Kibana ValidationError ["system" is not allowed, "objects" is not allowed]

I tried to put the key for encryptedSavedObjects.encryptionKey into the Kibana keystore and when I tried restarting kibana it said there was an error because value has length [21] (This is a separate problem, I put in a 32 character key).

When I changed kibana.yml back to having the key in plaintext Kibana will no longer start with the message:

May 14 20:29:32 kibana[90384]: {"type":"log","@timestamp":"2021-05-15T02:29:32Z","tags":["fatal","root"],"pid":90384,"message":"{ ValidationError: child \"kibana\" fails because [\"system\" is not allowed, \"objects\" is not allowed]\n    at Object.exports.process (/usr/share/kibana/node_modules/joi/lib/errors.js:196:19)\n    at internals.Object._validateWithOptions (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:675:31)\n    at module.exports.internals.Any.root.validate (/usr/share/kibana/node_modules/joi/lib/index.js:146:23)\n    at Config._commit (/usr/share/kibana/src/legacy/server/config/config.js:133:34)\n    at Config.set (/usr/share/kibana/src/legacy/server/config/config.js:104:10)\n    at Config.extendSchema (/usr/share/kibana/src/legacy/server/config/config.js:76:10)\n    at _lodash.default.each.child (/usr/share/kibana/src/legacy/server/config/config.js:66:14)\n    at arrayEach (/usr/share/kibana/node_modules/lodash/lodash.js:516:11)\n    at Function.forEach (/usr/share/kibana/node_modules/lodash/lodash.js:9368:14)\n    at Config.extendSchema (/usr/share/kibana/src/legacy/server/config/config.js:65:30)\n    at new Config (/usr/share/kibana/src/legacy/server/config/config.js:56:10)\n    at Function.withDefaultSchema (/usr/share/kibana/src/legacy/server/config/config.js:50:12)\n    at LegacyService.setupLegacyConfig (/usr/share/kibana/src/core/server/legacy/legacy_service.js:84:43) name: 'ValidationError' }"}

Version 7.10.1. No settings were changed in kibana.yml, I only replaced the plaintext password with ${key} and then changed it back after it failed. I have no idea how to fix this, any advice would be appreciated

So I found the solution. Unlike the keystores for Filebeat, Metricbeat and Logstash you cannot add arbitrary keys to Kibana's keystore or it will fail. I upgraded to 7.12.1 and got a more informative error that led me to this. Also of note is that the "--allow-root" flag was removed in the latest kibana-keystore and leads to another error if you have it in your command.

So instead of using elasticsearch.username: ${some.key} in one's configuration file you omit a key entirely from kibana.yml and add it to the keystore like usr/share/kibana/bin/kibana-keystore add xpack.encryptedSavedObjects.encryptionKey.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.