasticsearch].username]: value of "elastic" is forbidden.]

I had upgraded to version 8.0. My ELK stack is a POC (proof of concept) for now, so it's on HTTP and xpack features are disabled.

I found this in the error log line

Feb 22 21:13:37 dev-elk-app01 kibana[23561]:  FATAL  Error: [config validation of [elasticsearch].username]: value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to function. Use a service account token instead. Learn more: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/service-accounts.html
Feb 22 21:13:37 dev-elk-app01 systemd[1]: kibana.service: Main process exited, code=exited, status=78/n/a
Feb 22 21:13:37 dev-elk-app01 systemd[1]: kibana.service: Failed with result 'exit-code'.

Should I still run the command below on my Elasticsearch host? Or is there a workaround for HTTP ones?

 curl -X POST "172.26.207.179:9200/_security/service/elastic/kibana/credential/token/token1?pretty"

Did you check out Service accounts | Elasticsearch Guide [8.0] | Elastic as it mentions?

I did look at it. I read that Kibana now has authentication enabled by default. I wanted to know if I need to enable HTTPS/auth on my Kibana, since my stack on 7.17 was on HTTP.

I will try it now and report back

I have a similar situation here. On startup Kibana says

FATAL Error: [config validation of [elasticsearch].username]: value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to function. Use a service account token instead. Learn more: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/service-accounts.html

Strangely however, this value is not defined in kibana.yml:

$ grep username config/kibana.yml
# the username and password that the Kibana server uses to perform maintenance on the Kibana
#elasticsearch.username: ${elasticsearch.username}

Instead I'm using a service token:

#elasticsearch.username: ${elasticsearch.username}
#elasticsearch.password: ${elasticsearch.password}
elasticsearch.serviceAccountToken: "edited"

After creating the token I got this result

{
  "created" : true,
  "token" : {
    "name" : "token_E1iT534Bm30JRve8bsYA",
    "value" : "edited"
  }
}

I ran a test request

curl -H "Authorization: Bearer edited" "https://$(hostname -f):9200/_security/_authenticate?pretty"

and got

{
  "username" : "elastic/kibana",
  "roles" : [ ],
  "full_name" : "Service account - elastic/kibana",
  "email" : null,
  "token" : {
    "name" : "token_E1iT534Bm30JRve8bsYA",
    "type" : "_service_account_index"
  },
  "metadata" : {
    "_elastic_service_account" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "_service_account",
    "type" : "_service_account"
  },
  "lookup_realm" : {
    "name" : "_service_account",
    "type" : "_service_account"
  },
  "authentication_type" : "token"
}

I created the service token via the CLI tool

root@dev-elk-app03:/usr/share/elasticsearch/bin# /usr/share/elasticsearch/bin/elasticsearch-service-tokens create elastic/kibana devdashboard
SERVICE_TOKEN elastic/kibana/devdashboard = AAEAAWVsYXN0aWMva2liYW5hL25leHVzOnlTYzFwalloUUk2NVcxNHlnYmphdGc

and I still get the same error. Note: my setup is on HTTP.

As per Service accounts | Elasticsearch Guide [8.0] | Elastic, it says "Service accounts currently do not support basic authentication."

Does this require HTTPS?

I tried to authenticate; that didn't work either

root@dev-elk-app01:/u0/sn# curl -H "Authorization: Bearer  AAEAAWVsYXN0aWMva2liYW5hL25leHVzOnlTYzFwalloUUk2NVcxNHlnYnghdGc" http://172.26.207.169:9200/_security/_authenticate?pretty
{
  "error" : "Incorrect HTTP method for uri [/_security/_authenticate?pretty] and method [GET], allowed: [POST]",
  "status" : 405
}
root@dev-elk-app01:/u0/sn#

I reinstalled Elasticsearch and this time the service account succeeded

< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 506
< 
{
  "username" : "elastic/kibana",
  "roles" : [ ],
  "full_name" : "Service account - elastic/kibana",
  "email" : null,
  "token" : {
    "type" : "_service_account_file",
    "name" : "devdashboard"
  },
  "metadata" : {
    "_elastic_service_account" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "_service_account",
    "type" : "_service_account"
  },
  "lookup_realm" : {
    "name" : "_service_account",
    "type" : "_service_account"
  },
  "authentication_type" : "token"
}

but I still see the error in the Kibana logs

Feb 23 09:08:12 dev-elk-app01 kibana[1145]:     at bootstrap (/usr/share/kibana/src/core/server/bootstrap.js:99:9)
Feb 23 09:08:12 dev-elk-app01 kibana[1145]:     at Command.<anonymous> (/usr/share/kibana/src/cli/serve/serve.js:216:5)
Feb 23 09:08:12 dev-elk-app01 kibana[1145]:  FATAL  Error: [config validation of [elasticsearch].username]: value of "elastic" is forbidden. This is a superuser account that cannot write to system indices that Kibana needs to function. Use a service account token instead. Learn more: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/service-accounts.html
Feb 23 09:08:12 dev-elk-app01 systemd[1]: kibana.service: Main process exited, code=exited, status=78/n/a
Feb 23 09:08:12 dev-elk-app01 systemd[1]: kibana.service: Failed with result 'exit-code'.

Okay, so after hours of service restarts, I decided to re-install Kibana 8.0.

So, with plain config:

root@dev-elk-app01:~#  service kibana status
● kibana.service - Kibana
   Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-02-23 09:59:41 UTC; 43s ago
     Docs: https://www.elastic.co
 Main PID: 4419 (node)
    Tasks: 11 (limit: 4915)
   CGroup: /system.slice/kibana.service
           └─4419 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist

Feb 23 09:59:41 dev-elk-app01 systemd[1]: Started Kibana.
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: [2022-02-23T09:59:50.258+00:00][INFO ][plugins-service] Plugin "metricsEntities" is disabled.
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: [2022-02-23T09:59:50.326+00:00][INFO ][http.server.Preboot] http server running at http://localhost:5601
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: [2022-02-23T09:59:50.361+00:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [interactiveSetup]
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: [2022-02-23T09:59:50.363+00:00][INFO ][preboot] "interactiveSetup" plugin is holding setup: Validating Elasticsearch connection 
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: [2022-02-23T09:59:50.396+00:00][INFO ][root] Holding setup until preboot stage is completed.
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: i Kibana has not been configured.
Feb 23 09:59:50 dev-elk-app01 kibana[4419]: Go to http://localhost:5601/?code=697593 to get started.

It seems to direct the user to localhost:5601 to input the enrollment token in the machine that runs Elasticsearch

 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

The above command creates the token that can be used as an input when we navigate to

http://localhost:5601/?code=697593

After which Elasticsearch autoconfigures itself and we can log in to Kibana.
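
Added example, not from any poster in this thread or from Elastic: a Python pre-flight check for the failure discussed above. It scans kibana.yml text for an active `elasticsearch.username: elastic` and confirms that an `_security/_authenticate` response belongs to the `elastic/kibana` service account. The function names and sample inputs are constructed, and only flat dotted keys (not nested YAML or `${...}` substitutions) are handled.

```python
import json
import re

# Constructed sample inputs modelled on the thread's snippets (not real files).
SAMPLE_KIBANA_YML = '''\
#elasticsearch.username: ${elasticsearch.username}
elasticsearch.username: "elastic"   # constructed: carried over from an older setup
elasticsearch.password: "changeme"
'''
SAMPLE_AUTH_RESPONSE = '''{"username": "elastic/kibana", "enabled": true,
 "token": {"type": "_service_account_file", "name": "devdashboard"},
 "metadata": {"_elastic_service_account": true},
 "authentication_type": "token"}'''

SETTING = re.compile(r'^\s*(elasticsearch\.[A-Za-z.]+)\s*:\s*(.*?)\s*$')

def active_settings(yml_text):
    """Return uncommented flat 'elasticsearch.*: value' lines as a dict."""
    found = {}
    for line in yml_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are ignored by Kibana
        m = SETTING.match(line)
        if m:
            value = re.sub(r'\s+#.*$', '', m.group(2))  # drop trailing comment
            found[m.group(1)] = value.strip("\"'")
    return found

def check_kibana_yml(yml_text):
    """List credential findings relevant to the Kibana 8.0 startup error."""
    s = active_settings(yml_text)
    findings = []
    if s.get("elasticsearch.username") == "elastic":
        findings.append('elasticsearch.username is "elastic" (forbidden in 8.0)')
    if "elasticsearch.username" in s and "elasticsearch.serviceAccountToken" in s:
        # The token is an alternative to username/password, not an addition.
        findings.append("both username and serviceAccountToken are active")
    return findings

def is_kibana_service_account(auth_json):
    """True if an _authenticate response is the elastic/kibana service account."""
    r = json.loads(auth_json)
    return (r.get("username") == "elastic/kibana"
            and r.get("enabled") is True
            and r.get("authentication_type") == "token"
            and r.get("metadata", {}).get("_elastic_service_account") is True)
```

An empty result from `check_kibana_yml` while Kibana still logs the FATAL error means the `elastic` username is reaching Kibana from somewhere other than this file, for example the Kibana keystore.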
