Kibana OSS ERROR: missing authentication credentials for REST request

Hello,

I have the problem that I can’t use Kibana OSS if my Elasticsearch is protected with basic authentication. I wanted to use the Kibana OSS version and figured out that in version 7.6.2 it was still working but with 7.7.0 and higher I get an error message:

kibana[85674]: {"type":"log","@timestamp":"2020-07-28T06:03:29Z","tags":["error","http"],"pid":85674,"message":"{ [security_exception] missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } :: {\"path\":\"/.kibana/_doc/config%3A7.7.0\",\"query\":{},\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:349:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:306:7)\n at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n at IncomingMessage.emit (events.js:203:15)\n at endReadableNT (_stream_readable.js:1145:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)\n status: 401,\n displayName: 'AuthenticationException',\n message:\n '[security_exception] missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0], with { header={ WWW-Authenticate=\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\" } }',\n path: '/.kibana/_doc/config%3A7.7.0',\n query: {},\n body:\n { error:\n { root_cause: [Array],\n type: 'security_exception',\n reason:\n 'missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]',\n header: [Object] },\n status: 401 },\n statusCode: 401,\n response:\n '{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\"}}],\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\"}},\"status\":401}',\n wwwAuthenticateDirective: 'Basic realm=\"security\" charset=\"UTF-8\"',\n toString: [Function],\n toJSON: [Function],\n isBoom: true,\n isServer: false,\n data: null,\n output:\n { statusCode: 401,\n payload:\n { statusCode: 401,\n error: 'Unauthorized',\n message:\n '[security_exception] missing authentication credentials for REST request [/.kibana/_doc/config%3A7.7.0], with { header={ WWW-Authenticate=\"Basic realm=\\\\\"security\\\\\" charset=\\\\\"UTF-8\\\\\"\" } }' },\n headers:\n { 'WWW-Authenticate': 'Basic realm=\"security\" charset=\"UTF-8\"' } },\n reformat: [Function],\n [Symbol(ElasticsearchError)]: 'Elasticsearch/notAuthorized',\n [Symbol(SavedObjectsClientErrorCode)]: 'SavedObjectsClient/notAuthorized' }"}

After that I tried the “normal” Kibana release and it works fine.
Do I miss anything? I looked in to the release notes but didn’t find anything.

Logstash-Version: 7.8.0
Elasticsearch-Version: 7.8.0

User authentication is only available in the default distribution. You should always run the default distributions of Kibana and Elasticsearch, and not mix the two.

I don't know if I understand you correctly, do you mean it is not supported in the Kibana OSS release?

Because I thought the Kibana OSS release is like the Kibana release out of the repro but with only the open source code and without the non-free features...
You even have the settings for the user authentication in the kibana.yml file.

There's no code in Kibana OSS to implement the authentication methods, but Elasticsearch is still expecting authentication. Hence you get the error because Kibana cannot talk to Elasticsearch correctly.

So it will only work with the Kibana version out of the default distribution?

If I install only the OSS versions of the software, could I get the authentication running there or is this a feature only of the standard version?

Authentication is only part of the default distribution, yes.

Ok, thanks a lot for the help :smiley:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.