Kibana not starting for enabling AD security

Dear All,
I recently enabled Elasticsearch with AD with X-Pack and am able to authenticate successfully via curl command. Kibana is not starting up properly; any help will be appreciated. My intention is to have Kibana secured with AD.

{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","root"],"pid":10664,"message":"setting up root"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","server"],"pid":10664,"message":"setting up server"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","http"],"pid":10664,"message":"starting NotReady server"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","http","server","Kibana"],"pid":10664,"message":"registering route handler for [/core]"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","elasticsearch-service"],"pid":10664,"message":"Setting up elasticsearch service"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","elasticsearch-service"],"pid":10664,"message":"Creating elasticsearch clients"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-service"],"pid":10664,"message":"Setting up plugins service"}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-discovery"],"pid":10664,"message":"Discovering plugins..."}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-discovery"],"pid":10664,"message":"Scanning \"/usr/share/kibana/src/plugins\" for plugin sub-directories..."}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-discovery"],"pid":10664,"message":"Scanning \"/usr/share/kibana/x-pack/plugins\" for plugin sub-directories..."}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-discovery"],"pid":10664,"message":"Scanning \"/usr/share/kibana/plugins\" for plugin sub-directories..."}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-discovery"],"pid":10664,"message":"Scanning \"/usr/share/kibana-extra\" for plugin sub-directories..."}
{"type":"log","@timestamp":"2019-09-12T18:35:13Z","tags":["debug","plugins-discovery"],"pid":10664,"message":"Successfully discovered plugin \"translations\" at \"/usr/share/kibana/x-pack/plugins/translations\""}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","plugins","translations"],"pid":10664,"message":"\"/usr/share/kibana/x-pack/plugins/translations/server\" does not export \"config\"."}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","plugins-service"],"pid":10664,"message":"Discovered 1 plugins."}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["info","plugins-system"],"pid":10664,"message":"Setting up [1] plugins: [translations]"}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","plugins-system"],"pid":10664,"message":"Setting up plugin \"translations\"..."}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","plugins","translations"],"pid":10664,"message":"Initializing plugin"}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["info","plugins","translations"],"pid":10664,"message":"Setting up plugin"}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","root"],"pid":10664,"message":"starting root"}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","plugins-service"],"pid":10664,"message":"Plugins service starts plugins"}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["info","plugins-system"],"pid":10664,"message":"Starting [1] plugins: [translations]"}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","plugins-system"],"pid":10664,"message":"Starting plugin \"translations\"..."}
{"type":"log","@timestamp":"2019-09-12T18:35:14Z","tags":["debug","legacy-service"],"pid":10664,"message":"starting legacy service"}
{"type":"log","@timestamp":"2019-09-12T18:35:17Z","tags":["plugin","debug"],"pid":10664,"path":"/usr/share/kibana/x-pack","message":"Found plugin at /usr/share/kibana/x-pack"}
{"type":"log","@timestamp":"2019-09-12T18:35:17Z","tags":["plugin","debug"],"pid":10664,"path":"/usr/share/kibana/src/legacy/core_plugins/apm_oss","message":"Found plugin at /usr/share/kibana/src/legacy/core_plugins/apm_oss"}
{"type":"log","@timestamp":"2019-09-12T18:35:17Z","tags":["debug","root"],"pid":10664,"message":"shutting root down"}

Another thing I noticed is that the '.security' index is also not present/available. I am not sure whether it had been created initially when ES was enabled for security.

[2019-09-13T04:21:22,099][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [eshost] The security index is not yet available - no role mappings can be loaded
[2019-09-13T04:21:22,100][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [eshost] Security Index [.security] [exists: false] [available: false] [mapping up to date: true]

I doubt this has anything to do with Active Directory in Elasticsearch, but please share your kibana.yml configuration with us. Is the above all you can see in the kibana logs?

Yes, these are the logs getting repeated.

server.port: 8882
server.host: "eshost"
server.name: "eshost"
elasticsearch.hosts: ["http://eshost:9200"]
kibana.index: ".kibana"
kibana.defaultAppId: "discover"
logging.dest: /var/log/kibana.log
logging.verbose: true
xpack.security.enabled: true
xpack.security.audit.enabled: true

Kibana doesn't have support for AD authentication yet, so you still need to have native realm users specified in your kibana.yml as your ES username and password. Is that the case for you?

OK, I do not know about its limitations yet. Yes, I have my Elasticsearch integrated with AD.
So what changes are required to get Kibana to follow a similar pattern, so that only ELKadmins have admin access to the entire cluster, and different groups and users have access to their respective indices, where some users/groups have full control of their index and some users have read-only access?

Do you mean that the user with which ES was integrated should be mentioned in kibana.yml as well as in the Kibana keystore? Secondly, I am using a keystore in ES, so in that case how do I mention the keystore in kibana.yml?

Please note: since my Kibana is not up, I need to make changes in config files only.

The first answer here is still valid for 7.x regarding AD and Kibana: Kibana 5.3.0 Active Directory authentication

You need to set up the passwords of the built-in users **; the kibana user is one of them.

Once you have set the password for it, then you would add

elasticsearch.username: kibana 
elasticsearch.password: thepasswordyousethere

in kibana.yml and start it again.

** Doing so will also automatically create the .security index, as we discussed in the other post.

But these steps are for local user authentication only, right? If I want to use custom user accounts and we have those in AD, then how do I give every individual access to Kibana dashboards? Consider I have 50 users.

One more question clicked here: are all these account names mentioned in the link that you posted service accounts? And should they also be created in AD as is?

  1. If I want to use the keystore, then how do I mention it here?
  2. In the previous response by 'marius_dragomir':

When he refers to 'native realm', does it mean a service account name such as 'elastic', 'kibana', 'logstash_user', etc., or the one who is authorized to tie a knot in AD with Elasticsearch, like the account we used for Elasticsearch that is present in AD as administrator?

I do have several other questions revolving around these; should I ask?

Starting off, I think you will find our documentation very helpful. Most of your questions can be answered with information from there, and this will also enhance your understanding of how and why things are set up in a certain way. You can search on www.elastic.co for any topic that you want to learn more about!

> But these steps are for local user authentication only, right?

These are built-in users, which are kind of special local users, not users of the native realm. Our documentation covers both in detail; please read through https://www.elastic.co/guide/en/elastic-stack-overview/current/setting-up-authentication.html

You need to configure at least one so that Kibana can communicate with Elasticsearch; this user is the kibana user.

> If I want to use custom user accounts and we have those in AD, then how do I give every individual access to Kibana dashboards? Consider I have 50 users.

You would need to give the users the necessary roles. Read through https://www.elastic.co/guide/en/kibana/current/xpack-security-authorization.html. When you have the roles ready, you can assign the roles to users in your roles.yml file that you already have.

> One more question clicked here: are all these account names mentioned in the link that you posted service accounts? And should they also be created in AD as is?

No, these are built-in users, they exist in Elasticsearch; you don't need to create them in AD.

> If I want to use the keystore, then how do I mention it here?

https://www.elastic.co/guide/en/kibana/current/secure-settings.html

I think he meant to say reserved realm == builtin users

You can ask here, or ask your support engineer if you have a subscription. People in this forum will try to answer when we have time, but it's on a best-effort basis!
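
The configuration gap discussed in this thread (no `elasticsearch.username`/`elasticsearch.password` in the posted kibana.yml, and the later question about using the keystore instead), as an added example that is not part of any post: a small check over a flat kibana.yml. It assumes Elasticsearch has security enabled as in the thread and that `keystore_keys` holds the setting names reported by `kibana-keystore list`; the function names and finding codes are hypothetical.

```python
# Added example, not code from the thread. Finding codes are hypothetical labels.

# Constructed sample: ES-related lines of the kibana.yml posted in the thread.
POSTED = """\
server.port: 8882
server.host: "eshost"
elasticsearch.hosts: ["http://eshost:9200"]
xpack.security.enabled: true
"""

# Constructed sample: the same file after adding the two lines from the answer.
WITH_PLAINTEXT = POSTED + """\
elasticsearch.username: kibana
elasticsearch.password: thepasswordyousethere
"""


def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines as used in kibana.yml (not general YAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings, keystore_keys=()):
    """Check how Kibana authenticates to a security-enabled Elasticsearch (assumed)."""
    def have(key):
        return key in settings or key in keystore_keys

    findings = []
    has_creds = have("elasticsearch.username") and have("elasticsearch.password")
    if not has_creds:
        findings.append("MISSING_ES_CREDENTIALS")  # Kibana cannot log in to ES
    if "elasticsearch.password" in settings:
        findings.append("PLAINTEXT_PASSWORD_IN_YML")  # move it to the keystore
    if has_creds and "http://" in settings.get("elasticsearch.hosts", ""):
        findings.append("CREDENTIALS_OVER_HTTP")  # basic auth sent without TLS
    return findings


if __name__ == "__main__":
    secrets = {"elasticsearch.username", "elasticsearch.password"}
    print(audit(parse_flat_yaml(POSTED)))
    print(audit(parse_flat_yaml(WITH_PLAINTEXT)))
    print(audit(parse_flat_yaml(POSTED), keystore_keys=secrets))
```

Moving both settings into the keystore clears the plaintext finding, but the `http://` host entry still leaves the built-in user's password travelling unencrypted between Kibana and Elasticsearch.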