Kibana users cannot connect after upgrade to 7.1.1

Hi.

I upgraded an elastic cloud cluster from v6 to elastic+kibana v7.1.1. I have other kibanas in dedicated servers (1 per customer) that I also upgraded to 7.1.1. Each of the other kibanas where using a dedicated kibana index.

After the upgrade, on the othes kibanas, the kibana users cannot log in, with a 403 error shown as json in the browser. I found two insane ways to bypass that :

  • switch the kibana.index to .kibana
  • give every user the superuser role

My login problem seems to a security one. But I can't find a way to grant a specific user an acces to a specific kibana index.

Thoughts ? Thaks for the help.

The kibana log output:

{"type":"log","@timestamp":"2019-06-11T20:51:31Z","tags":["debug","legacy-service"],"pid":793,"message":"Request will be handled by proxy POST:/api/security/v1/login."}
{"type":"error","@timestamp":"2019-06-11T20:51:31Z","tags":["debug","security","auth","session"],"pid":793,"level":"error","error":{"message":"Unauthorized","name":"Error","stack":"Error: Unauthorized\n at validate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:153:49)\n at Object.authenticate (/usr/share/kibana/node_modules/hapi-auth-cookie/lib/index.js:226:26)\n at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)\n at module.exports.internals.Auth.test (/usr/share/kibana/node_modules/hapi/lib/auth.js:92:54)\n at Session.get (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/session.js:56:47)\n at Authenticator.authenticate (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/authenticator.js:132:49)\n at Object.server.expose.request [as authenticate] (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/authentication/authenticator.js:288:60)\n at handler (/usr/share/kibana/node_modules/x-pack/plugins/security/server/routes/api/v1/authenticate.js:34:68)\n at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)\n at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:50:48)\n at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:35:36)\n at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)\n at process._tickCallback (internal/process/next_tick.js:68:7)"},"message":"Unauthorized"}

You'll need to check the Elasticsearch logs. If authentication failed in ES, Kibana will not know why.